OpenJS FoundationNODEJSBLOG:AUG-2021-SECURITY-RELEASESAugust 2021 Security Releases
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
87.2%
(Update 11-Aug-2021) Security releases available
Updates are now available for v16.x, v14.x, and v12.x Node.js release lines for the following issues.
cares upgrade - Improper handling of untypical characters in domain names (High) (CVE-2021-22931)
Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js DNS library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.
You can read more about it in: <https://vulners.com/cve/CVE-2021-22931>
Impacts:
- All versions of the 16.x, 14.x, and 12.x releases lines
Thank you to Philipp Jeitner from Fraunhofer SIT for reporting this vulnerability.
Use after free on close http2 on stream canceling (High) (CVE-2021-22940)
Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. The issue is a follow on to CVE-2021-22930 as the issue was not completely resolved in the fix for CVE-2021-22930.
You can read more about it in: <https://vulners.com/cve/CVE-2021-22940>
Impacts:
- All versions of the 16.x, 14.x, and 12.x releases lines
Thank you to Eran Levin (exx8) for reporting the original vulnerability and those who helped identify the remaining issues.
Incomplete validation of rejectUnauthorized parameter (Low) (CVE-2021-22939)
If the Node.js https API was used incorrectly and “undefined” was in passed for the “rejectUnauthorized” parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
You can read more about it in: <https://vulners.com/cve/CVE-2021-22939>
Impacts:
- All versions of the 16.x, 14.x, and 12.x releases lines
Thank you to Tim Perry, from HTTP Toolkit for reporting this vulnerability.
Downloads and release details
- Node.js v12.22.5 (LTS)
- Node.js v14.17.5 (LTS)
- Node.js v16.6.2 (Current)
Summary
The Node.js project will release new versions of all supported release lines on or shortly after Wednesday August 11th, 2021 in order to address:
- Two high severity issues and one low severity issue.
Impact
The 16.x release line of Node.js is vulnerable to two high severity issues and one low severity issue.
The 14.x release line of Node.js is vulnerable to two high severity issues and one low severity issue.
The 12.x release line of Node.js is vulnerable to two high severity issues and one low severity issue.
Release timing
Releases will be available at, or shortly after, Wednesday, August 11th, 2021.
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
87.2%