Lucene search

K
ubuntucveUbuntu.comUB:CVE-2021-22918
HistoryJul 02, 2021 - 12:00 a.m.

CVE-2021-22918

2021-07-0200:00:00
ubuntu.com
ubuntu.com
17
node.js
out-of-bounds read
uv__idna_toascii
information disclosure
crashes
uv_getaddrinfo
cve-2021-22918
unix

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

46.5%

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds
read when uv__idna_toascii() is used to convert strings to ASCII. The
pointer p is read and increased without checking whether it is beyond pe,
with the latter holding a pointer to the end of the buffer. This can lead
to information disclosures or crashes. This function can be triggered via
uv_getaddrinfo().

Bugs

OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchlibuv1<ย 1.34.2-1ubuntu1.3UNKNOWN
ubuntu20.10noarchlibuv1<ย 1.38.0-2ubuntu2.1UNKNOWN
ubuntu21.04noarchlibuv1<ย 1.40.0-1ubuntu0.1UNKNOWN
ubuntu21.10noarchlibuv1<ย 1.40.0-2UNKNOWN
ubuntu22.04noarchlibuv1<ย 1.40.0-2UNKNOWN

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

46.5%