Vulnerability Description
Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nodejs | Node.Js | >= 12.0.0, < 12.22.2 |
| Microsoft | Windows | - |
| Siemens | Sinec Infrastructure Network Services | < 1.0.1.1 |
Related Weaknesses (CWE)
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
- https://hackerone.com/reports/1211160ExploitThird Party Advisory
- https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/PatchRelease NotesVendor Advisory
- https://security.netapp.com/advisory/ntap-20210805-0003/Third Party Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
- https://hackerone.com/reports/1211160ExploitThird Party Advisory
- https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/PatchRelease NotesVendor Advisory
- https://security.netapp.com/advisory/ntap-20210805-0003/Third Party Advisory
FAQ
What is CVE-2021-22921?
CVE-2021-22921 is a vulnerability with a CVSS score of 7.8 (HIGH). Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions ...
How severe is CVE-2021-22921?
CVE-2021-22921 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-22921?
Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Microsoft Windows, Siemens Sinec Infrastructure Network Services.