CVE-2021-22940 — HIGH (7.5)

Q: What is CVE-2021-22940?

CVE-2021-22940 is a vulnerability with a CVSS score of 7.5 (HIGH). Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

Q: How severe is CVE-2021-22940?

CVE-2021-22940 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-22940?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Oracle Graalvm, Oracle Jd Edwards Enterpriseone Tools, Oracle Peoplesoft Enterprise Peopletools, Netapp Nextgen Api.

Vulnerability Description

Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Nodejs	Node.Js	>= 12.0.0, < 12.22.5
Oracle	Graalvm	20.3.3
Oracle	Jd Edwards Enterpriseone Tools	<= 9.2.6.1
Oracle	Peoplesoft Enterprise Peopletools	8.57
Netapp	Nextgen Api	-
Siemens	Sinec Infrastructure Network Services	< 1.0.1.1
Debian	Debian Linux	10.0

Related Weaknesses (CWE)

CWE-416

References

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
https://hackerone.com/reports/1238162Permissions RequiredThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00006.htmlMailing ListThird Party Advisory
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/PatchVendor Advisory
https://security.gentoo.org/glsa/202401-02
https://security.netapp.com/advisory/ntap-20210923-0001/Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
https://hackerone.com/reports/1238162Permissions RequiredThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00006.htmlMailing ListThird Party Advisory
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/PatchVendor Advisory
https://security.gentoo.org/glsa/202401-02
https://security.netapp.com/advisory/ntap-20210923-0001/Third Party Advisory

FAQ

What is CVE-2021-22940?

CVE-2021-22940 is a vulnerability with a CVSS score of 7.5 (HIGH). Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

How severe is CVE-2021-22940?

CVE-2021-22940 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-22940?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Oracle Graalvm, Oracle Jd Edwards Enterpriseone Tools, Oracle Peoplesoft Enterprise Peopletools, Netapp Nextgen Api.