Home

CVE-2021-22918

Description

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().

Risk Information

Base Score
5.3
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score
Exploitation Probability
0.718

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2021-22918,CVE-2021-22921,CVE-2021-27290,CVE-2021-23362 are fixed in Node.js 12 (x64) (12.22.2)Windows
Vulnerabilities CVE-2021-22918,CVE-2021-22921,CVE-2021-27290,CVE-2021-23362 are fixed in Node.js 12 (12.22.2)Windows
Vulnerabilities CVE-2021-22918,CVE-2021-22921,CVE-2021-27290,CVE-2021-23362 are fixed in Node.js 14 (x64) (14.17.2)Windows
Vulnerabilities CVE-2021-22918,CVE-2021-22921,CVE-2021-27290,CVE-2021-23362 are fixed in Node.js 14 (14.17.2)Windows
Vulnerabilities CVE-2021-22918,CVE-2021-22921,CVE-2021-27290,CVE-2021-23362 are fixed in Node.js 16 (16.20.1)Windows
Vulnerabilities CVE-2021-22918,CVE-2021-22921,CVE-2021-27290,CVE-2021-23362 are fixed in Node.js 16 (x64) (16.20.1)Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 11.0.1Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.2Windows
Multiple Vulnerabilities are affected in IBM Business Automation Workflow 21.0Windows
Multiple Vulnerabilities are affected in IBM App Connect Enterprise 12.0.1.0Windows
libuv1 security update(DSA-4936-1) libuv1_1.24.1-1+deb10u1_i386.debLinux
libuv1 security update(DSA-4936-1) libuv1_1.24.1-1+deb10u1_amd64.debLinux
asynchronous event notification library - runtime library (USN-5007-1) libuv1_1.34.2-1ubuntu1.3_i386.debLinux
asynchronous event notification library - runtime library (USN-5007-1) libuv1_1.34.2-1ubuntu1.3_amd64.debLinux
asynchronous event notification library - runtime library (USN-5007-1) libuv1_1.38.0-2ubuntu2.1_i386.debLinux
asynchronous event notification library - runtime library (USN-5007-1) libuv1_1.38.0-2ubuntu2.1_amd64.debLinux
asynchronous event notification library - runtime library (USN-5007-1) libuv1_1.40.0-1ubuntu0.1_i386.debLinux
asynchronous event notification library - runtime library (USN-5007-1) libuv1_1.40.0-1ubuntu0.1_amd64.debLinux
(RHSA-2021:3073) nodejs:12 security, bug fix, and enhancement update nodejs-12.22.3-2.module+el8.4.0+11732+c668cc9f.x86_64.rpmLinux
(RHSA-2021:3073) nodejs:12 security, bug fix, and enhancement update nodejs-debugsource-12.22.3-2.module+el8.4.0+11732+c668cc9f.x86_64.rpmLinux
(RHSA-2021:3073) nodejs:12 security, bug fix, and enhancement update nodejs-devel-12.22.3-2.module+el8.4.0+11732+c668cc9f.x86_64.rpmLinux
(RHSA-2021:3073) nodejs:12 security, bug fix, and enhancement update nodejs-docs-12.22.3-2.module+el8.4.0+11732+c668cc9f.noarch.rpmLinux
(RHSA-2021:3073) nodejs:12 security, bug fix, and enhancement update nodejs-full-i18n-12.22.3-2.module+el8.4.0+11732+c668cc9f.x86_64.rpmLinux
(RHSA-2021:3073) nodejs:12 security, bug fix, and enhancement update nodejs-nodemon-2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch.rpmLinux
(RHSA-2021:3073) nodejs:12 security, bug fix, and enhancement update npm-6.14.13-1.12.22.3.2.module+el8.4.0+11732+c668cc9f.x86_64.rpmLinux
(RHSA-2021:3074) nodejs:14 security, bug fix, and enhancement update nodejs-14.17.3-2.module+el8.4.0+11738+3bd42762.x86_64.rpmLinux
(RHSA-2021:3074) nodejs:14 security, bug fix, and enhancement update nodejs-debugsource-14.17.3-2.module+el8.4.0+11738+3bd42762.x86_64.rpmLinux
(RHSA-2021:3074) nodejs:14 security, bug fix, and enhancement update nodejs-devel-14.17.3-2.module+el8.4.0+11738+3bd42762.x86_64.rpmLinux
(RHSA-2021:3074) nodejs:14 security, bug fix, and enhancement update nodejs-docs-14.17.3-2.module+el8.4.0+11738+3bd42762.noarch.rpmLinux
(RHSA-2021:3074) nodejs:14 security, bug fix, and enhancement update nodejs-full-i18n-14.17.3-2.module+el8.4.0+11738+3bd42762.x86_64.rpmLinux
(RHSA-2021:3074) nodejs:14 security, bug fix, and enhancement update npm-6.14.13-1.14.17.3.2.module+el8.4.0+11738+3bd42762.x86_64.rpmLinux
(RHSA-2021:3075) libuv security update libuv-1.41.1-1.el8_4.i686.rpmLinux
(RHSA-2021:3075) libuv security update libuv-1.41.1-1.el8_4.x86_64.rpmLinux
(RHSA-2021:3075) libuv security update libuv-debugsource-1.41.1-1.el8_4.i686.rpmLinux
(RHSA-2021:3075) libuv security update libuv-debugsource-1.41.1-1.el8_4.x86_64.rpmLinux
Nodejs update (ELSA-2021-3073) nodejs-12.22.3-2.module+el8.4.0+20281+eb64e322.x86_64.rpmLinux
Nodejs-devel update (ELSA-2021-3073) nodejs-devel-12.22.3-2.module+el8.4.0+20281+eb64e322.x86_64.rpmLinux
Nodejs-docs update (ELSA-2021-3073) nodejs-docs-12.22.3-2.module+el8.4.0+20281+eb64e322.noarch.rpmLinux
Nodejs-full-i18n update (ELSA-2021-3073) nodejs-full-i18n-12.22.3-2.module+el8.4.0+20281+eb64e322.x86_64.rpmLinux
Nodejs-nodemon update (ELSA-2021-3073) nodejs-nodemon-2.0.3-1.module+el8.4.0+20281+eb64e322.noarch.rpmLinux
Nodejs-packaging update (ELSA-2021-3073) nodejs-packaging-17-3.module+el8.1.0+5393+aaf413e3.noarch.rpmLinux
Npm update (ELSA-2021-3073) npm-6.14.13-1.12.22.3.2.module+el8.4.0+20281+eb64e322.x86_64.rpmLinux
Libuv update (ELSA-2021-3075) libuv-1.41.1-1.el8_4.i686.rpmLinux
Libuv update (ELSA-2021-3075) libuv-1.41.1-1.el8_4.x86_64.rpmLinux
Libuv-devel update (ELSA-2021-3075) libuv-devel-1.41.1-1.el8_4.i686.rpmLinux
Libuv-devel update (ELSA-2021-3075) libuv-devel-1.41.1-1.el8_4.x86_64.rpmLinux
(RHSA-2021:3075)Low: security update libuv-debuginfo-1.41.1-1.el8_4.i686.rpmLinux
(RHSA-2021:3075)Low: security update libuv-debuginfo-1.41.1-1.el8_4.x86_64.rpmLinux
libuv security update (RLSA-2021:3075) libuv-1.41.1-1.el8_4.i686.rpmLinux
libuv security update (RLSA-2021:3075) libuv-1.41.1-1.el8_4.x86_64.rpmLinux
nodejs:12 security, bug fix, and enhancement update (RLSA-2021:3073) nodejs-nodemon-2.0.3-1.module+el8.6.0+982+9fdca2d4.noarch.rpmLinux
nodejs:14 security, bug fix, and enhancement update (RLSA-2021:3074) nodejs-packaging-23-3.module+el8.7.0+1071+4bdda2a8.noarch.rpmLinux
nodejs:14 security, bug fix, and enhancement update (RLSA-2021:3074) nodejs-nodemon-2.0.3-1.module+el8.6.0+982+9fdca2d4.noarch.rpmLinux
Npm update (ELSA-2025-8514) npm-10.8.2-1.20.19.2.1.module+el8.10.0+90611+29f3ae1e.x86_64.rpmLinux
Nodejs-packaging-bundler update (ELSA-2025-8514) nodejs-packaging-bundler-2021.06-4.module+el8.10.0+90611+29f3ae1e.noarch.rpmLinux
Nodejs-packaging update (ELSA-2025-8514) nodejs-packaging-2021.06-4.module+el8.10.0+90611+29f3ae1e.noarch.rpmLinux
Nodejs-nodemon update (ELSA-2025-8514) nodejs-nodemon-3.0.1-1.module+el8.10.0+90611+29f3ae1e.noarch.rpmLinux
Nodejs-full-i18n update (ELSA-2025-8514) nodejs-full-i18n-20.19.2-1.module+el8.10.0+90611+29f3ae1e.x86_64.rpmLinux
Nodejs-docs update (ELSA-2025-8514) nodejs-docs-20.19.2-1.module+el8.10.0+90611+29f3ae1e.noarch.rpmLinux
Nodejs-devel update (ELSA-2025-8514) nodejs-devel-20.19.2-1.module+el8.10.0+90611+29f3ae1e.x86_64.rpmLinux
Nodejs update (ELSA-2025-8514) nodejs-20.19.2-1.module+el8.10.0+90611+29f3ae1e.x86_64.rpmLinux

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-324371Node.js 12 (x64) (12.22.12)
PATCH-324370Node.js 12 (12.22.12)
PATCH-329083Node.js 14 (x64) (14.21.3)
PATCH-329082Node.js 14 (14.21.3)
PATCH-331256Node.js 16 (16.20.1)
PATCH-331257Node.js 16 (x64) (16.20.1)

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234