Home

CVE-2021-22921

Description

Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.

Risk Information

Base Score
7.8
MODERATE
Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
0.409

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2021-22918,CVE-2021-22921,CVE-2021-27290,CVE-2021-23362 are fixed in Node.js 12 (x64) (12.22.2)Windows
Vulnerabilities CVE-2021-22918,CVE-2021-22921,CVE-2021-27290,CVE-2021-23362 are fixed in Node.js 12 (12.22.2)Windows
Vulnerabilities CVE-2021-22918,CVE-2021-22921,CVE-2021-27290,CVE-2021-23362 are fixed in Node.js 14 (x64) (14.17.2)Windows
Vulnerabilities CVE-2021-22918,CVE-2021-22921,CVE-2021-27290,CVE-2021-23362 are fixed in Node.js 14 (14.17.2)Windows
Vulnerabilities CVE-2021-22918,CVE-2021-22921,CVE-2021-27290,CVE-2021-23362 are fixed in Node.js 16 (16.20.1)Windows
Vulnerabilities CVE-2021-22918,CVE-2021-22921,CVE-2021-27290,CVE-2021-23362 are fixed in Node.js 16 (x64) (16.20.1)Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 11.0.1Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.2Windows
Multiple Vulnerabilities are affected in IBM Business Automation Workflow 21.0Windows
Multiple Vulnerabilities are affected in IBM App Connect Enterprise 12.0.1.0Windows

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-324371Node.js 12 (x64) (12.22.12)
PATCH-324370Node.js 12 (12.22.12)
PATCH-329083Node.js 14 (x64) (14.21.3)
PATCH-329082Node.js 14 (14.21.3)
PATCH-331256Node.js 16 (16.20.1)
PATCH-331257Node.js 16 (x64) (16.20.1)

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234