Bug 1993019 (CVE-2021-22931)
Summary: | CVE-2021-22931 nodejs: Improper handling of untypical characters in domain names | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aarif, bdettelb, caswilli, fjansen, gkamathe, hhorak, jnakfour, jorton, kaycoth, mrunge, mvanderw, nodejs-maint, nodejs-sig, sgallagh, tchollingsworth, thrcka, tomckay, zsvetlik |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | nodejs 12.22.5, nodejs 14.17.5, nodejs 16.6.2 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in Node.js: the Node.js DNS library does not validate hostnames returned by Domain Name Servers. This can lead to the output of wrong hostnames (leading to domain hijacking) and to injection vulnerabilities in applications using the library. The resulting vulnerabilities include remote code execution, cross-site scripting (XSS), and application crashes.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-08-26 15:35:15 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1993020, 1993021, 1993022, 1993023, 1993024, 1993025, 1993026, 1993027, 1993814, 1993815, 1993816, 1993817, 1993818, 1993819, 1993964, 1993967, 1993992, 1993993, 1993994, 1994000, 1995498, 1995499, 1995500, 2003014, 2003070 | ||
Bug Blocks: | 1993049 |
Description
Dhananjay Arunesh
2021-08-12 09:42:52 UTC
Created nodejs tracking bugs for this issue:
Affects: epel-7 [bug 1993020]
Affects: fedora-all [bug 1993021]

Created nodejs:10/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1993022]

Created nodejs:12/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1993023]

Created nodejs:13/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1993024]

Created nodejs:14/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1993025]

Created nodejs:15/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1993026]

Created nodejs:16/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1993027]

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-22931

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.1 Extended Update Support
Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Extended Update Support
Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666
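
The Doc Text above attributes the flaw to missing validation of hostnames returned by DNS servers. As an added example (not code from this bug report or from Node.js), the following shows an application-side check that treats such names as untrusted input before they reach HTML, logs or commands. The function names, the injected `reverse` parameter and the sample answers are assumptions constructed for illustration.

```javascript
'use strict';
// Added example: strict RFC 1123 (letters, digits, hyphen) check for names
// that came back from a DNS server, applied before the application uses them.

// One label: 1 to 63 characters, no leading or trailing hyphen.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

// True only for a syntactically plain hostname; one trailing dot is allowed.
function isPlainHostname(name) {
  if (typeof name !== 'string') return false;
  const host = name.endsWith('.') ? name.slice(0, -1) : name;
  if (host.length === 0 || host.length > 253) return false;
  return host.split('.').every((label) => LABEL.test(label));
}

// Split resolver output into names that pass and names that are rejected,
// so rejected answers can be logged instead of silently used.
function partitionHostnames(names) {
  const accepted = [];
  const rejected = [];
  for (const name of names) {
    (isPlainHostname(name) ? accepted : rejected).push(name);
  }
  return { accepted, rejected };
}

// Wrap a reverse-lookup function (hypothetical parameter `reverse`, for
// example require('dns').promises.reverse) so callers see validated names only.
async function safeReverse(ip, reverse) {
  const { accepted, rejected } = partitionHostnames(await reverse(ip));
  for (const bad of rejected) {
    // JSON.stringify escapes control characters before the value is logged.
    console.warn('rejected DNS answer for %s: %s', ip, JSON.stringify(bad));
  }
  return accepted;
}

// Constructed sample answers served by a stub resolver: one plain name, one
// carrying HTML markup, one carrying shell metacharacters.
const CONSTRUCTED_ANSWERS = [
  'mail.example.com',
  '<b>bold</b>.example.com',
  'host.example.com; id',
];
const stubReverse = async () => CONSTRUCTED_ANSWERS;

safeReverse('192.0.2.10', stubReverse).then((names) => console.log(names));
```

Validation of this kind complements, and does not replace, running one of the fixed Node.js versions listed in the "Fixed In Version" field.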