Bug 1993019 (CVE-2021-22931) - CVE-2021-22931 nodejs: Improper handling of untypical characters in domain names
Summary: CVE-2021-22931 nodejs: Improper handling of untypical characters in domain names
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-22931
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1993020 1993021 1993022 1993023 1993024 1993025 1993026 1993027 1993817 1993818 1993819 2003014 2003070 1993814 1993815 1993816 1993964 1993967 1993992 1993993 1993994 1994000 1995498 1995499 1995500
Blocks: 1993049
TreeView+ depends on / blocked
 
Reported: 2021-08-12 09:42 UTC by Dhananjay Arunesh
Modified: 2021-11-18 10:45 UTC (History)
18 users (show)

Fixed In Version: nodejs 12.22.5, nodejs 14.17.5, nodejs 16.6.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Node.js. These vulnerabilities include remote code execution, Cross-site scripting (XSS), application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library, which can lead to the output of wrong hostnames (leading to Domain hijacking) and injection vulnerabilities in applications using the library.
Clone Of:
Environment:
Last Closed: 2021-08-26 15:35:15 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:3400 0 None None None 2021-08-31 20:51:21 UTC
Red Hat Product Errata RHBA-2021:3478 0 None None None 2021-09-09 12:33:02 UTC
Red Hat Product Errata RHBA-2021:4731 0 None None None 2021-11-18 10:45:16 UTC
Red Hat Product Errata RHSA-2021:3280 0 None None None 2021-08-26 10:19:00 UTC
Red Hat Product Errata RHSA-2021:3281 0 None None None 2021-08-26 10:15:31 UTC
Red Hat Product Errata RHSA-2021:3623 0 None None None 2021-09-21 13:12:51 UTC
Red Hat Product Errata RHSA-2021:3638 0 None None None 2021-09-22 09:01:04 UTC
Red Hat Product Errata RHSA-2021:3639 0 None None None 2021-09-22 08:51:46 UTC
Red Hat Product Errata RHSA-2021:3666 0 None None None 2021-09-27 07:29:14 UTC

Description Dhananjay Arunesh 2021-08-12 09:42:52 UTC
Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js DNS library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

References:
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/

Comment 1 Dhananjay Arunesh 2021-08-12 09:44:18 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 1993020]
Affects: fedora-all [bug 1993021]


Created nodejs:10/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993022]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993023]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993024]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993025]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993026]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993027]

Comment 6 errata-xmlrpc 2021-08-26 10:15:28 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281

Comment 7 errata-xmlrpc 2021-08-26 10:18:58 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280

Comment 8 Product Security DevOps Team 2021-08-26 15:35:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22931

Comment 9 errata-xmlrpc 2021-09-21 13:12:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623

Comment 10 errata-xmlrpc 2021-09-22 08:51:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639

Comment 11 errata-xmlrpc 2021-09-22 09:01:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638

Comment 13 errata-xmlrpc 2021-09-27 07:29:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666


Note You need to log in before you can comment on or make changes to this bug.