CVE-2021-22940

Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

Published: Aug 16, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-22940
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-416

Affected Software
References

Software	From	Fixed in
nodejs / node.js	12.0.0	12.22.5
nodejs / node.js	14.0.0	14.17.5
nodejs / node.js	16.0.0	16.6.2
oracle / peoplesoft_enterprise_peopletools	8.57	8.57.x
oracle / peoplesoft_enterprise_peopletools	8.58	8.58.x
oracle / peoplesoft_enterprise_peopletools	8.59	8.59.x
oracle / graalvm	20.3.3	20.3.3.x
oracle / graalvm	21.2.0	21.2.0.x
oracle / jd_edwards_enterpriseone_tools	-	9.2.6.1.x
siemens / sinec_infrastructure_network_services	-	1.0.1.1
debian / debian_linux	10.0	10.0.x

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://hackerone.com/reports/1238162
https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
https://security.gentoo.org/glsa/202401-02
https://security.netapp.com/advisory/ntap-20210923-0001/
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerability Database

CVE-2021-22940

Deep Security Visibility Without the Complexity