CVSS: 6.8EPSS: 0%CPEs: 35EXPL: 1CVE-2021-3672 – c-ares: Missing input validation of host names may lead to domain hijacking
https://notcve.org/view.php?id=CVE-2021-3672
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability. Se ha encontrado un fallo en la biblioteca c-ares, en la que una falta de comprobación de la comprobación de entrada de los nombres de host devueltos por los DNS (Servidores de Nombres de Dominio) puede conllevar a una salida de nombres de host erróneos, que podría conllevar potencialmente a un Secuestro de Dominios. La mayor amenaza de esta vulnerabilidad es para la confidencialidad e integridad, así como para la disponibilidad del sistema • https://bugzilla.redhat.com/show_bug.cgi?id=1988342 https://c-ares.haxx.se/adv_20210810.html https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://security.gentoo.org/glsa/202401-02 https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2021-3672 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 1CVE-2021-22921
https://notcve.org/view.php?id=CVE-2021-22921
Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking. Node.js versiones anteriores a 16.4.1, 14.17.2 y 12.22.2, es vulnerable a ataques de escalada de privilegios locales bajo determinadas condiciones en plataformas Windows. Más concretamente, una configuración inapropiada de los permisos en el directorio de instalación permite a un atacante llevar a cabo dos ataques de escalada diferentes: PATH y secuestro de DLL • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://hackerone.com/reports/1211160 https://nodejs.org/en/blog/vulnerability/july-2021-security-releases https://security.netapp.com/advisory/ntap-20210805-0003 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 1CVE-2021-22918 – libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes
https://notcve.org/view.php?id=CVE-2021-22918
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo(). Node.js versiones anteriores a 16.4.1, 14.17.2, 12.22.2, es vulnerable a una lectura fuera de límites cuando la función uv__idna_toascii() es usada para convertir cadenas a ASCII. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://hackerone.com/reports/1209681 https://nodejs.org/en/blog/vulnerability/july-2021-security-releases https://security.gentoo.org/glsa/202401-23 https://security.netapp.com/advisory/ntap-20210805-0003 https://access.redhat.com/security/cve/CVE-2021-22918 https://bugzilla.redhat.com/show_bug.cgi?id=1979338 • CWE-125: Out-of-bounds Read •