// For flags

CVE-2021-22931

nodejs: Improper handling of untypical characters in domain names

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

Node.js versiones anteriores a 16.6.0, 14.17.4 y 12.22.4, es vulnerable a una Ejecución de Código Remota , ataques de tipo XSS, bloqueo de Aplicaciones debido a una falta de comprobación de entrada de los nombres de host devueltos por los Servidores de Nombres de Dominio en la librería dns de Node.js, que puede conllevar a la salida de nombres de host erróneos (conllevando al Secuestro de Dominio) y vulnerabilidades de inyección en aplicaciones que usan la librería.

A flaw was found in Node.js. These vulnerabilities include remote code execution, Cross-site scripting (XSS), application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library, which can lead to the output of wrong hostnames (leading to Domain hijacking) and injection vulnerabilities in applications using the library.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2021-01-06 CVE Reserved
  • 2021-08-16 CVE Published
  • 2024-09-02 EPSS Updated
  • 2024-11-18 CVE Updated
  • 2024-11-18 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-20: Improper Input Validation
  • CWE-170: Improper Null Termination
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 12.0.0 <= 12.12.0
Search vendor "Nodejs" for product "Node.js" and version " >= 12.0.0 <= 12.12.0"
-
Affected
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 12.13.0 < 12.22.5
Search vendor "Nodejs" for product "Node.js" and version " >= 12.13.0 < 12.22.5"
lts
Affected
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 14.0.0 <= 14.14.0
Search vendor "Nodejs" for product "Node.js" and version " >= 14.0.0 <= 14.14.0"
-
Affected
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 14.15.0 < 14.17.5
Search vendor "Nodejs" for product "Node.js" and version " >= 14.15.0 < 14.17.5"
lts
Affected
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 16.0.0 < 16.6.2
Search vendor "Nodejs" for product "Node.js" and version " >= 16.0.0 < 16.6.2"
-
Affected
Netapp
Search vendor "Netapp"
Active Iq Unified Manager
Search vendor "Netapp" for product "Active Iq Unified Manager"
-vmware_vsphere
Affected
Netapp
Search vendor "Netapp"
Active Iq Unified Manager
Search vendor "Netapp" for product "Active Iq Unified Manager"
-windows
Affected
Netapp
Search vendor "Netapp"
Nextgen Api
Search vendor "Netapp" for product "Nextgen Api"
--
Affected
Netapp
Search vendor "Netapp"
Oncommand Insight
Search vendor "Netapp" for product "Oncommand Insight"
--
Affected
Netapp
Search vendor "Netapp"
Oncommand Workflow Automation
Search vendor "Netapp" for product "Oncommand Workflow Automation"
--
Affected
Netapp
Search vendor "Netapp"
Snapcenter
Search vendor "Netapp" for product "Snapcenter"
--
Affected
Oracle
Search vendor "Oracle"
Graalvm
Search vendor "Oracle" for product "Graalvm"
20.3.3
Search vendor "Oracle" for product "Graalvm" and version "20.3.3"
enterprise
Affected
Oracle
Search vendor "Oracle"
Graalvm
Search vendor "Oracle" for product "Graalvm"
21.2.0
Search vendor "Oracle" for product "Graalvm" and version "21.2.0"
enterprise
Affected
Oracle
Search vendor "Oracle"
Mysql Cluster
Search vendor "Oracle" for product "Mysql Cluster"
<= 8.0.26
Search vendor "Oracle" for product "Mysql Cluster" and version " <= 8.0.26"
-
Affected
Oracle
Search vendor "Oracle"
Peoplesoft Enterprise Peopletools
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"
8.57
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.57"
-
Affected
Oracle
Search vendor "Oracle"
Peoplesoft Enterprise Peopletools
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"
8.58
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58"
-
Affected
Oracle
Search vendor "Oracle"
Peoplesoft Enterprise Peopletools
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"
8.59
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.59"
-
Affected
Siemens
Search vendor "Siemens"
Sinec Infrastructure Network Services
Search vendor "Siemens" for product "Sinec Infrastructure Network Services"
< 1.0.1.1
Search vendor "Siemens" for product "Sinec Infrastructure Network Services" and version " < 1.0.1.1"
-
Affected