
CVE-2021-22931 (High) detected in node #1048

Closed
tmarkley opened this issue Dec 29, 2021 · 1 comment · Fixed by #1028
Labels
cve Security vulnerabilities detected by Dependabot or Mend high severity High severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend v2.0.0

Comments

@tmarkley (Contributor)

CVE-2021-22931 - High Severity Vulnerability

⚠️ Vulnerable Libraries: node@10.24.1

Dependency Hierarchy

  • node@10.24.1 (Root Library)

Found in base branch: main

🕵️ Vulnerability Details

Description

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

Publish Date

2021-08-16

URL

CVE-2021-22931

🎯 CVSS 3 Score Details (9.8)

Scores

Base: 9.8
Exploitability: 3.9
Impact: 5.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability Metrics

| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) |
|---|---|---|---|---|
| Network (AV:N) | Low (AC:L) | None (PR:N) | None (UI:N) | Unchanged (S:U) |

Impact Metrics

| Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|
| High (C:H) | High (I:H) | High (A:H) |

🔧 Suggested Fix

How to fix?

Upgrade node to version 16.6.2, 14.17.5, 12.22.5 or higher.

Origin

https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-1540538

@tmarkley tmarkley added the "Mend: dependency security vulnerability" and "high severity" labels on Dec 29, 2021
@tmarkley tmarkley linked a pull request on Dec 29, 2021 that will close this issue

@mend-for-github-com (bot)

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

@mend-for-github-com mend-for-github-com bot changed the title CVE-2021-22931 (High) detected in node CVE-2021-22931 (High) detected in node - autoclosed Jan 4, 2022
@tmarkley tmarkley changed the title CVE-2021-22931 (High) detected in node - autoclosed CVE-2021-22931 (High) detected in node Jan 4, 2022
@tmarkley tmarkley reopened this Jan 4, 2022
@tmarkley tmarkley added cve Security vulnerabilities detected by Dependabot or Mend v2.0.0 labels Jan 6, 2022