CVE-2021-22921
N/A
N/A
Summary
Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| NodeJS | Node | 4.0 < 4.* | affected |
| NodeJS | Node | 5.0 < 5.* | affected |
| NodeJS | Node | 6.0 < 6.* | affected |
| NodeJS | Node | 7.0 < 7.* | affected |
| NodeJS | Node | 8.0 < 8.* | affected |
| NodeJS | Node | 9.0 < 9.* | affected |
| NodeJS | Node | 10.0 < 10.* | affected |
| NodeJS | Node | 11.0 < 11.* | affected |
| NodeJS | Node | 12.0 < 12.22.2 | affected |
| NodeJS | Node | 13.0 < 13.* | affected |
| NodeJS | Node | 14.0 < 14.17.2 | affected |
| NodeJS | Node | 15.0 < 15.* | affected |
| NodeJS | Node | 16.0 < 16.4.1 | affected |
Weaknesses
- CWE-732: Incorrect Permission Assignment for Critical Resource (CWE-732)
ADP Enrichment
CVE Program Container
Additional References
- https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
- https://hackerone.com/reports/1211160
- https://security.netapp.com/advisory/ntap-20210805-0003/
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
References
- https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
- https://hackerone.com/reports/1211160
- https://security.netapp.com/advisory/ntap-20210805-0003/
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.