Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
CVE-2021-22883
CVE information
Published
Last Modified
CVSSv2.0 Severity
CVSSv3.1 Severity
Impact Analysis
Description
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory..
CVSSv2.0 Score
- Severity
- High
- Base Score
- 7.8/10
- Exploit Score
- 10/10
- Access Vector
- Network
- Access Complexity
- Low
- Authentication Required
- None
- Impact Score
- 6.9/10
- Confidentiality Impact
- None
- Availability Impact
- Complete
- Integrity Impact
- None
CVSSv3.1 Score
- Severity
- High
- Base Score
- 7.5/10
- Exploit Score
- 3.9/10
- Access Vector
- Network
- Access Complexity
- Low
- Privileges Required
- None
- Impact Score
- 3.6/10
- Confidentiality Impact
- None
- Availability Impact
- High
- Integrity Impact
- None
- Scope
- Unchanged
- User Interaction
- None
Products Affected
| CPE | Affected | Vulnerable | Excluding | Edit |
|---|---|---|---|---|
| cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* |
Yes
|
15.0.0 | 15.10.0 | |
| cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* |
Yes
|
14.0.0 | 14.16.0 | |
| cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* |
Yes
|
12.0.0 | 12.21.0 | |
| cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* |
Yes
|
10.0.0 | 10.24.0 | |
| cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:graalvm:20.3.1.2:*:*:*:enterprise:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:graalvm:21.0.0.2:*:*:*:enterprise:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:graalvm:19.3.5:*:*:*:enterprise:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:* |
Yes
|
- | 20.3 | |
| cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*: |
Yes
|
- | 9.2.6.0 | |
| cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*: |
Yes
|
- | 1.0.1.1 |
References
- https://hackerone.com/reports/1043360
- https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
- https://security.netapp.com/advisory/ntap-20210416-0001/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org