ALT-PU-2021-2123-2

Package node updated to version 14.17.2-alt1 for branch sisyphus in task 276697.

Уязвимость функции uv__idna_toascii() программной платформы Node.js, позволяющая нарушителю вызвать отказ в обслуживании или получить несанкционированный доступ к защищаемой информации

Severity: HIGH (8.2)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Severity: MEDIUM (6.4)Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

References:

CVE-2021-22918

Уязвимость функции uv__idna_toascii() программной платформы Node.js, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации или вызвать отказ в обслуживании

Severity: MEDIUM (6.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Severity: MEDIUM (6.4)Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

References:

CVE-2021-22918

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().

Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: MEDIUM (5.3)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.

Severity: MEDIUM (4.4)Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

Severity: HIGH (7.8)Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Version: 2.1.2

Package node update in sisyphus on 2021-07-02

ALT-PU-2021-2123-2

Closed vulnerabilities

BDU:2021-03700

BDU:2021-04210

CVE-2021-22918

CVE-2021-22921