CVE-2021-22930 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Arbitrary code execution
Description	Node.js before version 16.6.0, 14.17.4 and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

Group	Package	Affected	Fixed	Severity	Status
AVG-2241	nodejs-lts-erbium	12.22.3-1	12.22.4-1	High	Fixed
AVG-2240	nodejs-lts-fermium	14.17.3-1	14.17.4-1	High	Fixed
AVG-2239	nodejs	16.5.0-1	16.6.0-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
03 Aug 2021	ASA-202108-3	AVG-2241	nodejs-lts-erbium	High	arbitrary code execution
03 Aug 2021	ASA-202108-2	AVG-2240	nodejs-lts-fermium	High	arbitrary code execution
03 Aug 2021	ASA-202108-1	AVG-2239	nodejs	High	arbitrary code execution

References
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/#use-after-free-on-close-http2-on-stream-canceling-high-cve-2021-22930 https://github.com/nodejs/node/issues/38964 https://github.com/nodejs/node/pull/39423 https://github.com/nodejs/node/commit/9d950a0956bf2c3dd87bacb56807f37e16a91db4 https://github.com/nodejs/node/commit/d48b91ea2b27828ceea10dab1effa42bc542be03 https://github.com/nodejs/node/commit/b263f2585ab53f56e0e22b46cf1f8519a8af8a05

References

https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/#use-after-free-on-close-http2-on-stream-canceling-high-cve-2021-22930
https://github.com/nodejs/node/issues/38964
https://github.com/nodejs/node/pull/39423
https://github.com/nodejs/node/commit/9d950a0956bf2c3dd87bacb56807f37e16a91db4
https://github.com/nodejs/node/commit/d48b91ea2b27828ceea10dab1effa42bc542be03
https://github.com/nodejs/node/commit/b263f2585ab53f56e0e22b46cf1f8519a8af8a05