CVE-2021-22940 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Arbitrary code execution
Description	Node.js before versions 16.6.2, 14.17.5 and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. The issue is a follow on to CVE-2021-22930 as the issue was not completely resolved in the fix for CVE-2021-22930.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2285	nodejs-lts-erbium	12.22.4-2	12.22.7-1	High	Fixed	FS#72412
AVG-2284	nodejs-lts-fermium	14.17.4-1	14.18.1-1	High	Fixed	FS#72413
AVG-2283	nodejs	16.6.1-1	16.6.2-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
21 Oct 2021	ASA-202110-6	AVG-2285	nodejs-lts-erbium	High	multiple issues
21 Oct 2021	ASA-202110-5	AVG-2284	nodejs-lts-fermium	High	multiple issues

References
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#use-after-free-on-close-http2-on-stream-canceling-high-cve-2021-22940 https://github.com/nodejs/node/pull/39423 https://github.com/nodejs/node/pull/39622 https://github.com/nodejs/node/commit/a3c33d4ce78f74d1cf1765704af5b427aa3840a6 https://github.com/nodejs/node/commit/2008c9722fcf7591e39013691f303934b622df7b https://github.com/nodejs/node/commit/2008c9722fcf7591e39013691f303934b622df7b

References

https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#use-after-free-on-close-http2-on-stream-canceling-high-cve-2021-22940
https://github.com/nodejs/node/pull/39423
https://github.com/nodejs/node/pull/39622
https://github.com/nodejs/node/commit/a3c33d4ce78f74d1cf1765704af5b427aa3840a6
https://github.com/nodejs/node/commit/2008c9722fcf7591e39013691f303934b622df7b
https://github.com/nodejs/node/commit/2008c9722fcf7591e39013691f303934b622df7b