CVE-2021-22940

Source
Severity: High
Remote: Yes
Type: Arbitrary code execution
Description
Node.js before versions 16.6.2, 14.17.5 and 12.22.5 is vulnerable to a use-after-free attack where an attacker might be able to exploit memory corruption to change process behavior. The issue is a follow-on to CVE-2021-22930, as it was not completely resolved by the fix for CVE-2021-22930.
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-2285 | nodejs-lts-erbium | 12.22.4-2 | 12.22.7-1 | High | Fixed | FS#72412 |
| AVG-2284 | nodejs-lts-fermium | 14.17.4-1 | 14.18.1-1 | High | Fixed | FS#72413 |
| AVG-2283 | nodejs | 16.6.1-1 | 16.6.2-1 | High | Fixed | |
| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 21 Oct 2021 | ASA-202110-6 | AVG-2285 | nodejs-lts-erbium | High | multiple issues |
| 21 Oct 2021 | ASA-202110-5 | AVG-2284 | nodejs-lts-fermium | High | multiple issues |
References
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#use-after-free-on-close-http2-on-stream-canceling-high-cve-2021-22940
https://github.com/nodejs/node/pull/39423
https://github.com/nodejs/node/pull/39622
https://github.com/nodejs/node/commit/a3c33d4ce78f74d1cf1765704af5b427aa3840a6
https://github.com/nodejs/node/commit/2008c9722fcf7591e39013691f303934b622df7b