---

Log

AVG-2114 edited at 12 Aug 2021 07:37:52
Affected	- 2.5.0-6 + 2.5.1-1

CVE-2021-22931 edited at 12 Aug 2021 07:37:19

References

https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#cares-upgrade-improper-handling-of-untypical-characters-in-domain-names-high-cve-2021-22931 + https://github.com/nodejs/node/pull/39724 + https://github.com/nodejs/node/commit/054537cdc2b24605df829b098660bc486626e88c + https://github.com/nodejs/node/commit/4923b59e0b74dcc34ae0796f647286922da570ec + https://github.com/nodejs/node/commit/5f947db68ce3be4339e27fc68ec81a6956ef065f

CVE-2021-22940 edited at 12 Aug 2021 07:35:30

References

https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#use-after-free-on-close-http2-on-stream-canceling-high-cve-2021-22940 + https://github.com/nodejs/node/pull/39423 + https://github.com/nodejs/node/pull/39622 + https://github.com/nodejs/node/commit/a3c33d4ce78f74d1cf1765704af5b427aa3840a6 + https://github.com/nodejs/node/commit/2008c9722fcf7591e39013691f303934b622df7b + https://github.com/nodejs/node/commit/2008c9722fcf7591e39013691f303934b622df7b

CVE-2021-22939 edited at 12 Aug 2021 07:33:24

References

https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#incomplete-validation-of-rejectunauthorized-parameter-low-cve-2021-22939 + https://hackerone.com/reports/1278254 + https://github.com/nodejs-private/node-private/pull/276 + https://github.com/nodejs/node/commit/6c7fff6f1d53dfb6c2b184ee41809b8d7614cb80 + https://github.com/nodejs/node/commit/35b86110e45083a75d7dc8e6be5a930b262494f6 + https://github.com/nodejs/node/commit/1780bbc3291357f7c3370892eb311fc7a62afe8d

AVG-2289 edited at 12 Aug 2021 07:30:31
Severity	- Unknown + Medium

CVE-2021-33193 edited at 12 Aug 2021 07:30:31
Severity	- Unknown + Medium
Remote	- Unknown + Remote
Type	- Unknown + Url request injection
Description	+ A security issue has been found in Apache httpd. mod_proxy is vulnerable to request line injections when using HTTP/2.
References	+ https://portswigger.net/research/http2 + https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c
Notes

AVG-2289 created at 12 Aug 2021 07:28:21
Packages	+ apache
Issues	+ CVE-2021-33193
Status	+ Vulnerable
Severity	+ Unknown
Affected	+ 2.4.48-1
Fixed
Ticket
Advisory qualified	+ Yes
References
Notes

CVE-2021-33193 created at 12 Aug 2021 07:28:21

CVE-2021-36770 edited at 12 Aug 2021 07:17:44

Description

- A security issue has been found in Perl. Encode::ConfigLocal can be loaded from a path relative to the current directory, because the || operator will evaluate @inc in scalar context, putting an integer as the only value in @inc. + Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.

AVG-2288 created at 12 Aug 2021 07:15:40
Packages	+ nodejs-lts-erbium
Issues	+ CVE-2021-22931
Status	+ Not affected
Severity	+ High
Affected	+ 12.22.4-2
Fixed
Ticket
Advisory qualified	+ No
References
Notes	+ The Arch Linux package is linked against the system c-ares library.

AVG-2287 created at 12 Aug 2021 07:15:26
Packages	+ nodejs-lts-fermium
Issues	+ CVE-2021-22931
Status	+ Not affected
Severity	+ High
Affected	+ 14.17.4-1
Fixed
Ticket
Advisory qualified	+ No
References
Notes	+ The Arch Linux package is linked against the system c-ares library.

AVG-2286 created at 12 Aug 2021 07:15:05
Packages	+ nodejs
Issues	+ CVE-2021-22931
Status	+ Not affected
Severity	+ High
Affected	+ 16.6.1-1
Fixed	+ 16.6.2-1
Ticket
Advisory qualified	+ No
References
Notes	+ The Arch Linux package is linked against the system c-ares library.