Search for vulnerabilities
Vulnerability details: VCID-2bdt-6ufr-aaam
Vulnerability ID VCID-2bdt-6ufr-aaam
Aliases CVE-2021-22931
Summary Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.
Status Published
Exploitability 0.5
Weighted Severity 8.8
Risk 4.4
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-20 Improper Input Validation
CWE-170 Improper Null Termination
System Score Found at
rhas Important https://access.redhat.com/errata/RHSA-2021:3280
rhas Important https://access.redhat.com/errata/RHSA-2021:3281
rhas Important https://access.redhat.com/errata/RHSA-2021:3623
rhas Important https://access.redhat.com/errata/RHSA-2021:3638
rhas Important https://access.redhat.com/errata/RHSA-2021:3639
rhas Important https://access.redhat.com/errata/RHSA-2021:3666
cvssv3 5.0 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22931.json
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00738 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.00758 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.01408 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.01408 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.01408 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.01408 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.01408 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.01408 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.01408 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.01408 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.01408 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.01408 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.02288 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.02288 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.02288 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.02288 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.02302 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.03020 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.03020 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.03020 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.03020 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.03020 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.03020 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.03020 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.03020 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.03020 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.03020 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
epss 0.03020 https://api.first.org/data/v1/epss?cve=CVE-2021-22931
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1993019
cvssv3.1 8.2 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
generic_textual HIGH https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
ssvc Track https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
cvssv3.1 8.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
ssvc Track https://hackerone.com/reports/1178337
ssvc Track https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
cvssv2 7.5 https://nvd.nist.gov/vuln/detail/CVE-2021-22931
cvssv3 9.8 https://nvd.nist.gov/vuln/detail/CVE-2021-22931
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2021-22931
archlinux High https://security.archlinux.org/AVG-2286
ssvc Track https://security.gentoo.org/glsa/202401-02
ssvc Track https://security.netapp.com/advisory/ntap-20210923-0001/
ssvc Track https://security.netapp.com/advisory/ntap-20211022-0003/
cvssv3.1 6.6 https://www.oracle.com/security-alerts/cpujan2022.html
generic_textual MODERATE https://www.oracle.com/security-alerts/cpujan2022.html
ssvc Track https://www.oracle.com/security-alerts/cpujan2022.html
cvssv3.1 7.5 https://www.oracle.com/security-alerts/cpujul2022.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpujul2022.html
ssvc Track https://www.oracle.com/security-alerts/cpujul2022.html
cvssv3.1 8.2 https://www.oracle.com/security-alerts/cpuoct2021.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpuoct2021.html
ssvc Track https://www.oracle.com/security-alerts/cpuoct2021.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22931.json
https://api.first.org/data/v1/epss?cve=CVE-2021-22931
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://hackerone.com/reports/1178337
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
https://security.netapp.com/advisory/ntap-20210923-0001/
https://security.netapp.com/advisory/ntap-20211022-0003/
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
1993019 https://bugzilla.redhat.com/show_bug.cgi?id=1993019
AVG-2286 https://security.archlinux.org/AVG-2286
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:nextgen_api:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:nextgen_api:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
CVE-2021-22931 https://nvd.nist.gov/vuln/detail/CVE-2021-22931
GLSA-202401-02 https://security.gentoo.org/glsa/202401-02
GLSA-202405-29 https://security.gentoo.org/glsa/202405-29
RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280
RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281
RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623
RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638
RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639
RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22931.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-11T21:01:01Z/ Found at https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-11T21:01:01Z/ Found at https://hackerone.com/reports/1178337
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-11T21:01:01Z/ Found at https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2021-22931
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-22931
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-22931
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-11T21:01:01Z/ Found at https://security.gentoo.org/glsa/202401-02
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-11T21:01:01Z/ Found at https://security.netapp.com/advisory/ntap-20210923-0001/
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-11T21:01:01Z/ Found at https://security.netapp.com/advisory/ntap-20211022-0003/
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpujan2022.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-11T21:01:01Z/ Found at https://www.oracle.com/security-alerts/cpujan2022.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://www.oracle.com/security-alerts/cpujul2022.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-11T21:01:01Z/ Found at https://www.oracle.com/security-alerts/cpujul2022.html
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://www.oracle.com/security-alerts/cpuoct2021.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-11T21:01:01Z/ Found at https://www.oracle.com/security-alerts/cpuoct2021.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.70536
EPSS Score 0.00738
Published At March 28, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.