CVE-2021-22921
Published: 12 July 2021
Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.
Priority
Status
Package | Release | Status |
---|---|---|
nodejs | jammy | Not vulnerable |
nodejs | bionic | Not vulnerable |
nodejs | focal | Not vulnerable |
nodejs | groovy | Not vulnerable |
nodejs | hirsute | Not vulnerable |
nodejs | trusty | Not vulnerable |
nodejs | upstream | Not vulnerable (debian: Only affects Windows installer) |
nodejs | xenial | Not vulnerable |
nodejs | impish | Not vulnerable |
nodejs | kinetic | Not vulnerable |
nodejs | lunar | Not vulnerable |
nodejs | mantic | Not vulnerable |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.8 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |