CVE-2021-22921

Description

Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.

How to fix CVE-2021-22921

To remediate CVE-2021-22921, upgrade the affected package to a fixed version below.

Bitnami/node—upgrade to 12.22.2 or later
—upgrade to 12.22.2 or later

Is CVE-2021-22921 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 12.0.0, < 12.22.2, >= 14.0.0, < 14.17.2, >= 16.0.0, < 16.4.1
>= 12.0.0, < 12.22.2, >= 14.0.0, < 14.17.2, >= 16.0.0, < 16.4.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (5)

WEBcert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
WEBhackerone.com/reports/1211160
WEBnodejs.org/en/blog/vulnerability/july-2021-security-releases/
WEBnvd.nist.gov/vuln/detail/CVE-2021-22921
WEB