CVE-2021-22883
03.03.2021, 18:15
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| nodejs | node.js | 10.0.0 ≤ 𝑥 < 10.24.0 |
| nodejs | node.js | 12.0.0 ≤ 𝑥 < 12.21.0 |
| nodejs | node.js | 14.0.0 ≤ 𝑥 < 14.16.0 |
| nodejs | node.js | 15.0.0 ≤ 𝑥 < 15.10.0 |
| netapp | e-series_performance_analyzer | - |
| oracle | graalvm | 19.3.5 |
| oracle | graalvm | 20.3.1.2 |
| oracle | graalvm | 21.0.0.2 |
| oracle | jd_edwards_enterpriseone_tools | 𝑥 < 9.2.6.0 |
| oracle | mysql_cluster | 𝑥 ≤ 8.0.25 |
| oracle | nosql_database | 𝑥 < 20.3 |
| oracle | peoplesoft_enterprise_peopletools | 8.58 |
| oracle | peoplesoft_enterprise_peopletools | 8.59 |
| siemens | sinec_infrastructure_network_services | 𝑥 < 1.0.1.1 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| nodejs10 |
| ||||||||||||
| nodejs10-devel |
| ||||||||||||
| nodejs10-docs |
| ||||||||||||
| nodejs12 |
| ||||||||||||
| nodejs12-devel |
| ||||||||||||
| nodejs12-docs |
| ||||||||||||
| nodejs14 |
| ||||||||||||
| nodejs14-devel |
| ||||||||||||
| nodejs14-docs |
| ||||||||||||
| npm10 |
| ||||||||||||
| npm12 |
| ||||||||||||
| npm14 |
|
Common Weakness Enumeration
- CWE-400 - Uncontrolled Resource ConsumptionThe software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
- CWE-772 - Missing Release of Resource after Effective LifetimeThe software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
References