CVE-2021-22921

HIGH7.8EPSS 0.53%

Published: 3/6/2024Modified: 4/3/2025

Description

Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.

Affected packages (2)

Bitnami/node>= 12.0.0, < 12.22.2, >= 14.0.0, < 14.17.2, >= 16.0.0, < 16.4.1
Bitnami/node-min>= 12.0.0, < 12.22.2, >= 14.0.0, < 14.17.2, >= 16.0.0, < 16.4.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (5)

WEBhttps://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
WEBhttps://hackerone.com/reports/1211160
WEBhttps://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2021-22921
WEBhttps://security.netapp.com/advisory/ntap-20210805-0003/