{
  "threat_severity" : "Important",
  "public_date" : "2021-08-11T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs: Use-after-free on close http2 on stream canceling",
    "id" : "1993029",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1993029"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.", "A flaw was found in Node.js, where it is vulnerable to a use-after-free attack. This flaw allows an attacker to exploit memory corruption to change process behavior. The highest threat from this vulnerability is to confidentiality and integrity." ],
  "statement" : "This issue is a follow-up to CVE-2021-22930, as the issue was not completely resolved in the fix for CVE-2021-22930. Node.js as shipped in Red Hat Enterprise Linux 8 streams and Red Hat Software Collections is not explicitly affected by the incomplete fix because the incomplete fix was not released, but the original issue does affect these components.\nRed Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-09-21T00:00:00Z",
    "advisory" : "RHSA-2021:3623",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:12-8040020210817133458.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-09-27T00:00:00Z",
    "advisory" : "RHSA-2021:3666",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:14-8040020210817165654.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.1 Extended Update Support",
    "release_date" : "2021-09-22T00:00:00Z",
    "advisory" : "RHSA-2021:3639",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.1",
    "package" : "nodejs:12-8010020210817113128.c27ad7f8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Extended Update Support",
    "release_date" : "2021-09-22T00:00:00Z",
    "advisory" : "RHSA-2021:3638",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.2",
    "package" : "nodejs:12-8020020210817125332.4cda2c84"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-08-26T00:00:00Z",
    "advisory" : "RHSA-2021:3280",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs14-nodejs-0:14.17.5-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-08-26T00:00:00Z",
    "advisory" : "RHSA-2021:3281",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-0:12.22.5-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-08-26T00:00:00Z",
    "advisory" : "RHSA-2021:3281",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-nodemon-0:2.0.3-5.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-08-26T00:00:00Z",
    "advisory" : "RHSA-2021:3280",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs14-nodejs-0:14.17.5-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-08-26T00:00:00Z",
    "advisory" : "RHSA-2021:3281",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-0:12.22.5-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-08-26T00:00:00Z",
    "advisory" : "RHSA-2021:3281",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-nodemon-0:2.0.3-5.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:16/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Will not fix",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-22940\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-22940\nhttps://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/" ],
  "name" : "CVE-2021-22940",
  "csaw" : false
}