Bug 1187975 (CVE-2021-22921)

Summary: VUL-1: CVE-2021-22921: nodejs10,nodejs12,nodejs14,nodejs: Windows installer - Node Installer Local Privilege Escalation
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Adam Majer <amajer>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2021-07-02 13:58:12 UTC
Windows installer - Node Installer Local Privilege Escalation (Medium) (CVE-2021-22921)

Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.

You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22921

Impacts:

    All versions of the 16.x, 14.x, and 12.x release lines

https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
Comment 1 Robert Frohl 2021-07-02 13:58:34 UTC
Not relevant for Linux, closing.