Bug 1187975 (CVE-2021-22921)

Summary: VUL-1: CVE-2021-22921: nodejs10,nodejs12,nodejs14,nodejs: Windows installer - Node Installer Local Privilege Escalation
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Adam Majer <amajer>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2021-07-02 13:58:12 UTC
Windows installer - Node Installer Local Privilege Escalation (Medium) (CVE-2021-22921)

Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.

You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22921


    All versions of the 16.x, 14.x, and 12.x release lines

Comment 1 Robert Frohl 2021-07-02 13:58:34 UTC
not relevant for Linux, closing