VDB
CVE-2021-22921
CVE-2021-22921
PUBLISHED
CVSS 8.5 HIGH
Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.
EPSS 0.53% · 67.5th percentile
Risk Scores
CVSS 4.0
8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.53%
67.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | node | 12.0.0, 16.0.0, 14.0.0 |
| Bitnami | node-min | 16.0.0, 14.0.0, 14.0.0 |
| Bitnami | node-min | 12.0.0, 14.0.0, 16.0.0 |
| Bitnami | node | 12.0.0, 14.0.0, 16.0.0 |
Exploit Intelligence
- Node Installer Local Privilege Escalation (hackerone)
- Node Installer Local Privilege Escalation (hackerone)
- Node Installer Local Privilege Escalation (hackerone)
- https://hackerone.com/reports/1211160 (bitnami)
Timeline
- CVE Published
- Jul 1, 2021 PoC Published
- Jul 13, 2021 EPSS Score
- Jul 16, 2021 EPSS Score
- Aug 6, 2021 EPSS Score
- Nov 9, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Jan 8, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Mar 9, 2022 EPSS Score
- May 7, 2022 EPSS Score
- Jul 6, 2022 EPSS Score