Homepage
About Snyk

Missing Release of Resource after Effective Lifetime Affecting npm package, versions <1:6.14.11-1.12.21.0.1.module+el8.3.0+9672+c7b0544d

Severity

 Recommended
0.0
high
0
10

Based on Oracle Linux security rating

    Threat Intelligence

    EPSS
    0.65% (80th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-ORACLE8-NPM-2578344
  • published 10 Apr 2022
  • disclosed 3 Mar 2021
Report a new vulnerability Found a mistake?

Introduced: 3 Mar 2021

CVE-2021-22883 Open this link in a new tab
CWE-772 Open this link in a new tab

How to fix?

Upgrade Oracle:8 npm to version 1:6.14.11-1.12.21.0.1.module+el8.3.0+9672+c7b0544d or higher.
This issue was patched in ELSA-2021-0734.

NVD Description

Note: Versions mentioned in the description apply only to the upstream npm package and not the npm package as distributed by Oracle. See How to fix? for Oracle:8 relevant fixed versions and status.

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

References

CVSS Scores

version 3.1
Expand this section

NVD

7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    None
  • Availability (A)
    High
Expand this section

SUSE

7.5 high
Expand this section

Red Hat

7.5 high