2021-07-07-libuv upgrade – Out of bounds read (Medium) (CVE-2021-22918)

Advisory ID CVE Number Date discovered Severity Advisory revision
STORM-2021-053 CVE-2021-22918 07/07/2021 low v1

Vulnerability details

NodeJS published a security update on their TLS branch.

It fixes a vulnerability (CVE-2021-22918) on a component used for DNS resolution (libuv)

Impacted products

Stormshield Management Center low libuv upgrade - Out of bounds read


Version Date Description
v1  16/07/2021 Initial release



Stormshield Management Center

CVSS v3.1 Overall Score: 2.1      


Impacted version

The attack scenario imply a malevolent authorised user on SMC can cause an information leak or a crash of the application when he ask for domain resolution.

This can only be caused by asking for resolution of an FQDN object, which will make SMC unavaible until manual restart.


  • SMC 3.0.0 and lower


Workaround solution


Not using FQDN object

The 3.0.1 update will fix this vulnerability.

Attack Vector Attack Complexity Privileges Required User Interaction Scope Confidentiality Impact Integrity Impact Availability impact
Local High High Required Unchanged None None Low
CVSS Base score: 1.8 CVSS Vector: (AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L)
Exploit Code Maturity Remediation Level Report Confidence
Unproven that exploit exists Workaround Unknown
CVSS Temporal score: 1.5 CVSS Vector: (AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L/E:U/RL:W/RC:U)
Confidentiality Requirement Integrity Requirement Availability Requirement
Medium High High
CVSS Environmental score: 2.1 CVSS Vector: (AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L/E:U/RL:W/RC:U/CR:M/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)