Security
Headlines
HeadlinesLatestCVEs

Headline

Red Hat Security Advisory 2022-8832-01

Red Hat Security Advisory 2022-8832-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.

Packet Storm
#vulnerability#linux#red_hat#dos#nodejs#js#java

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: nodejs:18 security, bug fix, and enhancement update
Advisory ID: RHSA-2022:8832-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8832
Issue date: 2022-12-06
CVE Names: CVE-2022-3517 CVE-2022-43548
====================================================================

  1. Summary:

An update for the nodejs:18 module is now available for Red Hat Enterprise
Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

  1. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

  1. Description:

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:
nodejs (18.12.1). (BZ#2142809, BZ#2142830, BZ#2142834, BZ#2142856)

Security Fix(es):

  • nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)

  • nodejs: DNS rebinding in inspect via invalid octal IP address
    (CVE-2022-43548)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

  1. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

  1. Bugs fixed (https://bugzilla.redhat.com/):

2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
2140911 - CVE-2022-43548 nodejs: DNS rebinding in inspect via invalid octal IP address
2142809 - nodejs:18/nodejs: Rebase to the latest Nodejs 18 release [rhel-9] [rhel-9.1.0.z]

  1. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
nodejs-18.12.1-1.module+el9.1.0.z+17326+318294bb.src.rpm
nodejs-nodemon-2.0.20-1.module+el9.1.0.z+17326+318294bb.src.rpm
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.src.rpm

aarch64:
nodejs-18.12.1-1.module+el9.1.0.z+17326+318294bb.aarch64.rpm
nodejs-debuginfo-18.12.1-1.module+el9.1.0.z+17326+318294bb.aarch64.rpm
nodejs-debugsource-18.12.1-1.module+el9.1.0.z+17326+318294bb.aarch64.rpm
nodejs-devel-18.12.1-1.module+el9.1.0.z+17326+318294bb.aarch64.rpm
nodejs-full-i18n-18.12.1-1.module+el9.1.0.z+17326+318294bb.aarch64.rpm
npm-8.19.2-1.18.12.1.1.module+el9.1.0.z+17326+318294bb.aarch64.rpm

noarch:
nodejs-docs-18.12.1-1.module+el9.1.0.z+17326+318294bb.noarch.rpm
nodejs-nodemon-2.0.20-1.module+el9.1.0.z+17326+318294bb.noarch.rpm
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm
nodejs-packaging-bundler-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm

ppc64le:
nodejs-18.12.1-1.module+el9.1.0.z+17326+318294bb.ppc64le.rpm
nodejs-debuginfo-18.12.1-1.module+el9.1.0.z+17326+318294bb.ppc64le.rpm
nodejs-debugsource-18.12.1-1.module+el9.1.0.z+17326+318294bb.ppc64le.rpm
nodejs-devel-18.12.1-1.module+el9.1.0.z+17326+318294bb.ppc64le.rpm
nodejs-full-i18n-18.12.1-1.module+el9.1.0.z+17326+318294bb.ppc64le.rpm
npm-8.19.2-1.18.12.1.1.module+el9.1.0.z+17326+318294bb.ppc64le.rpm

s390x:
nodejs-18.12.1-1.module+el9.1.0.z+17326+318294bb.s390x.rpm
nodejs-debuginfo-18.12.1-1.module+el9.1.0.z+17326+318294bb.s390x.rpm
nodejs-debugsource-18.12.1-1.module+el9.1.0.z+17326+318294bb.s390x.rpm
nodejs-devel-18.12.1-1.module+el9.1.0.z+17326+318294bb.s390x.rpm
nodejs-full-i18n-18.12.1-1.module+el9.1.0.z+17326+318294bb.s390x.rpm
npm-8.19.2-1.18.12.1.1.module+el9.1.0.z+17326+318294bb.s390x.rpm

x86_64:
nodejs-18.12.1-1.module+el9.1.0.z+17326+318294bb.x86_64.rpm
nodejs-debuginfo-18.12.1-1.module+el9.1.0.z+17326+318294bb.x86_64.rpm
nodejs-debugsource-18.12.1-1.module+el9.1.0.z+17326+318294bb.x86_64.rpm
nodejs-devel-18.12.1-1.module+el9.1.0.z+17326+318294bb.x86_64.rpm
nodejs-full-i18n-18.12.1-1.module+el9.1.0.z+17326+318294bb.x86_64.rpm
npm-8.19.2-1.18.12.1.1.module+el9.1.0.z+17326+318294bb.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

  1. References:

https://access.redhat.com/security/cve/CVE-2022-3517
https://access.redhat.com/security/cve/CVE-2022-43548
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

  1. Contact:

The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY4+QKdzjgjWX9erEAQitTA//Ym4CEb+xV/oOjJz9ftgqbg9H6QFLuQ8R
3G/FubRRj5yWrhpVnliWWf4mZ4BF+vIQ57eezd4KxnhF0SUTw7MV3N2WuotkkZ0X
2bubflujCxdJ/rj5B+wZ9F9FnAEWOptjxSKpOQbX9CZ+plos32vTEsbdbFwLMaSe
YrAZgJt0t7gkUjZwWBDiDw3ga6wMct8a+nMvi+5nOG9s9tzSsa5J/jyrwIXnQLcL
qIpPJQLBMK5/wL2xoHbA398+YHJUxdvV5+LiZnXx6RJJsBOaqW9/+gCWfWVYpPLQ
uXK9orlfhRbcJfyhbUR8mjfVxA8r79LWiwS1X78kXLFqiS1+mS7trb3401HT7SWm
jm8X7/4gxiGQclH+K6/o3+UbJogmxBRZO3m9gf87TV8EkEvaIQTVDheZekrCmN8O
AJB0itRJbYtWizqTkLFlBcTIpse+P3z/fjxg+iWCl7ml2AlQxnkgC8k7UhrTEA7v
MMdoz+P1urvpgLaYhjMs2Pn9Wu8W5VA6oFKJyBGD9G0BsA7kpiPdWt6Xsnw1feFv
H87llR6gM54HC+m0mTL8+kazuwj5SrCkIrdH/dRZLEP4ihI1ASuwqNYIk9ZOpDjc
j2UEi7s/qMk9/SwncpSGjhLB1CnAwR61F/YMVbUBWPdZwgf1fWAPRpGRsCc0DybL
KPRxCz61jgI=d/7M
-----END PGP SIGNATURE-----

RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

Gentoo Linux Security Advisory 202405-29

Gentoo Linux Security Advisory 202405-29 - Multiple vulnerabilities have been discovered in Node.js. Versions greater than or equal to 16.20.2 are affected.

Ubuntu Security Notice USN-6491-1

Ubuntu Security Notice 6491-1 - Axel Chong discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. Zeyu Zhang discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS.

CVE-2023-22062: Oracle Critical Patch Update Advisory - July 2023

Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

RHSA-2023:3742: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...

Ubuntu Security Notice USN-6086-1

Ubuntu Security Notice 6086-1 - It was discovered that minimatch incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.

CVE-2023-21954: Oracle Critical Patch Update Advisory - April 2023

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...

RHSA-2023:1742: Red Hat Security Advisory: nodejs:14 security, bug fix, and enhancement update

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2021-44531: A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry...

Red Hat Security Advisory 2023-1533-01

Red Hat Security Advisory 2023-1533-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling, buffer overflow, bypass, and denial of service vulnerabilities.

RHSA-2023:1533: Red Hat Security Advisory: nodejs:14 security, bug fix, and enhancement update

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2021-44906: An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to tr...

RHSA-2023:0630: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.7.0 security and bug fix updates

Red Hat Advanced Cluster Management for Kubernetes 2.7.0 General Availability release images, which provide security updates and fix bugs. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: A vulnerability was found in the nodejs-minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service. * CVE-2022-30629: A flaw was found in the crypto/tls golang pa...

RHSA-2023:0612: Red Hat Security Advisory: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update

An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2021-44906: An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker t...

Red Hat Security Advisory 2023-0471-01

Red Hat Security Advisory 2023-0471-01 - An update is now available for Migration Toolkit for Runtimes (v1.0.1). Issues addressed include a denial of service vulnerability.

RHSA-2023:0471: Red Hat Security Advisory: Migration Toolkit for Runtimes security update

An update is now available for Migration Toolkit for Runtimes (v1.0.1). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-25914: jib-core: RCE via the isDockerInstalled * CVE-2022-37603: loader-utils:Regular expression denial of service * CVE-2022-42003: jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS * CVE-2022-42004: jackson-databind: use of deeply nested arrays * CVE-2022...

Debian Security Advisory 5326-1

Debian Linux Security Advisory 5326-1 - Multiple vulnerabilities were discovered in Node.js, which could result in HTTP request smuggling, bypass of host IP address validation and weak randomness setup.

RHSA-2023:0321: Red Hat Security Advisory: nodejs and nodejs-nodemon security, bug fix, and enhancement update

An update for nodejs and nodejs-nodemon is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44906: minimist: prototype pollution * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-35256: nodejs: HTTP Request Smuggling due to incorrect parsing of header fields * CVE-2022-43548: nodejs: DNS rebinding in inspect via invalid octal IP address

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Red Hat Security Advisory 2023-0050-01

Red Hat Security Advisory 2023-0050-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.

RHSA-2023:0050: Red Hat Security Advisory: nodejs:14 security, bug fix, and enhancement update

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44906: minimist: prototype pollution * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-24999: express: "qs" prototype poisoning causes the hang of the node process * CVE-2022-43548: nodejs: DNS rebinding in inspect via inva...

Red Hat Security Advisory 2022-9073-01

Red Hat Security Advisory 2022-9073-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.

RHSA-2022:9073: Red Hat Security Advisory: nodejs:16 security, bug fix, and enhancement update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44531: nodejs: Improper handling of URI Subject Alternative Names * CVE-2021-44532: nodejs: Certificate Verification Bypass via String Injection * CVE-2021-44533: nodejs: Incorrect handling of certificate subject and issuer fields * CVE-2021-44906: minimist: prototype pollution * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand fu...

RHSA-2022:9040: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.6.3 security update

Red Hat Advanced Cluster Management for Kubernetes 2.6.3 General Availability release images, which provide security updates, fix bugs, and update container images. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-41912: crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements

Red Hat Security Advisory 2022-8833-01

Red Hat Security Advisory 2022-8833-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.

RHSA-2022:8833: Red Hat Security Advisory: nodejs:18 security, bug fix, and enhancement update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-43548: nodejs: DNS rebinding in inspect via invalid octal IP address

RHSA-2022:8833: Red Hat Security Advisory: nodejs:18 security, bug fix, and enhancement update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-43548: nodejs: DNS rebinding in inspect via invalid octal IP address

RHSA-2022:8832: Red Hat Security Advisory: nodejs:18 security, bug fix, and enhancement update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-43548: nodejs: DNS rebinding in inspect via invalid octal IP address

RHSA-2022:8832: Red Hat Security Advisory: nodejs:18 security, bug fix, and enhancement update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-43548: nodejs: DNS rebinding in inspect via invalid octal IP address

CVE-2022-43548: Nov 3 2022 Security Releases | Node.js

A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.

CVE-2022-3517: PRISMA-2022-0039 - High vulnerability · Issue #329 · grafana/grafana-image-renderer

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

CVE-2022-0564: Qlik Sense Enterprise on Windows Release notes - November 2021 Initial Release to Patch 16

A vulnerability in Qlik Sense Enterprise on Windows could allow an remote attacker to enumerate domain user accounts. An attacker could exploit this vulnerability by sending authentication requests to an affected system. A successful exploit could allow the attacker to compare the response time that are returned by the affected system to determine which accounts are valid user accounts. Affected systems are only vulnerable if they have LDAP configured.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution