Security
Headlines
HeadlinesLatestCVEs

Headline

Red Hat Security Advisory 2022-4914-01

Red Hat Security Advisory 2022-4914-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

Packet Storm
#vulnerability#web#linux#red_hat#nodejs#js#java

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: rh-nodejs12-nodejs security, bug fix, and enhancement update
Advisory ID: RHSA-2022:4914-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2022:4914
Issue date: 2022-06-06
CVE Names: CVE-2021-3918 CVE-2021-22959 CVE-2021-22960
CVE-2021-37701 CVE-2021-37712 CVE-2021-44531
CVE-2021-44532 CVE-2021-44533 CVE-2021-44906
CVE-2022-21824
====================================================================

  1. Summary:

An update for rh-nodejs12-nodejs is now available for Red Hat Software
Collections.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

  1. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

  1. Description:

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:
rh-nodejs12-nodejs (12.22.12). This is the last planned rebase before the
collection reaches End of Life.

Security Fix(es):

  • nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

  • nodejs-tar: Insufficient symlink protection due to directory cache
    poisoning using symbolic links allowing arbitrary file creation and
    overwrite (CVE-2021-37701)

  • nodejs-tar: Insufficient symlink protection due to directory cache
    poisoning using symbolic links allowing arbitrary file creation and
    overwrite (CVE-2021-37712)

  • nodejs: Improper handling of URI Subject Alternative Names
    (CVE-2021-44531)

  • nodejs: Certificate Verification Bypass via String Injection
    (CVE-2021-44532)

  • nodejs: Incorrect handling of certificate subject and issuer fields
    (CVE-2021-44533)

  • minimist: prototype pollution (CVE-2021-44906)

  • llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

  • llhttp: HTTP Request Smuggling when parsing the body of chunked requests
    (CVE-2021-22960)

  • nodejs: Prototype pollution via console.table properties (CVE-2022-21824)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

  1. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

  1. Bugs fixed (https://bugzilla.redhat.com/):

1999731 - CVE-2021-37701 nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
1999739 - CVE-2021-37712 nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
2014057 - CVE-2021-22959 llhttp: HTTP Request Smuggling due to spaces in headers
2014059 - CVE-2021-22960 llhttp: HTTP Request Smuggling when parsing the body of chunked requests
2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability
2040839 - CVE-2021-44531 nodejs: Improper handling of URI Subject Alternative Names
2040846 - CVE-2021-44532 nodejs: Certificate Verification Bypass via String Injection
2040856 - CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields
2040862 - CVE-2022-21824 nodejs: Prototype pollution via console.table properties
2066009 - CVE-2021-44906 minimist: prototype pollution

  1. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-nodejs12-nodejs-12.22.12-2.el7.src.rpm

noarch:
rh-nodejs12-nodejs-docs-12.22.12-2.el7.noarch.rpm

ppc64le:
rh-nodejs12-nodejs-12.22.12-2.el7.ppc64le.rpm
rh-nodejs12-nodejs-debuginfo-12.22.12-2.el7.ppc64le.rpm
rh-nodejs12-nodejs-devel-12.22.12-2.el7.ppc64le.rpm
rh-nodejs12-npm-6.14.16-12.22.12.2.el7.ppc64le.rpm

s390x:
rh-nodejs12-nodejs-12.22.12-2.el7.s390x.rpm
rh-nodejs12-nodejs-debuginfo-12.22.12-2.el7.s390x.rpm
rh-nodejs12-nodejs-devel-12.22.12-2.el7.s390x.rpm
rh-nodejs12-npm-6.14.16-12.22.12.2.el7.s390x.rpm

x86_64:
rh-nodejs12-nodejs-12.22.12-2.el7.x86_64.rpm
rh-nodejs12-nodejs-debuginfo-12.22.12-2.el7.x86_64.rpm
rh-nodejs12-nodejs-devel-12.22.12-2.el7.x86_64.rpm
rh-nodejs12-npm-6.14.16-12.22.12.2.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-nodejs12-nodejs-12.22.12-2.el7.src.rpm

noarch:
rh-nodejs12-nodejs-docs-12.22.12-2.el7.noarch.rpm

x86_64:
rh-nodejs12-nodejs-12.22.12-2.el7.x86_64.rpm
rh-nodejs12-nodejs-debuginfo-12.22.12-2.el7.x86_64.rpm
rh-nodejs12-nodejs-devel-12.22.12-2.el7.x86_64.rpm
rh-nodejs12-npm-6.14.16-12.22.12.2.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

  1. References:

https://access.redhat.com/security/cve/CVE-2021-3918
https://access.redhat.com/security/cve/CVE-2021-22959
https://access.redhat.com/security/cve/CVE-2021-22960
https://access.redhat.com/security/cve/CVE-2021-37701
https://access.redhat.com/security/cve/CVE-2021-37712
https://access.redhat.com/security/cve/CVE-2021-44531
https://access.redhat.com/security/cve/CVE-2021-44532
https://access.redhat.com/security/cve/CVE-2021-44533
https://access.redhat.com/security/cve/CVE-2021-44906
https://access.redhat.com/security/cve/CVE-2022-21824
https://access.redhat.com/security/updates/classification/#moderate

  1. Contact:

The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYp4VndzjgjWX9erEAQi6ThAAmuiC/L2RfziogamDLIku0fNjaH9t5ifL
XjA0SekEiNfnG5S+hT19SLhGuQ18WEzzIY/xU+qN/J9oOSnQ12AmabyQmaekDOLl
W299BWDfeDmPP+sEcmpm33qX8wCE1xzCsSM5hOoyx4/N/uzREjpoOSO+KE2dWOdT
LEbXLYZMtstBUe0ht7DQ/u/l1OBf3eFov5r2uKuJ/+fGvDXLMybFZpehtw4u6q+j
Gr4aK3/NK75L50Me4GbdWb5eEbuPqJyTkXB3Q8qCPk4Re3PsAbl/Z0nf+6U5ZWrl
pZxaP0IUBo9Ls7/YVHZXr5+LGsQhO8z6y3PCIiSfrohhgf3H6BAeux7HXsKvP6A5
sRDSIyuFfNjzvYDGXh8fHJjSChdxcElgBPOVVHCMF9KuR1OvUJIh4UqD043xNtwe
e4/+eGct8YROLHXadP+sQuMKKoPGH3lvu6gyKRSS84tkwebu1I9vWUTqclRxWq/U
epL6Vj5nYatjwOi7zD6QAgvXEoPmevPiPlDNnjR3JHrepQQrISQ2QIT3wvZisHsf
F8ZZCBtGBxaX0xgu1AOVfd+cxNjwvwCXtuZCRfLSx97i/Uq0j2BF0I5ySidzp4uS
QoYbhwYNc60aZSuWwh+2oCXvuYwXVV1Ep3HtkoB3q52KrVpHbhEaof553vJL83OE
fM6G97EmFoY=VZoV
-----END PGP SIGNATURE-----

RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

Gentoo Linux Security Advisory 202405-29

Gentoo Linux Security Advisory 202405-29 - Multiple vulnerabilities have been discovered in Node.js. Versions greater than or equal to 16.20.2 are affected.

CVE-2022-36777: Security Bulletin: QRadar Suite Software includes components with multiple known vulnerabilities

IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.16.0could allow an authenticated user to obtain sensitive version information that could aid in further attacks against the system. IBM X-Force ID: 233665.

CVE-2022-4039

A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in the app server configuration.

Red Hat Security Advisory 2023-3742-02

Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.

RHSA-2023:3742: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...

Ubuntu Security Notice USN-6103-1

Ubuntu Security Notice 6103-1 - It was discovered that JSON Schema incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to exploit JavaScript runtimes and cause a denial of service or execute arbitrary code.

CVE-2023-21954: Oracle Critical Patch Update Advisory - April 2023

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...

CVE-2023-28069: DSA-2022-258: Dell Streaming Data Platform Security Update for Multiple Third-Party Component Vulnerabilities

Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.

RHSA-2023:1533: Red Hat Security Advisory: nodejs:14 security, bug fix, and enhancement update

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2021-44906: An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to tr...

Red Hat Security Advisory 2023-1045-01

Red Hat Security Advisory 2023-1045-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.2 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, cross site scripting, denial of service, deserialization, html injection, memory exhaustion, server-side request forgery, and traversal vulnerabilities.

Red Hat Security Advisory 2023-1049-01

Red Hat Security Advisory 2023-1049-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.2 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, cross site scripting, denial of service, deserialization, html injection, memory exhaustion, open redirection, server-side request forgery, and traversal vulnerabilities.

RHSA-2023:1043: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 7

New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. * CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. * CVE-2019-11358: A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modi...

RHSA-2023:1049: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update

A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. * CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. * CVE-2019-11358: A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modi...

RHSA-2023:1045: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 9

New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. * CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. * CVE-2019-11358: A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modi...

RHSA-2023:1044: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 8

New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. * CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. * CVE-2019-11358: A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modi...

CVE-2022-42950: Couchbase Alerts

An issue was discovered in Couchbase Server 7.x before 7.0.5 and 7.1.x before 7.1.2. A crafted HTTP REST request from an administrator account to the Couchbase Server Backup Service can exhaust memory resources, causing the process to be killed, which can be used for denial of service.

RHSA-2023:0612: Red Hat Security Advisory: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update

An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2021-44906: An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker t...

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Red Hat Security Advisory 2023-0050-01

Red Hat Security Advisory 2023-0050-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.

RHSA-2023:0050: Red Hat Security Advisory: nodejs:14 security, bug fix, and enhancement update

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44906: minimist: prototype pollution * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-24999: express: "qs" prototype poisoning causes the hang of the node process * CVE-2022-43548: nodejs: DNS rebinding in inspect via inva...

Red Hat Security Advisory 2022-9073-01

Red Hat Security Advisory 2022-9073-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.

RHSA-2022:9073: Red Hat Security Advisory: nodejs:16 security, bug fix, and enhancement update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44531: nodejs: Improper handling of URI Subject Alternative Names * CVE-2021-44532: nodejs: Certificate Verification Bypass via String Injection * CVE-2021-44533: nodejs: Incorrect handling of certificate subject and issuer fields * CVE-2021-44906: minimist: prototype pollution * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand fu...

RHSA-2022:8652: Red Hat Security Advisory: Red Hat Fuse 7.11.1 release and security update

A minor version update (from 7.11 to 7.11.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2019-8331: bootstrap: XSS in the tooltip or popover data-template attribute * CVE-2021-3717: wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users * CVE-2021-31684: json-smart: Denial of Service in...

Red Hat Security Advisory 2022-7830-01

Red Hat Security Advisory 2022-7830-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

RHSA-2022:7830: Red Hat Security Advisory: nodejs:14 security update

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44531: nodejs: Improper handling of URI Subject Alternative Names * CVE-2021-44532: nodejs: Certificate Verification Bypass via String Injection * CVE-2021-44533: nodejs: Incorrect handling of certificate subject and issuer fields * CVE-2022-21824: nodejs: Prototype pollution via console.table properties * CVE-2022-35256: nodejs: HTTP Reque...

Red Hat Security Advisory 2022-7044-01

Red Hat Security Advisory 2022-7044-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

RHSA-2022:7055: Red Hat Security Advisory: RHOSDT 2.6.0 operator/operand containers Security Update

An update is now available for Red Hat Openshift distributed tracing 2.6.0 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2022-0536: follow-redirects: Exposure of Sensitive Information via Authorization Header leak * CVE-2022-1650: eventsource: Exposure of Sensitive Information * CVE-2022-24785: Moment.js: Path traversal in moment.locale * CVE-2022-31129: moment: inefficient parsing algorithm resulting ...

RHSA-2022:7044: Red Hat Security Advisory: rh-nodejs14-nodejs security update

An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44531: nodejs: Improper handling of URI Subject Alternative Names * CVE-2021-44532: nodejs: Certificate Verification Bypass via String Injection * CVE-2021-44533: nodejs: Incorrect handling of certificate subject and issuer fields * CVE-2021-44906: minimist: prototype pollution * CVE-2022-21824: nodejs: Prototype pollution via console.table...

CVE-2022-21587: Oracle Critical Patch Update Advisory - October 2022

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Red Hat Security Advisory 2022-6813-01

Red Hat Security Advisory 2022-6813-01 - Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services. This asynchronous security patch is an update to Red Hat Process Automation Manager 7. Issues addressed include XML injection, bypass, denial of service, and traversal vulnerabilities.

RHSA-2022:6813: Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.1 security update

An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-7746: chart.js: prototype pollution * CVE-2020-36518: jackson-databind: denial of service via a large depth of nested objects * CVE-2021-23436: immer: type confusion vulnerability can lead to a bypass of CVE-2020-28477 * CVE-2021-44906: minimist: prototype pollution * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-202...

CVE-2020-4301: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 176609.

Red Hat Security Advisory 2022-5069-01

Red Hat Security Advisory 2022-5069-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.0. Issues addressed include code execution, cross site scripting, denial of service, information leakage, and traversal vulnerabilities.

RHSA-2022:5069: Red Hat Security Advisory: OpenShift Container Platform 4.11.0 bug fix and security update

Red Hat OpenShift Container Platform release 4.11.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23566: nanoid: Information disclosure via valueOf() function * CVE-2021-23648: sanitize-url: XSS * CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion * CVE-2021-44906:...

Red Hat Security Advisory 2022-5928-01

Red Hat Security Advisory 2022-5928-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.5, and includes bug fixes and enhancements. Issues addressed include a deserialization vulnerability.

RHSA-2022:5928: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.6 Security update

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44906: minimist: prototype pollution * CVE-2022-24823: netty: world readable temporary file containing sensitive data * CVE-2022-25647: com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson

Red Hat Security Advisory 2022-5892-01

Red Hat Security Advisory 2022-5892-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include a deserialization vulnerability.

Red Hat Security Advisory 2022-5893-01

Red Hat Security Advisory 2022-5893-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include a deserialization vulnerability.

Red Hat Security Advisory 2022-5894-01

Red Hat Security Advisory 2022-5894-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.6 is a first release for Red Hat JBoss Enterprise Application Platform 7.4 on Red Hat Enterprise Linux 9, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include a deserialization vulnerability.

CVE-2022-21586: Oracle Critical Patch Update Advisory - July 2022

Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Infrastructure). The supported version that is affected is 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Trade Finance accessible data as well as unauthorized access to critical data or complete access to all Oracle Banking Trade Finance accessible data. CVSS 3.1 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).

RHEA-2022:5615: Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update

An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers * CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests * CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite * CVE-2021-37712: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite * CVE-2021-44531: nodejs: Improper...

Solving the indirect vulnerability enigma - fixing indirect vulnerabilities without breaking your dependency tree

Fixing indirect vulnerabilities is one of those complex, tedious and, quite frankly, boring tasks that no one really wants to touch. No one except for Debricked, it seems. Sure, there are lots of ways to do it manually, but can it be done automatically with minimal risk of breaking changes? The Debricked team decided to find out.  A forest full of fragile trees So, where do you even start?

RHEA-2022:5221: Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update

An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers * CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests * CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite * CVE-2021-37712: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite * CVE-2021-44531: nodejs: Improper...

RHEA-2022:5139: Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update

An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers * CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests * CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite * CVE-2021-37712: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite * CVE-2021-44531: nodejs: Improper handling of URI Subject A...

Red Hat Security Advisory 2022-4956-01

Red Hat Security Advisory 2022-4956-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.0 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs and security issues. Issues addressed include privilege escalation and traversal vulnerabilities.

RHSA-2022:4956: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.5 security updates, images, and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.5.0 is now generally available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion * CVE-2021-43565: golang.org/x/crypto: empty plaintext packet causes panic * CVE-2021-43816: containerd: Unprivileged pod may bind mount any privileged regular file on disk * CVE-2021-43858: minio: user priv...

Containers vulnerability risk assessment

Security considerations are even more important today than they were in the past. Every day we discover new vulnerabilities that impact our computer systems, and every day our computer systems become more complex. With the deluge of vulnerabilities that threaten to swamp our security teams, the question, "How much does it matter?" comes quickly to our minds. This question, "Does it matter?", has two parts:

RHEA-2022:4925: Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update

An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers * CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests * CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite * CVE-2021-37712: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite * CVE-2021-44531: nodejs...

RHSA-2022:4914: Red Hat Security Advisory: rh-nodejs12-nodejs security, bug fix, and enhancement update

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers * CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests * CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links a...

RHSA-2022:4914: Red Hat Security Advisory: rh-nodejs12-nodejs security, bug fix, and enhancement update

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers * CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests * CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links a...

RHSA-2022:4914: Red Hat Security Advisory: rh-nodejs12-nodejs security, bug fix, and enhancement update

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers * CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests * CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links a...

RHSA-2022:4914: Red Hat Security Advisory: rh-nodejs12-nodejs security, bug fix, and enhancement update

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers * CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests * CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links a...

RHSA-2022:4914: Red Hat Security Advisory: rh-nodejs12-nodejs security, bug fix, and enhancement update

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers * CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests * CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links a...

RHSA-2022:4914: Red Hat Security Advisory: rh-nodejs12-nodejs security, bug fix, and enhancement update

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers * CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests * CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links a...

RHSA-2022:4914: Red Hat Security Advisory: rh-nodejs12-nodejs security, bug fix, and enhancement update

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers * CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests * CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links a...

RHSA-2022:4914: Red Hat Security Advisory: rh-nodejs12-nodejs security, bug fix, and enhancement update

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers * CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests * CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links a...

RHSA-2022:4914: Red Hat Security Advisory: rh-nodejs12-nodejs security, bug fix, and enhancement update

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers * CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests * CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links a...

RHSA-2022:4914: Red Hat Security Advisory: rh-nodejs12-nodejs security, bug fix, and enhancement update

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers * CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests * CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links a...

CVE-2021-38946: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 211240.

CVE-2021-38946: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 211240.

CVE-2022-21496: Oracle Critical Patch Update Advisory - April 2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...

CVE-2022-21496: Oracle Critical Patch Update Advisory - April 2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...

CVE-2022-21496: Oracle Critical Patch Update Advisory - April 2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...

CVE-2022-21496: Oracle Critical Patch Update Advisory - April 2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...

CVE-2021-44533

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.

CVE-2022-21824

Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.

CVE-2022-21363: Oracle Critical Patch Update Advisory - January 2022

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2022-21363: Oracle Critical Patch Update Advisory - January 2022

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2021-22959

The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.

CVE-2021-3918: Don't allow __proto__ property to be used for schema default/coerce, … · kriszyp/json-schema@22f1461

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVE-2021-22960

The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

CVE-2021-35576: Oracle Critical Patch Update Advisory - October 2021

Vulnerability in the Oracle Database Enterprise Edition Unified Audit component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker having Local Logon privilege with network access via Oracle Net to compromise Oracle Database Enterprise Edition Unified Audit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database Enterprise Edition Unified Audit accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

CVE-2021-37712: Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file sy...

CVE-2021-37701: Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links

The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/` characters as path separators, however `\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possib...

Packet Storm: Latest News

Zeek 6.0.9