Security
Headlines
HeadlinesLatestCVEs

Headline

RHSA-2023:1533: Red Hat Security Advisory: nodejs:14 security, bug fix, and enhancement update

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.
  • CVE-2021-44906: An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or proto payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
  • CVE-2022-3517: A vulnerability was found in the nodejs-minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
  • CVE-2022-4904: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
  • CVE-2022-24999: A flaw was found in the express.js npm package. Express.js Express is vulnerable to a denial of service caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a proto or constructor payload, a remote attacker can cause a denial of service.
  • CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.
  • CVE-2022-35256: A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
  • CVE-2022-38900: A flaw was found in decode-uri-component. This issue occurs due to a specially crafted input, resulting in a denial of service.
  • CVE-2022-43548: A flaw was found in NodeJS. The issue occurs in the Node.js rebinding protector for --inspect that still allows invalid IP addresses, specifically, the octal format. This flaw allows an attacker to perform DNS rebinding and execute arbitrary code.
  • CVE-2023-23918: A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
  • CVE-2023-23920: An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.
Red Hat Security Data
#vulnerability#linux#red_hat#dos#nodejs#js#java#buffer_overflow#auth#ibm#sap

Synopsis

Important: nodejs:14 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (14.21.3).

Security Fix(es):

  • decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)
  • glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
  • minimist: prototype pollution (CVE-2021-44906)
  • nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
  • c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)
  • express: “qs” prototype poisoning causes the hang of the node process (CVE-2022-24999)
  • http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)
  • nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)
  • nodejs: DNS rebinding in inspect via invalid octal IP address (CVE-2022-43548)
  • Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)
  • Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
  • Red Hat Enterprise Linux Server - AUS 8.4 x86_64
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
  • Red Hat Enterprise Linux Server - TUS 8.4 x86_64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.4 x86_64

Fixes

  • BZ - 2066009 - CVE-2021-44906 minimist: prototype pollution
  • BZ - 2130518 - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields
  • BZ - 2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
  • BZ - 2140911 - CVE-2022-43548 nodejs: DNS rebinding in inspect via invalid octal IP address
  • BZ - 2142823 - nodejs:14/nodejs: Rebase to the latest Nodejs 14 release [rhel-8] [rhel-8.4.0.z]
  • BZ - 2150323 - CVE-2022-24999 express: “qs” prototype poisoning causes the hang of the node process
  • BZ - 2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service
  • BZ - 2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability
  • BZ - 2168631 - CVE-2022-4904 c-ares: buffer overflow in config_sortlist() due to missing string length check
  • BZ - 2170644 - CVE-2022-38900 decode-uri-component: improper input validation resulting in DoS
  • BZ - 2171935 - CVE-2023-23918 Node.js: Permissions policies can be bypassed via process.mainModule
  • BZ - 2172217 - CVE-2023-23920 Node.js: insecure loading of ICU data through ICU_DATA environment variable
  • BZ - 2175828 - nodejs:14/nodejs: Rebase to the latest Nodejs 14 release [rhel-8] [rhel-8.4.0.z]

CVEs

  • CVE-2021-35065
  • CVE-2021-44906
  • CVE-2022-3517
  • CVE-2022-4904
  • CVE-2022-24999
  • CVE-2022-25881
  • CVE-2022-35256
  • CVE-2022-38900
  • CVE-2022-43548
  • CVE-2023-23918
  • CVE-2023-23920

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4

SRPM

nodejs-14.21.3-1.module+el8.4.0+18317+43f5ac16.src.rpm

SHA-256: 07c96f425e0104adbda6ba720d049063604224ba84526749ac2e0ea24d9386ad

nodejs-nodemon-2.0.20-3.module+el8.4.0+18317+43f5ac16.src.rpm

SHA-256: 27239ca08caaa8405951cdfd355912dcc59a18f4817c479d8a57b38dd2830099

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

SHA-256: 550d2f0197e4e69e9cfba813170d0fab3911749327f0c30db022424702287709

x86_64

nodejs-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: 8cda26c081db7f1659119dbf4d3ff7b9c2d2f0d41ba80c86815ac7eb990de467

nodejs-debuginfo-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: 3dd73a94f85c1e9dc1f559c3dcfc0bb3f225a05ea88a90470b4fe8f28596e1e5

nodejs-debugsource-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: f49ffe68291ed83f262374fbab8c6c0270b03d7c3f464374ba4125badf83d279

nodejs-devel-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: 161a522c06addb6958a10ab5d79be549b8c8d925fb43b687a4cbc647e15d7491

nodejs-docs-14.21.3-1.module+el8.4.0+18317+43f5ac16.noarch.rpm

SHA-256: 1ceb6d496343a9d8b70d5612486c83048a4f7810a038e56050954a3718d64745

nodejs-full-i18n-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: 629edf40ea86fb6a8cdb052bf3bdf782ed185880afadcec2485dcfa075a98327

nodejs-nodemon-2.0.20-3.module+el8.4.0+18317+43f5ac16.noarch.rpm

SHA-256: 6f420d462280cd84a1553b54b8ea1ea05c115d40623ae8875289f3ad08793114

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

SHA-256: d0ffb55491051b33ed7a0c9d1dfeb65ef76f367c9df1065140d0fa830091b169

npm-6.14.18-1.14.21.3.1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: d0c8cc8c4fd82709605e12590f9b2417e68fb2d0b8b23d574ea0767ad5e789b6

Red Hat Enterprise Linux Server - AUS 8.4

SRPM

nodejs-14.21.3-1.module+el8.4.0+18317+43f5ac16.src.rpm

SHA-256: 07c96f425e0104adbda6ba720d049063604224ba84526749ac2e0ea24d9386ad

nodejs-nodemon-2.0.20-3.module+el8.4.0+18317+43f5ac16.src.rpm

SHA-256: 27239ca08caaa8405951cdfd355912dcc59a18f4817c479d8a57b38dd2830099

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

SHA-256: 550d2f0197e4e69e9cfba813170d0fab3911749327f0c30db022424702287709

x86_64

nodejs-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: 8cda26c081db7f1659119dbf4d3ff7b9c2d2f0d41ba80c86815ac7eb990de467

nodejs-debuginfo-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: 3dd73a94f85c1e9dc1f559c3dcfc0bb3f225a05ea88a90470b4fe8f28596e1e5

nodejs-debugsource-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: f49ffe68291ed83f262374fbab8c6c0270b03d7c3f464374ba4125badf83d279

nodejs-devel-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: 161a522c06addb6958a10ab5d79be549b8c8d925fb43b687a4cbc647e15d7491

nodejs-docs-14.21.3-1.module+el8.4.0+18317+43f5ac16.noarch.rpm

SHA-256: 1ceb6d496343a9d8b70d5612486c83048a4f7810a038e56050954a3718d64745

nodejs-full-i18n-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: 629edf40ea86fb6a8cdb052bf3bdf782ed185880afadcec2485dcfa075a98327

nodejs-nodemon-2.0.20-3.module+el8.4.0+18317+43f5ac16.noarch.rpm

SHA-256: 6f420d462280cd84a1553b54b8ea1ea05c115d40623ae8875289f3ad08793114

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

SHA-256: d0ffb55491051b33ed7a0c9d1dfeb65ef76f367c9df1065140d0fa830091b169

npm-6.14.18-1.14.21.3.1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: d0c8cc8c4fd82709605e12590f9b2417e68fb2d0b8b23d574ea0767ad5e789b6

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4

SRPM

nodejs-14.21.3-1.module+el8.4.0+18317+43f5ac16.src.rpm

SHA-256: 07c96f425e0104adbda6ba720d049063604224ba84526749ac2e0ea24d9386ad

nodejs-nodemon-2.0.20-3.module+el8.4.0+18317+43f5ac16.src.rpm

SHA-256: 27239ca08caaa8405951cdfd355912dcc59a18f4817c479d8a57b38dd2830099

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

SHA-256: 550d2f0197e4e69e9cfba813170d0fab3911749327f0c30db022424702287709

s390x

nodejs-docs-14.21.3-1.module+el8.4.0+18317+43f5ac16.noarch.rpm

SHA-256: 1ceb6d496343a9d8b70d5612486c83048a4f7810a038e56050954a3718d64745

nodejs-nodemon-2.0.20-3.module+el8.4.0+18317+43f5ac16.noarch.rpm

SHA-256: 6f420d462280cd84a1553b54b8ea1ea05c115d40623ae8875289f3ad08793114

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

SHA-256: d0ffb55491051b33ed7a0c9d1dfeb65ef76f367c9df1065140d0fa830091b169

nodejs-14.21.3-1.module+el8.4.0+18317+43f5ac16.s390x.rpm

SHA-256: 16c0d659088d1e7680619ba82a742f23b04778aecc8aace67301518fb6b037c3

nodejs-debuginfo-14.21.3-1.module+el8.4.0+18317+43f5ac16.s390x.rpm

SHA-256: a4e8d48a7eee3408195c0715272c668849f9098a3a5b42de9415d8f639d017c1

nodejs-debugsource-14.21.3-1.module+el8.4.0+18317+43f5ac16.s390x.rpm

SHA-256: 10eafea1cf18a9f0adc5d685b2700fad76107305fce8515382f0c79c399493cd

nodejs-devel-14.21.3-1.module+el8.4.0+18317+43f5ac16.s390x.rpm

SHA-256: 5fe5e9037a6d5c233c682ae1d3b962908146bf9579b0ca6eb15d663656bf3a71

nodejs-full-i18n-14.21.3-1.module+el8.4.0+18317+43f5ac16.s390x.rpm

SHA-256: 5a65b62ee3aeb12af767a0b7e52d888bd1f0d2a0b4b016d5ef76d66faebc9733

npm-6.14.18-1.14.21.3.1.module+el8.4.0+18317+43f5ac16.s390x.rpm

SHA-256: 9c364b037d44f831043f36a76eb0b8a24b4cd946e54d4681113ecfd76cf368a1

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4

SRPM

nodejs-14.21.3-1.module+el8.4.0+18317+43f5ac16.src.rpm

SHA-256: 07c96f425e0104adbda6ba720d049063604224ba84526749ac2e0ea24d9386ad

nodejs-nodemon-2.0.20-3.module+el8.4.0+18317+43f5ac16.src.rpm

SHA-256: 27239ca08caaa8405951cdfd355912dcc59a18f4817c479d8a57b38dd2830099

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

SHA-256: 550d2f0197e4e69e9cfba813170d0fab3911749327f0c30db022424702287709

ppc64le

nodejs-docs-14.21.3-1.module+el8.4.0+18317+43f5ac16.noarch.rpm

SHA-256: 1ceb6d496343a9d8b70d5612486c83048a4f7810a038e56050954a3718d64745

nodejs-nodemon-2.0.20-3.module+el8.4.0+18317+43f5ac16.noarch.rpm

SHA-256: 6f420d462280cd84a1553b54b8ea1ea05c115d40623ae8875289f3ad08793114

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

SHA-256: d0ffb55491051b33ed7a0c9d1dfeb65ef76f367c9df1065140d0fa830091b169

nodejs-14.21.3-1.module+el8.4.0+18317+43f5ac16.ppc64le.rpm

SHA-256: 3d462fc52e874466a8f9e35fadc8d3b43d8164a025fa02331bc52551e8c2f4d5

nodejs-debuginfo-14.21.3-1.module+el8.4.0+18317+43f5ac16.ppc64le.rpm

SHA-256: dcba8972acaeff857906b93711c74b79f8130108c44799a8991f5d8a13d82572

nodejs-debugsource-14.21.3-1.module+el8.4.0+18317+43f5ac16.ppc64le.rpm

SHA-256: 913ceb5fea0ae79fd4e16ebfac51faf47c649baf4e8c3c911b3cc85cfef0966d

nodejs-devel-14.21.3-1.module+el8.4.0+18317+43f5ac16.ppc64le.rpm

SHA-256: 49bb43d58f05cbffca78ac4d8daa34671da2f28b1c74441a93e871dbbd435263

nodejs-full-i18n-14.21.3-1.module+el8.4.0+18317+43f5ac16.ppc64le.rpm

SHA-256: 764c80666b4c735775775fdcb9b8a45cb0c294678f21594b97087d5289defe14

npm-6.14.18-1.14.21.3.1.module+el8.4.0+18317+43f5ac16.ppc64le.rpm

SHA-256: f1213c3aea2ba543aa84f09573e866078353478c178139e48dafc7e399c05ac9

Red Hat Enterprise Linux Server - TUS 8.4

SRPM

nodejs-14.21.3-1.module+el8.4.0+18317+43f5ac16.src.rpm

SHA-256: 07c96f425e0104adbda6ba720d049063604224ba84526749ac2e0ea24d9386ad

nodejs-nodemon-2.0.20-3.module+el8.4.0+18317+43f5ac16.src.rpm

SHA-256: 27239ca08caaa8405951cdfd355912dcc59a18f4817c479d8a57b38dd2830099

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

SHA-256: 550d2f0197e4e69e9cfba813170d0fab3911749327f0c30db022424702287709

x86_64

nodejs-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: 8cda26c081db7f1659119dbf4d3ff7b9c2d2f0d41ba80c86815ac7eb990de467

nodejs-debuginfo-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: 3dd73a94f85c1e9dc1f559c3dcfc0bb3f225a05ea88a90470b4fe8f28596e1e5

nodejs-debugsource-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: f49ffe68291ed83f262374fbab8c6c0270b03d7c3f464374ba4125badf83d279

nodejs-devel-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: 161a522c06addb6958a10ab5d79be549b8c8d925fb43b687a4cbc647e15d7491

nodejs-docs-14.21.3-1.module+el8.4.0+18317+43f5ac16.noarch.rpm

SHA-256: 1ceb6d496343a9d8b70d5612486c83048a4f7810a038e56050954a3718d64745

nodejs-full-i18n-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: 629edf40ea86fb6a8cdb052bf3bdf782ed185880afadcec2485dcfa075a98327

nodejs-nodemon-2.0.20-3.module+el8.4.0+18317+43f5ac16.noarch.rpm

SHA-256: 6f420d462280cd84a1553b54b8ea1ea05c115d40623ae8875289f3ad08793114

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

SHA-256: d0ffb55491051b33ed7a0c9d1dfeb65ef76f367c9df1065140d0fa830091b169

npm-6.14.18-1.14.21.3.1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: d0c8cc8c4fd82709605e12590f9b2417e68fb2d0b8b23d574ea0767ad5e789b6

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4

SRPM

nodejs-14.21.3-1.module+el8.4.0+18317+43f5ac16.src.rpm

SHA-256: 07c96f425e0104adbda6ba720d049063604224ba84526749ac2e0ea24d9386ad

nodejs-nodemon-2.0.20-3.module+el8.4.0+18317+43f5ac16.src.rpm

SHA-256: 27239ca08caaa8405951cdfd355912dcc59a18f4817c479d8a57b38dd2830099

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

SHA-256: 550d2f0197e4e69e9cfba813170d0fab3911749327f0c30db022424702287709

aarch64

nodejs-docs-14.21.3-1.module+el8.4.0+18317+43f5ac16.noarch.rpm

SHA-256: 1ceb6d496343a9d8b70d5612486c83048a4f7810a038e56050954a3718d64745

nodejs-nodemon-2.0.20-3.module+el8.4.0+18317+43f5ac16.noarch.rpm

SHA-256: 6f420d462280cd84a1553b54b8ea1ea05c115d40623ae8875289f3ad08793114

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

SHA-256: d0ffb55491051b33ed7a0c9d1dfeb65ef76f367c9df1065140d0fa830091b169

nodejs-14.21.3-1.module+el8.4.0+18317+43f5ac16.aarch64.rpm

SHA-256: 883a4554b01c861fe36271ca8df6f745d22feb20b531ebd2896f47bc3bed3b19

nodejs-debuginfo-14.21.3-1.module+el8.4.0+18317+43f5ac16.aarch64.rpm

SHA-256: 86405bcb4746b4a2383cbb83f28a05b283c93b4add7bcc45c61cba3f1a92ac44

nodejs-debugsource-14.21.3-1.module+el8.4.0+18317+43f5ac16.aarch64.rpm

SHA-256: 6b753d678206832700f09802fe2cbbc52ccb32be6229dbe7a1c6632326690426

nodejs-devel-14.21.3-1.module+el8.4.0+18317+43f5ac16.aarch64.rpm

SHA-256: 639ffdb2c4a92fa424e46b200820e713326b5bb7acb11bf156435432f55a3abc

nodejs-full-i18n-14.21.3-1.module+el8.4.0+18317+43f5ac16.aarch64.rpm

SHA-256: d8d2ea7049e3ac6da178f355f4f12c794a2de497e263caeba5a5be11f3639383

npm-6.14.18-1.14.21.3.1.module+el8.4.0+18317+43f5ac16.aarch64.rpm

SHA-256: 207165d909e72a312156df54e0c645f68f1f0d59bff45afe5b9f765ca398e6c6

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4

SRPM

nodejs-14.21.3-1.module+el8.4.0+18317+43f5ac16.src.rpm

SHA-256: 07c96f425e0104adbda6ba720d049063604224ba84526749ac2e0ea24d9386ad

nodejs-nodemon-2.0.20-3.module+el8.4.0+18317+43f5ac16.src.rpm

SHA-256: 27239ca08caaa8405951cdfd355912dcc59a18f4817c479d8a57b38dd2830099

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

SHA-256: 550d2f0197e4e69e9cfba813170d0fab3911749327f0c30db022424702287709

ppc64le

nodejs-docs-14.21.3-1.module+el8.4.0+18317+43f5ac16.noarch.rpm

SHA-256: 1ceb6d496343a9d8b70d5612486c83048a4f7810a038e56050954a3718d64745

nodejs-nodemon-2.0.20-3.module+el8.4.0+18317+43f5ac16.noarch.rpm

SHA-256: 6f420d462280cd84a1553b54b8ea1ea05c115d40623ae8875289f3ad08793114

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

SHA-256: d0ffb55491051b33ed7a0c9d1dfeb65ef76f367c9df1065140d0fa830091b169

nodejs-14.21.3-1.module+el8.4.0+18317+43f5ac16.ppc64le.rpm

SHA-256: 3d462fc52e874466a8f9e35fadc8d3b43d8164a025fa02331bc52551e8c2f4d5

nodejs-debuginfo-14.21.3-1.module+el8.4.0+18317+43f5ac16.ppc64le.rpm

SHA-256: dcba8972acaeff857906b93711c74b79f8130108c44799a8991f5d8a13d82572

nodejs-debugsource-14.21.3-1.module+el8.4.0+18317+43f5ac16.ppc64le.rpm

SHA-256: 913ceb5fea0ae79fd4e16ebfac51faf47c649baf4e8c3c911b3cc85cfef0966d

nodejs-devel-14.21.3-1.module+el8.4.0+18317+43f5ac16.ppc64le.rpm

SHA-256: 49bb43d58f05cbffca78ac4d8daa34671da2f28b1c74441a93e871dbbd435263

nodejs-full-i18n-14.21.3-1.module+el8.4.0+18317+43f5ac16.ppc64le.rpm

SHA-256: 764c80666b4c735775775fdcb9b8a45cb0c294678f21594b97087d5289defe14

npm-6.14.18-1.14.21.3.1.module+el8.4.0+18317+43f5ac16.ppc64le.rpm

SHA-256: f1213c3aea2ba543aa84f09573e866078353478c178139e48dafc7e399c05ac9

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.4

SRPM

nodejs-14.21.3-1.module+el8.4.0+18317+43f5ac16.src.rpm

SHA-256: 07c96f425e0104adbda6ba720d049063604224ba84526749ac2e0ea24d9386ad

nodejs-nodemon-2.0.20-3.module+el8.4.0+18317+43f5ac16.src.rpm

SHA-256: 27239ca08caaa8405951cdfd355912dcc59a18f4817c479d8a57b38dd2830099

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

SHA-256: 550d2f0197e4e69e9cfba813170d0fab3911749327f0c30db022424702287709

x86_64

nodejs-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: 8cda26c081db7f1659119dbf4d3ff7b9c2d2f0d41ba80c86815ac7eb990de467

nodejs-debuginfo-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: 3dd73a94f85c1e9dc1f559c3dcfc0bb3f225a05ea88a90470b4fe8f28596e1e5

nodejs-debugsource-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: f49ffe68291ed83f262374fbab8c6c0270b03d7c3f464374ba4125badf83d279

nodejs-devel-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: 161a522c06addb6958a10ab5d79be549b8c8d925fb43b687a4cbc647e15d7491

nodejs-docs-14.21.3-1.module+el8.4.0+18317+43f5ac16.noarch.rpm

SHA-256: 1ceb6d496343a9d8b70d5612486c83048a4f7810a038e56050954a3718d64745

nodejs-full-i18n-14.21.3-1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: 629edf40ea86fb6a8cdb052bf3bdf782ed185880afadcec2485dcfa075a98327

nodejs-nodemon-2.0.20-3.module+el8.4.0+18317+43f5ac16.noarch.rpm

SHA-256: 6f420d462280cd84a1553b54b8ea1ea05c115d40623ae8875289f3ad08793114

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

SHA-256: d0ffb55491051b33ed7a0c9d1dfeb65ef76f367c9df1065140d0fa830091b169

npm-6.14.18-1.14.21.3.1.module+el8.4.0+18317+43f5ac16.x86_64.rpm

SHA-256: d0c8cc8c4fd82709605e12590f9b2417e68fb2d0b8b23d574ea0767ad5e789b6

Related news

Ubuntu Security Notice USN-6672-1

Ubuntu Security Notice 6672-1 - Morgan Jones discovered that Node.js incorrectly handled certain inputs that leads to false positive errors during some cryptographic operations. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.10. It was discovered that Node.js incorrectly handled certain inputs leaded to a untrusted search path vulnerability. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to perform a privilege escalation.

Gentoo Linux Security Advisory 202401-02

Gentoo Linux Security Advisory 202401-2 - Multiple vulnerabilities have been found in c-ares, the worst of which could result in the loss of confidentiality or integrity. Versions greater than or equal to 1.19.0 are affected.

Debian Security Advisory 5589-1

Debian Linux Security Advisory 5589-1 - Multiple vulnerabilities were discovered in Node.js, which could result in HTTP request smuggling, bypass of policy feature checks, denial of service or loading of incorrect ICU data.

Red Hat Security Advisory 2023-7543-01

Red Hat Security Advisory 2023-7543-01 - An update for c-ares is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a buffer overflow vulnerability.

Red Hat Security Advisory 2023-7116-01

Red Hat Security Advisory 2023-7116-01 - An update for c-ares is now available for Red Hat Enterprise Linux 8. Issues addressed include a buffer overflow vulnerability.

CVE-2023-38735: Security Bulletin: IBM Cognos Dashboards on Cloud Pak for Data has addressed security vulnerabilities

IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a victim to a phishing site. IBM X-Force ID: 262482.

Red Hat Security Advisory 2023-5533-01

Red Hat Security Advisory 2023-5533-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The package has been upgraded to a later upstream version: nodejs. Issues addressed include HTTP request smuggling, buffer overflow, bypass, crlf injection, and denial of service vulnerabilities.

CVE-2022-4137

A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.

RHSA-2023:4983: Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.4 security update

An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which provides a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-30129: A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0 * CVE-2022-3171: A parsing issue with binary data in protobuf-java core and...

Red Hat Security Advisory 2023-4035-01

Red Hat Security Advisory 2023-4035-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include buffer overflow and denial of service vulnerabilities.

RHSA-2023:4035: Red Hat Security Advisory: nodejs:18 security update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4904: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. * CVE-2023-31124: A flaw was found in c-ares. This issue occurs...

Red Hat Security Advisory 2023-3742-02

Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.

RHSA-2023:3742: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...

RHSA-2023:3645: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.2.7 security update

Red Hat OpenShift Service Mesh 2.2.7 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-20329: A flaw was found in Mongo. Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshaling Go objects into BSON. This flaw allows a malicious user to use a Go object with a specific string to inject additional fields into marshaled documents. * CVE-2021-43138: A vulnerability was found in the async package. This flaw allows a malicious user to obtai...

RHSA-2023:3265: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.12.3 Security and Bug fix update

Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.3 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23539: A flaw was found in the jsonwebtoken package. The affected versions of the `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. *...

Red Hat Security Advisory 2023-2654-01

Red Hat Security Advisory 2023-2654-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include buffer overflow, bypass, crlf injection, and denial of service vulnerabilities.

Red Hat Security Advisory 2023-2655-01

Red Hat Security Advisory 2023-2655-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include buffer overflow, bypass, crlf injection, and denial of service vulnerabilities.

RHSA-2023:2655: Red Hat Security Advisory: nodejs and nodejs-nodemon security, bug fix, and enhancement update

An update for nodejs and nodejs-nodemon is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4904: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. * CVE-2022-25881: A flaw was found in http-cache-semantics....

Red Hat Security Advisory 2023-2098-01

Red Hat Security Advisory 2023-2098-01 - Multicluster Engine for Kubernetes 2.0.8 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.

RHSA-2023:2098: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.0.8 security updates and bug fixes

Multicluster Engine for Kubernetes 2.0.8 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.

Red Hat Security Advisory 2023-2083-01

Red Hat Security Advisory 2023-2083-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.5 General Availability release images, which fix bugs and security updates container images. Issues addressed include denial of service and server-side request forgery vulnerabilities.

Debian Security Advisory 5395-1

Debian Linux Security Advisory 5395-1 - An untrusted search path vulnerability was discovered in Node.js, which could result in unexpected searching or loading ICU data when running with elevated privileges.

Red Hat Security Advisory 2023-2061-01

Red Hat Security Advisory 2023-2061-01 - Multicluster Engine for Kubernetes 2.1.6 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-1887-01

Red Hat Security Advisory 2023-1887-01 - Multicluster Engine for Kubernetes 2.2.3 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-1888-01

Red Hat Security Advisory 2023-1888-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.3 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include denial of service and server-side request forgery vulnerabilities.

RHSA-2023:1888: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.7.3 security fixes and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.7.3 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3841: A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). An attacker could take advantage of this as the console API endpoint is missing an authentication check, allowing unauth...

RHSA-2023:1887: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.2.3 security updates and bug fixes

Multicluster Engine for Kubernetes 2.2.3 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server. * CVE-2023-29017: A flaw was found in vm2 where the component...

CVE-2023-21954: Oracle Critical Patch Update Advisory - April 2023

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...

Red Hat Security Advisory 2023-1744-01

Red Hat Security Advisory 2023-1744-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include buffer overflow, bypass, and denial of service vulnerabilities.

Red Hat Security Advisory 2023-1743-01

Red Hat Security Advisory 2023-1743-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include buffer overflow, bypass, and denial of service vulnerabilities.

RHSA-2023:1744: Red Hat Security Advisory: rh-nodejs14-nodejs security, bug fix, and enhancement update

An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4904: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. * CVE-2022-25881: A flaw was found in http-cache-semantics. Whe...

RHSA-2023:1742: Red Hat Security Advisory: nodejs:14 security, bug fix, and enhancement update

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2021-44531: A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry...

RHSA-2023:1743: Red Hat Security Advisory: nodejs:14 security, bug fix, and enhancement update

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2022-3517: A vulnerability was found in the nodejs-minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) whe...

RHSA-2023:1583: Red Hat Security Advisory: nodejs:18 security, bug fix, and enhancement update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regula...

RHSA-2023:1582: Red Hat Security Advisory: nodejs:16 security, bug fix, and enhancement update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2022-4904: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which a...

Red Hat Security Advisory 2023-1533-01

Red Hat Security Advisory 2023-1533-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling, buffer overflow, bypass, and denial of service vulnerabilities.

RHSA-2023:1428: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.8 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2022-24999: A flaw was found in the express.js npm package. Express.js Express is vulnerable to a d...

RHSA-2023:1428: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.8 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2022-24999: A flaw was found in the express.js npm package. Express.js Express is vulnerable to a d...

Red Hat Security Advisory 2023-0932-01

Red Hat Security Advisory 2023-0932-01 - Update information for Logging Subsystem 5.6.3 in Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate.

RHSA-2023:0930: Red Hat Security Advisory: Logging Subsystem 5.5.8 - Red Hat OpenShift

Logging Subsystem 5.5.8 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&...

CVE-2022-4904: Invalid Bug ID

A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.

Ubuntu Security Notice USN-5907-1

Ubuntu Security Notice 5907-1 - It was discovered that c-ares incorrectly handled certain sortlist strings. A remote attacker could use this issue to cause c-ares to crash, resulting in a denial of service, or possibly execute arbitrary code.

Red Hat Security Advisory 2023-1049-01

Red Hat Security Advisory 2023-1049-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.2 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, cross site scripting, denial of service, deserialization, html injection, memory exhaustion, open redirection, server-side request forgery, and traversal vulnerabilities.

RHSA-2023:1049: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update

A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. * CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. * CVE-2019-11358: A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modi...

RHSA-2023:1047: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 for OpenShift image security and enhancement update

A new image is available for Red Hat Single Sign-On 7.6.2, running on Red Hat OpenShift Container Platform from the release of 3.11 up to the release of 4.12.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. * CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. * CVE-2019-11358: A Prototype Pollution vulnerability was found in jque...

RHSA-2023:1044: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 8

New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. * CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. * CVE-2019-11358: A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modi...

RHSA-2023:0934: Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update

Migration Toolkit for Applications 6.0.1 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to...

RHSA-2023:0934: Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update

Migration Toolkit for Applications 6.0.1 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to...

CVE-2023-23920: Thursday February 16 2023 Security Releases | Node.js

An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.

CVE-2023-23920: Thursday February 16 2023 Security Releases | Node.js

An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.

Red Hat Security Advisory 2023-0794-01

Red Hat Security Advisory 2023-0794-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.4 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

RHSA-2023:0794: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.6.4 bug fixes and security updates

Red Hat Advanced Cluster Management for Kubernetes 2.6.4 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload i...

Red Hat Security Advisory 2023-0634-01

Red Hat Security Advisory 2023-0634-01 - Logging Subsystem 5.6.1 - Red Hat OpenShift. Issues addressed include a denial of service vulnerability.

RHSA-2023:0634: Red Hat Security Advisory: Red Hat OpenShift (Logging Subsystem) security update

Logging Subsystem 5.6.1 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2022-46175: A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned f...

RHSA-2023:0612: Red Hat Security Advisory: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update

An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2021-44906: An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker t...

RHSA-2023:0612: Red Hat Security Advisory: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update

An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2021-44906: An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker t...

RHSA-2023:0612: Red Hat Security Advisory: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update

An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2021-44906: An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker t...

GHSA-rc47-6667-2j5j: http-cache-semantics vulnerable to Regular Expression Denial of Service

http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

CVE-2022-25881: Snyk Vulnerability Database | Snyk

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Red Hat Security Advisory 2023-0471-01

Red Hat Security Advisory 2023-0471-01 - An update is now available for Migration Toolkit for Runtimes (v1.0.1). Issues addressed include a denial of service vulnerability.

RHSA-2023:0471: Red Hat Security Advisory: Migration Toolkit for Runtimes security update

An update is now available for Migration Toolkit for Runtimes (v1.0.1). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-25914: jib-core: RCE via the isDockerInstalled * CVE-2022-37603: loader-utils:Regular expression denial of service * CVE-2022-42003: jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS * CVE-2022-42004: jackson-databind: use of deeply nested arrays * CVE-2022...

Debian Security Advisory 5326-1

Debian Linux Security Advisory 5326-1 - Multiple vulnerabilities were discovered in Node.js, which could result in HTTP request smuggling, bypass of host IP address validation and weak randomness setup.

Debian Security Advisory 5326-1

Debian Linux Security Advisory 5326-1 - Multiple vulnerabilities were discovered in Node.js, which could result in HTTP request smuggling, bypass of host IP address validation and weak randomness setup.

RHSA-2023:0321: Red Hat Security Advisory: nodejs and nodejs-nodemon security, bug fix, and enhancement update

An update for nodejs and nodejs-nodemon is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44906: minimist: prototype pollution * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-35256: nodejs: HTTP Request Smuggling due to incorrect parsing of header fields * CVE-2022-43548: nodejs: DNS rebinding in inspect via invalid octal IP address

RHSA-2023:0321: Red Hat Security Advisory: nodejs and nodejs-nodemon security, bug fix, and enhancement update

An update for nodejs and nodejs-nodemon is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44906: minimist: prototype pollution * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-35256: nodejs: HTTP Request Smuggling due to incorrect parsing of header fields * CVE-2022-43548: nodejs: DNS rebinding in inspect via invalid octal IP address

Red Hat Security Advisory 2023-0050-01

Red Hat Security Advisory 2023-0050-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-0050-01

Red Hat Security Advisory 2023-0050-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.

RHSA-2023:0050: Red Hat Security Advisory: nodejs:14 security, bug fix, and enhancement update

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44906: minimist: prototype pollution * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-24999: express: "qs" prototype poisoning causes the hang of the node process * CVE-2022-43548: nodejs: DNS rebinding in inspect via inva...

RHSA-2023:0050: Red Hat Security Advisory: nodejs:14 security, bug fix, and enhancement update

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44906: minimist: prototype pollution * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-24999: express: "qs" prototype poisoning causes the hang of the node process * CVE-2022-43548: nodejs: DNS rebinding in inspect via inva...

CVE-2021-35065: fix: Resolve ReDoS vulnerability from CVE-2021-35065 (#49) · gulpjs/glob-parent@3e9f04a

The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.

Red Hat Security Advisory 2022-9073-01

Red Hat Security Advisory 2022-9073-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.

Red Hat Security Advisory 2022-9073-01

Red Hat Security Advisory 2022-9073-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.

RHSA-2022:9073: Red Hat Security Advisory: nodejs:16 security, bug fix, and enhancement update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44531: nodejs: Improper handling of URI Subject Alternative Names * CVE-2021-44532: nodejs: Certificate Verification Bypass via String Injection * CVE-2021-44533: nodejs: Incorrect handling of certificate subject and issuer fields * CVE-2021-44906: minimist: prototype pollution * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand fu...

RHSA-2022:9073: Red Hat Security Advisory: nodejs:16 security, bug fix, and enhancement update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44531: nodejs: Improper handling of URI Subject Alternative Names * CVE-2021-44532: nodejs: Certificate Verification Bypass via String Injection * CVE-2021-44533: nodejs: Incorrect handling of certificate subject and issuer fields * CVE-2021-44906: minimist: prototype pollution * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand fu...

RHSA-2022:9073: Red Hat Security Advisory: nodejs:16 security, bug fix, and enhancement update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44531: nodejs: Improper handling of URI Subject Alternative Names * CVE-2021-44532: nodejs: Certificate Verification Bypass via String Injection * CVE-2021-44533: nodejs: Incorrect handling of certificate subject and issuer fields * CVE-2021-44906: minimist: prototype pollution * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand fu...

Red Hat Security Advisory 2022-8832-01

Red Hat Security Advisory 2022-8832-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-8832-01

Red Hat Security Advisory 2022-8832-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-8833-01

Red Hat Security Advisory 2022-8833-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-8833-01

Red Hat Security Advisory 2022-8833-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.

RHSA-2022:8833: Red Hat Security Advisory: nodejs:18 security, bug fix, and enhancement update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-43548: nodejs: DNS rebinding in inspect via invalid octal IP address

RHSA-2022:8833: Red Hat Security Advisory: nodejs:18 security, bug fix, and enhancement update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-43548: nodejs: DNS rebinding in inspect via invalid octal IP address

RHSA-2022:8832: Red Hat Security Advisory: nodejs:18 security, bug fix, and enhancement update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-43548: nodejs: DNS rebinding in inspect via invalid octal IP address

RHSA-2022:8832: Red Hat Security Advisory: nodejs:18 security, bug fix, and enhancement update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-43548: nodejs: DNS rebinding in inspect via invalid octal IP address

CVE-2022-35256

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

CVE-2022-43548: Nov 3 2022 Security Releases | Node.js

A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.

GHSA-w573-4hg7-7wgq: decode-uri-component vulnerable to Denial of Service (DoS)

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

CVE-2022-38900: TypeError: decodeComponents(...).join is not a function · Issue #345 · sindresorhus/query-string

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

GHSA-hrpp-h998-j3pp: qs vulnerable to Prototype Pollution

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

CVE-2022-24999: GitHub - n8tz/CVE-2022-24999: "qs" prototype poisoning vulnerability ( CVE-2022-24999 )

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Red Hat Security Advisory 2022-7830-01

Red Hat Security Advisory 2022-7830-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

Red Hat Security Advisory 2022-7821-01

Red Hat Security Advisory 2022-7821-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a HTTP request smuggling vulnerability.

RHSA-2022:7830: Red Hat Security Advisory: nodejs:14 security update

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44531: nodejs: Improper handling of URI Subject Alternative Names * CVE-2021-44532: nodejs: Certificate Verification Bypass via String Injection * CVE-2021-44533: nodejs: Incorrect handling of certificate subject and issuer fields * CVE-2022-21824: nodejs: Prototype pollution via console.table properties * CVE-2022-35256: nodejs: HTTP Reque...

RHSA-2022:7821: Red Hat Security Advisory: nodejs:18 security update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-35255: nodejs: weak randomness in WebCrypto keygen * CVE-2022-35256: nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

Red Hat Security Advisory 2022-7044-01

Red Hat Security Advisory 2022-7044-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

Red Hat Security Advisory 2022-6963-01

Red Hat Security Advisory 2022-6963-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a HTTP request smuggling vulnerability.

Red Hat Security Advisory 2022-6964-01

Red Hat Security Advisory 2022-6964-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a HTTP request smuggling vulnerability.

RHSA-2022:6963: Red Hat Security Advisory: nodejs security update

An update for nodejs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-35255: nodejs: weak randomness in WebCrypto keygen * CVE-2022-35256: nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

CVE-2022-3517: PRISMA-2022-0039 - High vulnerability · Issue #329 · grafana/grafana-image-renderer

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

RHSA-2022:6964: Red Hat Security Advisory: nodejs:16 security update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-35255: nodejs: weak randomness in WebCrypto keygen * CVE-2022-35256: nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

Red Hat Security Advisory 2022-5928-01

Red Hat Security Advisory 2022-5928-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.5, and includes bug fixes and enhancements. Issues addressed include a deserialization vulnerability.

RHSA-2022:5928: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.6 Security update

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44906: minimist: prototype pollution * CVE-2022-24823: netty: world readable temporary file containing sensitive data * CVE-2022-25647: com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson

Red Hat Security Advisory 2022-5894-01

Red Hat Security Advisory 2022-5894-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.6 is a first release for Red Hat JBoss Enterprise Application Platform 7.4 on Red Hat Enterprise Linux 9, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include a deserialization vulnerability.

GHSA-cj88-88mr-972w: glob-parent before 6.0.1 vulnerable to Regular Expression Denial of Service (ReDoS)

glob-parent before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).

Red Hat Security Advisory 2022-4914-01

Red Hat Security Advisory 2022-4914-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

RHSA-2022:4914: Red Hat Security Advisory: rh-nodejs12-nodejs security, bug fix, and enhancement update

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers * CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests * CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links a...

CVE-2022-0564: Qlik Sense Enterprise on Windows Release notes - November 2021 Initial Release to Patch 16

A vulnerability in Qlik Sense Enterprise on Windows could allow an remote attacker to enumerate domain user accounts. An attacker could exploit this vulnerability by sending authentication requests to an affected system. A successful exploit could allow the attacker to compare the response time that are returned by the affected system to determine which accounts are valid user accounts. Affected systems are only vulnerable if they have LDAP configured.