Headline
RHSA-2022:8832: Red Hat Security Advisory: nodejs:18 security, bug fix, and enhancement update
An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function
- CVE-2022-43548: nodejs: DNS rebinding in inspect via invalid octal IP address
Issued:
2022-12-06
Updated:
2022-12-06
RHSA-2022:8832 - Security Advisory
Synopsis
Moderate: nodejs:18 security, bug fix, and enhancement update
Type/Severity
Security Advisory: Moderate
Topic
An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: nodejs (18.12.1). (BZ#2142809, BZ#2142830, BZ#2142834, BZ#2142856)
Security Fix(es):
- nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
- nodejs: DNS rebinding in inspect via invalid octal IP address (CVE-2022-43548)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
Fixes
- BZ - 2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
- BZ - 2140911 - CVE-2022-43548 nodejs: DNS rebinding in inspect via invalid octal IP address
- BZ - 2142809 - nodejs:18/nodejs: Rebase to the latest Nodejs 18 release [rhel-9] [rhel-9.1.0.z]
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
Red Hat Enterprise Linux for x86_64 9
SRPM
nodejs-18.12.1-1.module+el9.1.0.z+17326+318294bb.src.rpm
SHA-256: 81afaa32f3b66e1df91d30783dbbe6488024aab645c2c219dd3be1b2e6ca03db
nodejs-nodemon-2.0.20-1.module+el9.1.0.z+17326+318294bb.src.rpm
SHA-256: f1ac6663efb1b869fdd13b4f4750393a7f9389e574dbcaa9777dea46f74cdc36
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.src.rpm
SHA-256: fd4cb1826d0e63749d7ca229842c4449088dc3d7c3e3fb0704d722c66d20aff1
x86_64
nodejs-18.12.1-1.module+el9.1.0.z+17326+318294bb.x86_64.rpm
SHA-256: 7ce310618bf88abab3f32c47c7d0e988d828837649119436af09582c691a84d8
nodejs-debuginfo-18.12.1-1.module+el9.1.0.z+17326+318294bb.x86_64.rpm
SHA-256: 70cde3c52b9528ed0bec131fb8125bbb1556f6a0899bd554d7d6a2ef768c2ab1
nodejs-debugsource-18.12.1-1.module+el9.1.0.z+17326+318294bb.x86_64.rpm
SHA-256: ec09fa2951eda2260269d13a9a7208aac99086048b654e41717e559e20d983e1
nodejs-devel-18.12.1-1.module+el9.1.0.z+17326+318294bb.x86_64.rpm
SHA-256: 5b7ad328d4a45fa27cf54f8e651b60317a2953342aa290002cef66fcec0b2b62
nodejs-docs-18.12.1-1.module+el9.1.0.z+17326+318294bb.noarch.rpm
SHA-256: 58477e0ff0ee65e7020d57a867eb56228340e5875244cecab7cf6654ec241233
nodejs-full-i18n-18.12.1-1.module+el9.1.0.z+17326+318294bb.x86_64.rpm
SHA-256: d0240df2d34808133b38a0bb40856e80733dfd00fe3e37dfd0ed5cb623cf0e8d
nodejs-nodemon-2.0.20-1.module+el9.1.0.z+17326+318294bb.noarch.rpm
SHA-256: bf52fbd5c732fc7d46b16ad95539c6fef8b57f070b3488a3aed0f9105ec55203
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm
SHA-256: 68464b58e953276d3e4ec6478cc7cd656b0bb7692b6232baeb53177a0dfc162d
nodejs-packaging-bundler-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm
SHA-256: b35bba697b10222e6e87e817a7feabe5802805e1c05fbbcf3d312dc532836b43
npm-8.19.2-1.18.12.1.1.module+el9.1.0.z+17326+318294bb.x86_64.rpm
SHA-256: 4c7c73aba761cb69b2dd16a073e816c4dc976b661db4540834775c73d5ed6dad
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
nodejs-18.12.1-1.module+el9.1.0.z+17326+318294bb.src.rpm
SHA-256: 81afaa32f3b66e1df91d30783dbbe6488024aab645c2c219dd3be1b2e6ca03db
nodejs-nodemon-2.0.20-1.module+el9.1.0.z+17326+318294bb.src.rpm
SHA-256: f1ac6663efb1b869fdd13b4f4750393a7f9389e574dbcaa9777dea46f74cdc36
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.src.rpm
SHA-256: fd4cb1826d0e63749d7ca229842c4449088dc3d7c3e3fb0704d722c66d20aff1
s390x
nodejs-docs-18.12.1-1.module+el9.1.0.z+17326+318294bb.noarch.rpm
SHA-256: 58477e0ff0ee65e7020d57a867eb56228340e5875244cecab7cf6654ec241233
nodejs-nodemon-2.0.20-1.module+el9.1.0.z+17326+318294bb.noarch.rpm
SHA-256: bf52fbd5c732fc7d46b16ad95539c6fef8b57f070b3488a3aed0f9105ec55203
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm
SHA-256: 68464b58e953276d3e4ec6478cc7cd656b0bb7692b6232baeb53177a0dfc162d
nodejs-packaging-bundler-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm
SHA-256: b35bba697b10222e6e87e817a7feabe5802805e1c05fbbcf3d312dc532836b43
nodejs-18.12.1-1.module+el9.1.0.z+17326+318294bb.s390x.rpm
SHA-256: 6b5d5c940d712e710863bcc6371c2b0e7a55ba72a1d040287127615218f7e618
nodejs-debuginfo-18.12.1-1.module+el9.1.0.z+17326+318294bb.s390x.rpm
SHA-256: 6d5d0bce71def1ffef58da52574cdd47ff954c8625a95cb56415c64f08e3a27d
nodejs-debugsource-18.12.1-1.module+el9.1.0.z+17326+318294bb.s390x.rpm
SHA-256: c98749f26eb9073bb6bc0f9a789ae1a337f075126da69ea3ad9c4dbd35a82f42
nodejs-devel-18.12.1-1.module+el9.1.0.z+17326+318294bb.s390x.rpm
SHA-256: 9e0a012c1c11cdbb1ae8ced2518406693a2346048d24f0b3737b0850b0b7780c
nodejs-full-i18n-18.12.1-1.module+el9.1.0.z+17326+318294bb.s390x.rpm
SHA-256: d57bf89224ee7e8abbe6bd5394631f09b1f488a4b8802b50a1e115832641df47
npm-8.19.2-1.18.12.1.1.module+el9.1.0.z+17326+318294bb.s390x.rpm
SHA-256: 25cb72c675d67b740031da247cc66b0e37ee899ab090c3e94898b115e6f0f5c3
Red Hat Enterprise Linux for Power, little endian 9
SRPM
nodejs-18.12.1-1.module+el9.1.0.z+17326+318294bb.src.rpm
SHA-256: 81afaa32f3b66e1df91d30783dbbe6488024aab645c2c219dd3be1b2e6ca03db
nodejs-nodemon-2.0.20-1.module+el9.1.0.z+17326+318294bb.src.rpm
SHA-256: f1ac6663efb1b869fdd13b4f4750393a7f9389e574dbcaa9777dea46f74cdc36
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.src.rpm
SHA-256: fd4cb1826d0e63749d7ca229842c4449088dc3d7c3e3fb0704d722c66d20aff1
ppc64le
nodejs-docs-18.12.1-1.module+el9.1.0.z+17326+318294bb.noarch.rpm
SHA-256: 58477e0ff0ee65e7020d57a867eb56228340e5875244cecab7cf6654ec241233
nodejs-nodemon-2.0.20-1.module+el9.1.0.z+17326+318294bb.noarch.rpm
SHA-256: bf52fbd5c732fc7d46b16ad95539c6fef8b57f070b3488a3aed0f9105ec55203
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm
SHA-256: 68464b58e953276d3e4ec6478cc7cd656b0bb7692b6232baeb53177a0dfc162d
nodejs-packaging-bundler-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm
SHA-256: b35bba697b10222e6e87e817a7feabe5802805e1c05fbbcf3d312dc532836b43
nodejs-18.12.1-1.module+el9.1.0.z+17326+318294bb.ppc64le.rpm
SHA-256: ee240f8c9b86cb935ff2be9948b4fedcf1d731c75c7c685f97c0c4a946416df4
nodejs-debuginfo-18.12.1-1.module+el9.1.0.z+17326+318294bb.ppc64le.rpm
SHA-256: 886628c84df3c5cef22af12de3d85ff3d78b06fce6a7adb65c4ffcc736d881fe
nodejs-debugsource-18.12.1-1.module+el9.1.0.z+17326+318294bb.ppc64le.rpm
SHA-256: ee9eb5097b32179740968707a972822584164644c7a995370e4a26681410be8b
nodejs-devel-18.12.1-1.module+el9.1.0.z+17326+318294bb.ppc64le.rpm
SHA-256: 36749de716a8dc60683e2f2d2edee56ed61b1c3f4e0ae96c36c569f737e81747
nodejs-full-i18n-18.12.1-1.module+el9.1.0.z+17326+318294bb.ppc64le.rpm
SHA-256: 3223a3411739c94a91d6522a5151930861f29bbb6938e77b7d5bec752c249a94
npm-8.19.2-1.18.12.1.1.module+el9.1.0.z+17326+318294bb.ppc64le.rpm
SHA-256: 6cd8193c9ab434fb41718e3176901196b44a380db6bb689cce0cc5c628be69aa
Red Hat Enterprise Linux for ARM 64 9
SRPM
nodejs-18.12.1-1.module+el9.1.0.z+17326+318294bb.src.rpm
SHA-256: 81afaa32f3b66e1df91d30783dbbe6488024aab645c2c219dd3be1b2e6ca03db
nodejs-nodemon-2.0.20-1.module+el9.1.0.z+17326+318294bb.src.rpm
SHA-256: f1ac6663efb1b869fdd13b4f4750393a7f9389e574dbcaa9777dea46f74cdc36
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.src.rpm
SHA-256: fd4cb1826d0e63749d7ca229842c4449088dc3d7c3e3fb0704d722c66d20aff1
aarch64
nodejs-docs-18.12.1-1.module+el9.1.0.z+17326+318294bb.noarch.rpm
SHA-256: 58477e0ff0ee65e7020d57a867eb56228340e5875244cecab7cf6654ec241233
nodejs-nodemon-2.0.20-1.module+el9.1.0.z+17326+318294bb.noarch.rpm
SHA-256: bf52fbd5c732fc7d46b16ad95539c6fef8b57f070b3488a3aed0f9105ec55203
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm
SHA-256: 68464b58e953276d3e4ec6478cc7cd656b0bb7692b6232baeb53177a0dfc162d
nodejs-packaging-bundler-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm
SHA-256: b35bba697b10222e6e87e817a7feabe5802805e1c05fbbcf3d312dc532836b43
nodejs-18.12.1-1.module+el9.1.0.z+17326+318294bb.aarch64.rpm
SHA-256: ee65346b763647781aa94973de5fca57086cd7cdaa634125180d2d068e28a0b0
nodejs-debuginfo-18.12.1-1.module+el9.1.0.z+17326+318294bb.aarch64.rpm
SHA-256: 9973680e31baaf8f7e27650712d869738abb72f5df10e925a106866fe5fe9f64
nodejs-debugsource-18.12.1-1.module+el9.1.0.z+17326+318294bb.aarch64.rpm
SHA-256: 87ec6edda30be77a8e524d1d6a8627e61685c30d3b80d48dd2748fdc2b326574
nodejs-devel-18.12.1-1.module+el9.1.0.z+17326+318294bb.aarch64.rpm
SHA-256: 862ff8d0730c5311d6a035186ba10af596ad46a5ffb39b9df118e33709df4d2d
nodejs-full-i18n-18.12.1-1.module+el9.1.0.z+17326+318294bb.aarch64.rpm
SHA-256: 80746b06ac54b5421fb800faa073219293b7162842248fdcbcd81d9e5306425a
npm-8.19.2-1.18.12.1.1.module+el9.1.0.z+17326+318294bb.aarch64.rpm
SHA-256: f9c79f339d7afdacb2de1b4f45d83b79bbecdf2341f9dcb295ebeeca42760fb3
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Gentoo Linux Security Advisory 202405-29 - Multiple vulnerabilities have been discovered in Node.js. Versions greater than or equal to 16.20.2 are affected.
Ubuntu Security Notice 6491-1 - Axel Chong discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. Zeyu Zhang discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS.
Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).
Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...
Red Hat Security Advisory 2023-1743-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include buffer overflow, bypass, and denial of service vulnerabilities.
An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2021-44531: A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry...
An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2022-3517: A vulnerability was found in the nodejs-minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) whe...
Red Hat Security Advisory 2023-1533-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling, buffer overflow, bypass, and denial of service vulnerabilities.
An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2021-44906: An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to tr...
Red Hat Advanced Cluster Management for Kubernetes 2.7.0 General Availability release images, which provide security updates and fix bugs. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: A vulnerability was found in the nodejs-minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service. * CVE-2022-30629: A flaw was found in the crypto/tls golang pa...
An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2021-44906: An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker t...
Red Hat Security Advisory 2023-0471-01 - An update is now available for Migration Toolkit for Runtimes (v1.0.1). Issues addressed include a denial of service vulnerability.
An update is now available for Migration Toolkit for Runtimes (v1.0.1). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-25914: jib-core: RCE via the isDockerInstalled * CVE-2022-37603: loader-utils: Regular expression denial of service * CVE-2022-42003: jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS * CVE-2022-42004: jackson-databind: use of deeply nested arrays * CVE-2022...
Debian Linux Security Advisory 5326-1 - Multiple vulnerabilities were discovered in Node.js, which could result in HTTP request smuggling, bypass of host IP address validation and weak randomness setup.
An update for nodejs and nodejs-nodemon is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44906: minimist: prototype pollution * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-35256: nodejs: HTTP Request Smuggling due to incorrect parsing of header fields * CVE-2022-43548: nodejs: DNS rebinding in inspect via invalid octal IP address
Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Red Hat Security Advisory 2023-0050-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.
An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44906: minimist: prototype pollution * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-24999: express: "qs" prototype poisoning causes the hang of the node process * CVE-2022-43548: nodejs: DNS rebinding in inspect via inva...
Red Hat Security Advisory 2022-9073-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.
An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-44531: nodejs: Improper handling of URI Subject Alternative Names * CVE-2021-44532: nodejs: Certificate Verification Bypass via String Injection * CVE-2021-44533: nodejs: Incorrect handling of certificate subject and issuer fields * CVE-2021-44906: minimist: prototype pollution * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand fu...
Red Hat Advanced Cluster Management for Kubernetes 2.6.3 General Availability release images, which provide security updates, fix bugs, and update container images. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-41912: crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements
Red Hat Security Advisory 2022-8832-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-8833-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.
An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-43548: nodejs: DNS rebinding in inspect via invalid octal IP address
An OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests, allowing rebinding attacks. The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
A vulnerability in Qlik Sense Enterprise on Windows could allow a remote attacker to enumerate domain user accounts. An attacker could exploit this vulnerability by sending authentication requests to an affected system. A successful exploit could allow the attacker to compare the response times returned by the affected system to determine which accounts are valid user accounts. Affected systems are only vulnerable if they have LDAP configured.