RHSA-2022:8833: Red Hat Security Advisory: nodejs:18 security, bug fix, and enhancement update
An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function
- CVE-2022-43548: nodejs: DNS rebinding in inspect via invalid octal IP address
Issued: 2022-12-06
Updated: 2022-12-06
RHSA-2022:8833 - Security Advisory
Synopsis
Moderate: nodejs:18 security, bug fix, and enhancement update
Type/Severity
Security Advisory: Moderate
Description
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: nodejs (18.12.1), nodejs-nodemon (2.0.20). (BZ#2142818)
Security Fix(es):
- nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
- nodejs: DNS rebinding in inspect via invalid octal IP address (CVE-2022-43548)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
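The advisory gives two things a defender can check on a host: the fixed version-release strings of the nodejs and nodejs-nodemon packages, and the SHA-256 of each shipped RPM. The script below is an added example, not Red Hat's tooling: it compares an installed version-release against the advisory's fixed one using a simplified form of rpm's segment-wise version comparison (an assumption: it covers the dotted, dashed and "+"-separated module strings listed in this advisory but omits rpm's "~" and "^" handling), and verifies a downloaded RPM against one of the checksums from the package list. The version strings and the x86_64 nodejs checksum are copied from this advisory; any other sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not part of RHSA-2022:8833): check whether a RHEL 8 host carries
# the nodejs:18 packages from this advisory, and verify an RPM's SHA-256.

# Version-release strings the advisory ships (arch suffix omitted).
NODEJS_FIXED_VR="18.12.1-2.module+el8.7.0+17306+fc023f99"
NODEMON_FIXED_VR="2.0.20-1.module+el8.7.0+17282+f47dd33b"

# Advisory checksum for nodejs-18.12.1-2.module+el8.7.0+17306+fc023f99.x86_64.rpm
NODEJS_X86_64_SHA256="049899443bac05c10b9493f8f34b77cd2a884c88e76b94b926dafcc7351e9af0"

# vercmp A B -> prints -1, 0 or 1 (A older than, equal to, newer than B).
# Simplified rpmvercmp (assumption, see lead-in): split on non-alphanumerics and at
# digit/letter boundaries, then compare segment by segment; numeric segments
# compare as integers, alphabetic ones as strings, and a numeric segment ranks
# above an alphabetic one. A string that runs out of segments first is older.
vercmp() {
    a=$(printf '%s' "$1" | tr -c '[:alnum:]' ' ' \
        | sed -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g')
    b=$(printf '%s' "$2" | tr -c '[:alnum:]' ' ' \
        | sed -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g')
    awk -v a="$a" -v b="$b" '
    BEGIN {
        na = split(a, x, " "); nb = split(b, y, " ")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (i > na) { print "-1"; exit }
            if (i > nb) { print "1"; exit }
            xn = (x[i] ~ /^[0-9]+$/); yn = (y[i] ~ /^[0-9]+$/)
            if (xn && yn) {
                if (x[i] + 0 != y[i] + 0) { print ((x[i] + 0 > y[i] + 0) ? "1" : "-1"); exit }
            } else if (xn != yn) {
                print (xn ? "1" : "-1"); exit
            } else if (x[i] != y[i]) {
                print ((x[i] > y[i]) ? "1" : "-1"); exit
            }
        }
        print "0"
    }'
}

# rpm_is_fixed NAME INSTALLED_VR -> 0 if the package is at or past the advisory
# version, 1 if it is older, 2 if the advisory does not cover that package.
rpm_is_fixed() {
    case "$1" in
        nodejs)         fixed="$NODEJS_FIXED_VR" ;;
        nodejs-nodemon) fixed="$NODEMON_FIXED_VR" ;;
        *)              return 2 ;;
    esac
    [ "$(vercmp "$2" "$fixed")" -ge 0 ]
}

# sha256_matches FILE EXPECTED -> 0 when FILE's SHA-256 equals EXPECTED (lowercase hex).
sha256_matches() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d ' ' -f 1)
    else
        actual=$(shasum -a 256 "$1" | cut -d ' ' -f 1)
    fi
    [ "$actual" = "$2" ]
}

# Live check of the running host. Only runs when invoked with --live, so the
# functions above can be sourced or tested on a machine without rpm.
check_host() {
    for pkg in nodejs nodejs-nodemon; do
        vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$pkg" 2>/dev/null) || {
            echo "$pkg: not installed"; continue; }
        if rpm_is_fixed "$pkg" "$vr"; then
            echo "$pkg-$vr: at or past RHSA-2022:8833"
        else
            echo "$pkg-$vr: older than RHSA-2022:8833, update needed"
        fi
    done
}

if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Run it as `sh check-rhsa-2022-8833.sh --live` on a RHEL 8 host to report each package, or source it and call `sha256_matches path/to/file.rpm <hash from the package list>` after downloading an RPM. A negative result from `rpm_is_fixed` only says the package predates this advisory; whether the host is actually exposed still depends on whether the Node.js inspector is reachable (CVE-2022-43548) and whether untrusted input reaches minimatch's brace expansion (CVE-2022-3517).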
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for ARM 64 8 aarch64
Fixes
- BZ - 2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
- BZ - 2140911 - CVE-2022-43548 nodejs: DNS rebinding in inspect via invalid octal IP address
- BZ - 2142818 - nodejs:18/nodejs: Rebase to the latest Nodejs 18 release [rhel-8] [rhel-8.7.0.z]
Red Hat Enterprise Linux for x86_64 8
SRPM
nodejs-18.12.1-2.module+el8.7.0+17306+fc023f99.src.rpm
SHA-256: 2ba6d20a4e72ecb7b5ce585f5f5c582335cff21b540af87c58d18eb6303083f5
nodejs-nodemon-2.0.20-1.module+el8.7.0+17282+f47dd33b.src.rpm
SHA-256: 492ff6b18a2266bb4b415f70c76efa75b5f6fc44b88013cd480c9e8ab3ea59e8
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.src.rpm
SHA-256: f1345ed8ecd3230b52424cb789ff10664a96a3e7eac42f3cc5c5e787e4d393bd
x86_64
nodejs-18.12.1-2.module+el8.7.0+17306+fc023f99.x86_64.rpm
SHA-256: 049899443bac05c10b9493f8f34b77cd2a884c88e76b94b926dafcc7351e9af0
nodejs-debuginfo-18.12.1-2.module+el8.7.0+17306+fc023f99.x86_64.rpm
SHA-256: 385e3699ac455704efcb0b90e3391859b47ec5ab30323eca47de875b099cc529
nodejs-debugsource-18.12.1-2.module+el8.7.0+17306+fc023f99.x86_64.rpm
SHA-256: eb9eeb8419df42a65e1655bcc5240b0cd89f37c0e370108013037cf8d662e9d6
nodejs-devel-18.12.1-2.module+el8.7.0+17306+fc023f99.x86_64.rpm
SHA-256: 8a3289f003dcd9cf0ddd66924e68b80eea1f5021008b9e38dc289792579cb6cd
nodejs-docs-18.12.1-2.module+el8.7.0+17306+fc023f99.noarch.rpm
SHA-256: ce10f4e3504286155e35265cf331d38d13255155c89f741d4ed4352019497145
nodejs-full-i18n-18.12.1-2.module+el8.7.0+17306+fc023f99.x86_64.rpm
SHA-256: d1f1796bb9972ec8e00a0e712acd7a4d5fb82ca1bd0dcfd8341051449c421a33
nodejs-nodemon-2.0.20-1.module+el8.7.0+17282+f47dd33b.noarch.rpm
SHA-256: 354b8acb590ec7aea5199b5037d22b5465cfe19bfd2f953cba939cf45261a2a9
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm
SHA-256: 3ef698eb2f19de97bde0e2e7eb6de64ef1c8370f5c6e4283874b34cce46914d4
nodejs-packaging-bundler-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm
SHA-256: d2fd8d3242cc76d52c1eb84fced4f82b629cce882854ec7189f4de1ea47e20b4
npm-8.19.2-1.18.12.1.2.module+el8.7.0+17306+fc023f99.x86_64.rpm
SHA-256: f75d3ac6879076e1e28b6e5f4a559c3f505654d1d2f91ecfcf6e35b49d32c362
Red Hat Enterprise Linux for IBM z Systems 8
SRPM
nodejs-18.12.1-2.module+el8.7.0+17306+fc023f99.src.rpm
SHA-256: 2ba6d20a4e72ecb7b5ce585f5f5c582335cff21b540af87c58d18eb6303083f5
nodejs-nodemon-2.0.20-1.module+el8.7.0+17282+f47dd33b.src.rpm
SHA-256: 492ff6b18a2266bb4b415f70c76efa75b5f6fc44b88013cd480c9e8ab3ea59e8
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.src.rpm
SHA-256: f1345ed8ecd3230b52424cb789ff10664a96a3e7eac42f3cc5c5e787e4d393bd
s390x
nodejs-docs-18.12.1-2.module+el8.7.0+17306+fc023f99.noarch.rpm
SHA-256: ce10f4e3504286155e35265cf331d38d13255155c89f741d4ed4352019497145
nodejs-nodemon-2.0.20-1.module+el8.7.0+17282+f47dd33b.noarch.rpm
SHA-256: 354b8acb590ec7aea5199b5037d22b5465cfe19bfd2f953cba939cf45261a2a9
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm
SHA-256: 3ef698eb2f19de97bde0e2e7eb6de64ef1c8370f5c6e4283874b34cce46914d4
nodejs-packaging-bundler-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm
SHA-256: d2fd8d3242cc76d52c1eb84fced4f82b629cce882854ec7189f4de1ea47e20b4
nodejs-18.12.1-2.module+el8.7.0+17306+fc023f99.s390x.rpm
SHA-256: 06c9d7ec888464f89ec8cf11caf4cf44a2d7d01a47713528445c56fddb796140
nodejs-debuginfo-18.12.1-2.module+el8.7.0+17306+fc023f99.s390x.rpm
SHA-256: 40c0044453d02f8d3eec5f8fd88db08a04c15f0059a6d79a8e07241001facb27
nodejs-debugsource-18.12.1-2.module+el8.7.0+17306+fc023f99.s390x.rpm
SHA-256: 7ec3b2d4d0827eb7a33251929666e44a6ca39370b463509283b52c6b4e328400
nodejs-devel-18.12.1-2.module+el8.7.0+17306+fc023f99.s390x.rpm
SHA-256: 23811309b43074f1bdc93edb3832b9bde43f495ec582027e79265ed968e13812
nodejs-full-i18n-18.12.1-2.module+el8.7.0+17306+fc023f99.s390x.rpm
SHA-256: 229947748ef93f2024f854e773ded2d98ce948f904fcc97d532e55d30552d413
npm-8.19.2-1.18.12.1.2.module+el8.7.0+17306+fc023f99.s390x.rpm
SHA-256: 90011c3a0f6afec48a5b3fd4888b28df49906239e4624c9d7ecc2a0d74609405
Red Hat Enterprise Linux for Power, little endian 8
SRPM
nodejs-18.12.1-2.module+el8.7.0+17306+fc023f99.src.rpm
SHA-256: 2ba6d20a4e72ecb7b5ce585f5f5c582335cff21b540af87c58d18eb6303083f5
nodejs-nodemon-2.0.20-1.module+el8.7.0+17282+f47dd33b.src.rpm
SHA-256: 492ff6b18a2266bb4b415f70c76efa75b5f6fc44b88013cd480c9e8ab3ea59e8
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.src.rpm
SHA-256: f1345ed8ecd3230b52424cb789ff10664a96a3e7eac42f3cc5c5e787e4d393bd
ppc64le
nodejs-docs-18.12.1-2.module+el8.7.0+17306+fc023f99.noarch.rpm
SHA-256: ce10f4e3504286155e35265cf331d38d13255155c89f741d4ed4352019497145
nodejs-nodemon-2.0.20-1.module+el8.7.0+17282+f47dd33b.noarch.rpm
SHA-256: 354b8acb590ec7aea5199b5037d22b5465cfe19bfd2f953cba939cf45261a2a9
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm
SHA-256: 3ef698eb2f19de97bde0e2e7eb6de64ef1c8370f5c6e4283874b34cce46914d4
nodejs-packaging-bundler-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm
SHA-256: d2fd8d3242cc76d52c1eb84fced4f82b629cce882854ec7189f4de1ea47e20b4
nodejs-18.12.1-2.module+el8.7.0+17306+fc023f99.ppc64le.rpm
SHA-256: d770ee06b2739bd026551d37830422e8b97b375336ff2bc8166631b818801b41
nodejs-debuginfo-18.12.1-2.module+el8.7.0+17306+fc023f99.ppc64le.rpm
SHA-256: 625bd38d00448a2d8f16448cd1b4b75cad845364079813d5b31d3cd50e47f5b3
nodejs-debugsource-18.12.1-2.module+el8.7.0+17306+fc023f99.ppc64le.rpm
SHA-256: b4de223304474cd9347c49a7dc729506368e94ed58d0ed2e3b9aa7ef60ec79e7
nodejs-devel-18.12.1-2.module+el8.7.0+17306+fc023f99.ppc64le.rpm
SHA-256: 4de1d68e50fbf9eae7cccfa94ad6f75a880192a749ee481d3fbef17e7597ec8a
nodejs-full-i18n-18.12.1-2.module+el8.7.0+17306+fc023f99.ppc64le.rpm
SHA-256: ffd8883e0bd8dad69aace89f5c64ad45e5becb7a881cc7c17e73781081258aba
npm-8.19.2-1.18.12.1.2.module+el8.7.0+17306+fc023f99.ppc64le.rpm
SHA-256: 2f01cc11286accf328d558db29ff5cef4b3cf94ad456d13228a28791c2fa3e6e
Red Hat Enterprise Linux for ARM 64 8
SRPM
nodejs-18.12.1-2.module+el8.7.0+17306+fc023f99.src.rpm
SHA-256: 2ba6d20a4e72ecb7b5ce585f5f5c582335cff21b540af87c58d18eb6303083f5
nodejs-nodemon-2.0.20-1.module+el8.7.0+17282+f47dd33b.src.rpm
SHA-256: 492ff6b18a2266bb4b415f70c76efa75b5f6fc44b88013cd480c9e8ab3ea59e8
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.src.rpm
SHA-256: f1345ed8ecd3230b52424cb789ff10664a96a3e7eac42f3cc5c5e787e4d393bd
aarch64
nodejs-docs-18.12.1-2.module+el8.7.0+17306+fc023f99.noarch.rpm
SHA-256: ce10f4e3504286155e35265cf331d38d13255155c89f741d4ed4352019497145
nodejs-nodemon-2.0.20-1.module+el8.7.0+17282+f47dd33b.noarch.rpm
SHA-256: 354b8acb590ec7aea5199b5037d22b5465cfe19bfd2f953cba939cf45261a2a9
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm
SHA-256: 3ef698eb2f19de97bde0e2e7eb6de64ef1c8370f5c6e4283874b34cce46914d4
nodejs-packaging-bundler-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm
SHA-256: d2fd8d3242cc76d52c1eb84fced4f82b629cce882854ec7189f4de1ea47e20b4
nodejs-18.12.1-2.module+el8.7.0+17306+fc023f99.aarch64.rpm
SHA-256: 08017401e132d7e44e5b548feedd22815a068eff8147992522d5a89464f500bc
nodejs-debuginfo-18.12.1-2.module+el8.7.0+17306+fc023f99.aarch64.rpm
SHA-256: 6e21683d7dacce90ad10c551aa71365fd307d864ff64916146c367f587f2d1c9
nodejs-debugsource-18.12.1-2.module+el8.7.0+17306+fc023f99.aarch64.rpm
SHA-256: 1c34bbfc106c113c76cceae5f82b8070c4633a608f0fd330fa078a3bce8216a3
nodejs-devel-18.12.1-2.module+el8.7.0+17306+fc023f99.aarch64.rpm
SHA-256: ac6636f4fa60d2684b8d03bc880398d3bd1fb8c9a4000e9d835951567d1afc0f
nodejs-full-i18n-18.12.1-2.module+el8.7.0+17306+fc023f99.aarch64.rpm
SHA-256: 45f72cc21dc64b79e243ce3b5156112ba08b22b798fab5ab8712a87acbf05c0a
npm-8.19.2-1.18.12.1.2.module+el8.7.0+17306+fc023f99.aarch64.rpm
SHA-256: 07cdf3f0b05dc45c44c21a5fb8f1a7f2c141857aba38b89631bdd43a6c49b590
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
CVE details
- CVE-2022-43548: An OS command injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check whether an IP address is invalid before making DNS requests, allowing rebinding attacks. The fix for this issue in CVE-2022-32212 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212) was incomplete, and this new CVE is to complete the fix.
- CVE-2022-3517: A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a denial of service.