RHSA-2023:1583: Red Hat Security Advisory: nodejs:18 security, bug fix, and enhancement update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks, affecting system availability.
  • CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.
  • CVE-2023-23918: A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non-authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
  • CVE-2023-23920: An untrusted search path vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search for and potentially load ICU data when running with elevated privileges.
  • CVE-2023-23936: A flaw was found in the fetch API in Node.js that did not prevent CRLF injection in the ‘host’ header. This issue could allow HTTP response splitting and HTTP header injection.
  • CVE-2023-24807: Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
Red Hat Security Data


Issued: 2023-04-04

Updated: 2023-04-04

RHSA-2023:1583 - Security Advisory


Synopsis

Moderate: nodejs:18 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate


Topic

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (18.14.2).

Security Fix(es):

  • glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
  • http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)
  • Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)
  • Node.js: Fetch API did not protect against CRLF injection in host headers (CVE-2023-23936)
  • Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)
  • Node.js: Regular Expression Denial of Service in Headers fetch API (CVE-2023-24807)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
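As an added example (not code from the advisory, Red Hat, or the Node.js project), the script below shows two checks a defender can run against the facts this advisory states: whether a running Node.js is older than the fixed versions it lists for CVE-2023-23918 and CVE-2023-23920 (19.6.1, 18.14.1, 16.19.1, 14.21.3), and whether outbound header values carry the CR/LF characters behind the CVE-2023-23936 host-header injection, rejecting them before they reach fetch(). The function names and the header-name rule (RFC 9110 token characters) are assumptions of this example.

```javascript
'use strict';

// Fixed versions per release line, exactly as stated in the advisory text
// for CVE-2023-23918 / CVE-2023-23920. Release lines not listed here are
// not covered by the advisory, so the check says nothing about them.
const FIXED_VERSIONS = {
  19: [19, 6, 1],
  18: [18, 14, 1],
  16: [16, 19, 1],
  14: [14, 21, 3],
};

// Parse "v18.14.2", "18.14.2" or an RPM-style "18.14.2-2..." prefix into
// [major, minor, patch]. Throws on anything that does not start that way.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable Node.js version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` is on a release line the advisory names and is older
// than that line's fixed version; false for lines the advisory does not list.
function isBelowFixedVersion(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED_VERSIONS[parsed[0]];
  if (!fixed) return false;
  return compareVersions(parsed, fixed) < 0;
}

// RFC 9110 field values never legitimately contain CR, LF or NUL. Refusing
// them at the application boundary removes the response-splitting / header
// injection input class regardless of how the underlying fetch() behaves.
function isSafeHeaderValue(value) {
  return !/[\r\n\0]/.test(String(value));
}

// Build the headers object for an outbound fetch() call from untrusted
// name/value pairs (e.g. a caller-supplied Host), rejecting any pair that
// could inject a header. Returns a plain object suitable for fetch(url, {headers}).
function buildSafeHeaders(pairs) {
  const out = {};
  for (const [name, value] of Object.entries(pairs)) {
    // Header names are limited to RFC 9110 token characters (assumed rule).
    if (!/^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/.test(name)) {
      throw new Error(`invalid header name: ${JSON.stringify(name)}`);
    }
    if (!isSafeHeaderValue(value)) {
      throw new Error(`CR/LF/NUL in header ${name}: ${JSON.stringify(String(value))}`);
    }
    out[name] = String(value).trim();
  }
  return out;
}

// Stand-alone demo: report on the interpreter running this script.
console.log(
  `${process.version} is ${isBelowFixedVersion(process.version) ? 'below' : 'at or above'}` +
  ' the fixed version for its release line (if the advisory lists that line)'
);
```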

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service
  • BZ - 2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability
  • BZ - 2171935 - CVE-2023-23918 Node.js: Permissions policies can be bypassed via process.mainModule
  • BZ - 2172190 - CVE-2023-23936 Node.js: Fetch API did not protect against CRLF injection in host headers
  • BZ - 2172204 - CVE-2023-24807 Node.js: Regular Expression Denial of Service in Headers fetch API
  • BZ - 2172217 - CVE-2023-23920 Node.js: insecure loading of ICU data through ICU_DATA environment variable
  • BZ - 2178087 - nodejs:18/nodejs: Rebase to the latest Nodejs 18 release [rhel-8] [rhel-8.7.0.z]

CVEs

  • CVE-2021-35065
  • CVE-2022-25881
  • CVE-2023-23918
  • CVE-2023-23920
  • CVE-2023-23936
  • CVE-2023-24807

Red Hat Enterprise Linux for x86_64 8

SRPM

  • nodejs-18.14.2-2.module+el8.7.0+18445+9493b6ea.src.rpm
  • nodejs-nodemon-2.0.20-2.module+el8.7.0+18445+9493b6ea.src.rpm
  • nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.src.rpm

x86_64

  • nodejs-docs-18.14.2-2.module+el8.7.0+18445+9493b6ea.noarch.rpm
  • nodejs-nodemon-2.0.20-2.module+el8.7.0+18445+9493b6ea.noarch.rpm
  • nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm
  • nodejs-packaging-bundler-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm
  • nodejs-18.14.2-2.module+el8.7.0+18445+9493b6ea.x86_64.rpm
  • nodejs-debuginfo-18.14.2-2.module+el8.7.0+18445+9493b6ea.x86_64.rpm
  • nodejs-debugsource-18.14.2-2.module+el8.7.0+18445+9493b6ea.x86_64.rpm
  • nodejs-devel-18.14.2-2.module+el8.7.0+18445+9493b6ea.x86_64.rpm
  • nodejs-full-i18n-18.14.2-2.module+el8.7.0+18445+9493b6ea.x86_64.rpm
  • npm-9.5.0-1.18.14.2.2.module+el8.7.0+18445+9493b6ea.x86_64.rpm

Red Hat Enterprise Linux for IBM z Systems 8

SRPM

  • nodejs-18.14.2-2.module+el8.7.0+18445+9493b6ea.src.rpm
  • nodejs-nodemon-2.0.20-2.module+el8.7.0+18445+9493b6ea.src.rpm
  • nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.src.rpm

s390x

  • nodejs-18.14.2-2.module+el8.7.0+18445+9493b6ea.s390x.rpm
  • nodejs-debuginfo-18.14.2-2.module+el8.7.0+18445+9493b6ea.s390x.rpm
  • nodejs-debugsource-18.14.2-2.module+el8.7.0+18445+9493b6ea.s390x.rpm
  • nodejs-devel-18.14.2-2.module+el8.7.0+18445+9493b6ea.s390x.rpm
  • nodejs-docs-18.14.2-2.module+el8.7.0+18445+9493b6ea.noarch.rpm
  • nodejs-full-i18n-18.14.2-2.module+el8.7.0+18445+9493b6ea.s390x.rpm
  • nodejs-nodemon-2.0.20-2.module+el8.7.0+18445+9493b6ea.noarch.rpm
  • nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm
  • nodejs-packaging-bundler-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm
  • npm-9.5.0-1.18.14.2.2.module+el8.7.0+18445+9493b6ea.s390x.rpm

Red Hat Enterprise Linux for Power, little endian 8

SRPM

  • nodejs-18.14.2-2.module+el8.7.0+18445+9493b6ea.src.rpm
  • nodejs-nodemon-2.0.20-2.module+el8.7.0+18445+9493b6ea.src.rpm
  • nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.src.rpm

ppc64le

  • nodejs-docs-18.14.2-2.module+el8.7.0+18445+9493b6ea.noarch.rpm
  • nodejs-nodemon-2.0.20-2.module+el8.7.0+18445+9493b6ea.noarch.rpm
  • nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm
  • nodejs-packaging-bundler-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm
  • nodejs-18.14.2-2.module+el8.7.0+18445+9493b6ea.ppc64le.rpm
  • nodejs-debuginfo-18.14.2-2.module+el8.7.0+18445+9493b6ea.ppc64le.rpm
  • nodejs-debugsource-18.14.2-2.module+el8.7.0+18445+9493b6ea.ppc64le.rpm
  • nodejs-devel-18.14.2-2.module+el8.7.0+18445+9493b6ea.ppc64le.rpm
  • nodejs-full-i18n-18.14.2-2.module+el8.7.0+18445+9493b6ea.ppc64le.rpm
  • npm-9.5.0-1.18.14.2.2.module+el8.7.0+18445+9493b6ea.ppc64le.rpm

Red Hat Enterprise Linux for ARM 64 8

SRPM

  • nodejs-18.14.2-2.module+el8.7.0+18445+9493b6ea.src.rpm
  • nodejs-nodemon-2.0.20-2.module+el8.7.0+18445+9493b6ea.src.rpm
  • nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.src.rpm

aarch64

  • nodejs-docs-18.14.2-2.module+el8.7.0+18445+9493b6ea.noarch.rpm
  • nodejs-nodemon-2.0.20-2.module+el8.7.0+18445+9493b6ea.noarch.rpm
  • nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm
  • nodejs-packaging-bundler-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm
  • nodejs-18.14.2-2.module+el8.7.0+18445+9493b6ea.aarch64.rpm
  • nodejs-debuginfo-18.14.2-2.module+el8.7.0+18445+9493b6ea.aarch64.rpm
  • nodejs-debugsource-18.14.2-2.module+el8.7.0+18445+9493b6ea.aarch64.rpm
  • nodejs-devel-18.14.2-2.module+el8.7.0+18445+9493b6ea.aarch64.rpm
  • nodejs-full-i18n-18.14.2-2.module+el8.7.0+18445+9493b6ea.aarch64.rpm
  • npm-9.5.0-1.18.14.2.2.module+el8.7.0+18445+9493b6ea.aarch64.rpm

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Ubuntu Security Notice USN-6672-1

Ubuntu Security Notice 6672-1 - Morgan Jones discovered that Node.js incorrectly handled certain inputs that leads to false positive errors during some cryptographic operations. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.10. It was discovered that Node.js incorrectly handled certain inputs leaded to a untrusted search path vulnerability. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to perform a privilege escalation.

Debian Security Advisory 5589-1

Debian Linux Security Advisory 5589-1 - Multiple vulnerabilities were discovered in Node.js, which could result in HTTP request smuggling, bypass of policy feature checks, denial of service or loading of incorrect ICU data.

CVE-2023-38735: Security Bulletin: IBM Cognos Dashboards on Cloud Pak for Data has addressed security vulnerabilities

IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a victim to a phishing site. IBM X-Force ID: 262482.

Red Hat Security Advisory 2023-5533-01

Red Hat Security Advisory 2023-5533-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The package has been upgraded to a later upstream version: nodejs. Issues addressed include HTTP request smuggling, buffer overflow, bypass, crlf injection, and denial of service vulnerabilities.

RHSA-2023:5533: Red Hat Security Advisory: nodejs security, bug fix, and enhancement update

An update for nodejs is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4904: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. * CVE-2022-25881: A flaw was found in http-cache-se...

CVE-2022-4039

A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in the app server configuration.

RHSA-2023:3815: Red Hat Security Advisory: Service Registry (container images) release and security update [2.4.3 GA]

An update to the images for Red Hat Integration - Service Registry is now available from the Red Hat Container Catalog. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK seriali...

Red Hat Security Advisory 2023-2654-01

Red Hat Security Advisory 2023-2654-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include buffer overflow, bypass, crlf injection, and denial of service vulnerabilities.

Red Hat Security Advisory 2023-2655-01

Red Hat Security Advisory 2023-2655-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include buffer overflow, bypass, crlf injection, and denial of service vulnerabilities.

RHSA-2023:2655: Red Hat Security Advisory: nodejs and nodejs-nodemon security, bug fix, and enhancement update

An update for nodejs and nodejs-nodemon is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4904: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. * CVE-2022-25881: A flaw was found in http-cache-semantics....

Red Hat Security Advisory 2023-2104-01

Red Hat Security Advisory 2023-2104-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.8 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include a denial of service vulnerability.

RHSA-2023:2104: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.5.8 security updates and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.5.8 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.

RHSA-2023:2083: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.6.5 security updates and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.6.5 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3841: A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). An attacker could take advantage of this as the console API endpoint is missing an authentication check, allowing unauth...

Debian Security Advisory 5395-1

Debian Linux Security Advisory 5395-1 - An untrusted search path vulnerability was discovered in Node.js, which could result in unexpected searching or loading ICU data when running with elevated privileges.

Red Hat Security Advisory 2023-2061-01

Red Hat Security Advisory 2023-2061-01 - Multicluster Engine for Kubernetes 2.1.6 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-1887-01

Red Hat Security Advisory 2023-1887-01 - Multicluster Engine for Kubernetes 2.2.3 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-1888-01

Red Hat Security Advisory 2023-1888-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.3 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include denial of service and server-side request forgery vulnerabilities.

RHSA-2023:1888: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.7.3 security fixes and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.7.3 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3841: A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). An attacker could take advantage of this as the console API endpoint is missing an authentication check, allowing unauth...

CVE-2023-21954: Oracle Critical Patch Update Advisory - April 2023

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...

Red Hat Security Advisory 2023-1744-01

Red Hat Security Advisory 2023-1744-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include buffer overflow, bypass, and denial of service vulnerabilities.

Red Hat Security Advisory 2023-1743-01

Red Hat Security Advisory 2023-1743-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include buffer overflow, bypass, and denial of service vulnerabilities.

RHSA-2023:1744: Red Hat Security Advisory: rh-nodejs14-nodejs security, bug fix, and enhancement update

An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4904: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. * CVE-2022-25881: A flaw was found in http-cache-semantics. Whe...

RHSA-2023:1742: Red Hat Security Advisory: nodejs:14 security, bug fix, and enhancement update

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2021-44531: A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry...

RHSA-2023:1743: Red Hat Security Advisory: nodejs:14 security, bug fix, and enhancement update

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability. * CVE-2022-3517: A vulnerability was found in the nodejs-minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) whe...

RHSA-2023:1582: Red Hat Security Advisory: nodejs:16 security, bug fix, and enhancement update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.
  • CVE-2022-4904: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which a...

Red Hat Security Advisory 2023-1533-01

Red Hat Security Advisory 2023-1533-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling, buffer overflow, bypass, and denial of service vulnerabilities.

RHSA-2023:1533: Red Hat Security Advisory: nodejs:14 security, bug fix, and enhancement update

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.
  • CVE-2021-44906: An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to tr...

RHSA-2023:1428: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.8 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.
  • CVE-2022-24999: A flaw was found in the express.js npm package. Express.js Express is vulnerable to a d...

Red Hat Security Advisory 2023-1045-01

Red Hat Security Advisory 2023-1045-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.2 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, cross site scripting, denial of service, deserialization, html injection, memory exhaustion, server-side request forgery, and traversal vulnerabilities.

RHSA-2023:1043: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 7

New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
  • CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
  • CVE-2019-11358: A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modi...

RHSA-2023:0934: Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update

Migration Toolkit for Applications 6.0.1 release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.
  • CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to...

CVE-2023-23920: Thursday February 16 2023 Security Releases | Node.js

An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.

GHSA-5r9g-qh6m-jxff: CRLF Injection in Nodejs ‘undici’ via host

### Impact

undici library does not protect `host` HTTP header from CRLF injection vulnerabilities.

### Patches

This issue was patched in Undici v5.19.1.

### Workarounds

Sanitize the `headers.host` string before passing to undici.

### References

Reported at https://hackerone.com/reports/1820955.

### Credits

Thank you to Zhipeng Zhang ([@timon8](https://hackerone.com/timon8)) for reporting this vulnerability.

GHSA-r6ch-mqf9-qc9w: Regular Expression Denial of Service in Headers

### Impact

The `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function.

### Patches

This vulnerability was patched in v5.19.1.

### Workarounds

There is no workaround. Please update to an unaffected version.

### References

* https://hackerone.com/bugs?report_id=1784449

### Credits

Carter Snook reported this vulnerability.

CVE-2023-24807: Release v5.19.1 · nodejs/undici

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

Red Hat Security Advisory 2023-0634-01

Red Hat Security Advisory 2023-0634-01 - Logging Subsystem 5.6.1 - Red Hat OpenShift. Issues addressed include a denial of service vulnerability.

RHSA-2023:0634: Red Hat Security Advisory: Red Hat OpenShift (Logging Subsystem) security update

Logging Subsystem 5.6.1 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.
  • CVE-2022-46175: A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned f...

RHSA-2023:0612: Red Hat Security Advisory: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update

An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.
  • CVE-2021-44906: An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker t...

GHSA-rc47-6667-2j5j: http-cache-semantics vulnerable to Regular Expression Denial of Service

http-cache-semantics contains an Inefficient Regular Expression Complexity, leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

CVE-2022-25881: Snyk Vulnerability Database | Snyk

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

CVE-2021-35065: fix: Resolve ReDoS vulnerability from CVE-2021-35065 (#49) · gulpjs/glob-parent@3e9f04a

The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.

GHSA-cj88-88mr-972w: glob-parent before 6.0.1 vulnerable to Regular Expression Denial of Service (ReDoS)

glob-parent before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).