openSUSE-SU-2020:0293

RHSA-2020:0573

RHSA-2020:0579

RHSA-2020:0597

RHSA-2020:0598

RHSA-2020:0602

https://hackerone.com/reports/746733

https://nodejs.org/en/blog/release/v10.19.0/

https://nodejs.org/en/blog/release/v12.15.0/

https://nodejs.org/en/blog/release/v13.8.0/

https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/

GLSA-202003-48

https://security.netapp.com/advisory/ntap-20200221-0004/

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-0598 advisory.

  - Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a     crafted X.509 certificate (CVE-2019-15604)

  - HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding     is malformed (CVE-2019-15605)

  - Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of     authorization based on header value comparisons (CVE-2019-15606)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-0579 advisory.

  - Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a     crafted X.509 certificate (CVE-2019-15604)

  - HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding     is malformed (CVE-2019-15605)

  - Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of     authorization based on header value comparisons (CVE-2019-15606)

  - Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for     packages to create symlinks to files outside of thenode_modules folder through the bin field upon     installation. A properly constructed entry in the package.json bin field would allow a package publisher     to create a symlink pointing to arbitrary files on a user's system when the package is installed. This     behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-     scripts install option. (CVE-2019-16775)

  - Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent     access to folders outside of the intended node_modules folder through the bin field. A properly     constructed entry in the package.json bin field would allow a package publisher to modify and/or gain     access to arbitrary files on a user's system when the package is installed. This behavior is still     possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install     option. (CVE-2019-16776)

  - Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent     existing globally-installed binaries to be overwritten by other package installations. For example, if a     package was installed globally and created a serve binary, any subsequent installs of packages that also     create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local     installations and also through install scripts. This vulnerability bypasses a user using the --ignore-     scripts install option. (CVE-2019-16777)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Multiple vulnerabilities were discovered in Node.js, which could result in denial of service or HTTP request smuggling.

An update of the nodejs10 package has been released.

The remote host is affected by the vulnerability described in GLSA-202003-48 (Node.js: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Node.js. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly write arbitrary files, cause a Denial       of Service condition or can conduct HTTP request splitting attacks.
  Workaround :

    There is no known workaround at this time.

Node.js reports :

Updates are now available for all active Node.js release lines for the following issues. HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605) Affected Node.js versions can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system.
HTTP header values do not have trailing OWS trimmed (High) (CVE-2019-15606) Optional whitespace should be trimmed from HTTP header values. Its presence may allow attackers to bypass security checks based on HTTP header values. Remotely trigger an assertion on a TLS server with a malformed certificate string (High) (CVE-2019-15604) Connecting to a NodeJS TLS server with a client certificate that has a type 19 string in its subjectAltName will crash the TLS server if it tries to read the peer certificate. Strict HTTP header parsing (None) Increase the strictness of HTTP header parsing. There are no known vulnerabilities addressed, but lax HTTP parsing has historically been a source of problems. Some commonly used sites are known to generate invalid HTTP headers, a --insecure-http-parser CLI option or insecureHTTPParser http option can be used if necessary for interoperability, but is not recommended.

This update for nodejs8 fixes the following issues :

Security issues fixed :

  - CVE-2019-15604: Fixed a remotely triggerable assertion     in the TLS server via a crafted certificate string     (CVE-2019-15604, bsc#1163104).

  - CVE-2019-15605: Fixed an HTTP request smuggling     vulnerability via malformed Transfer-Encoding header     (CVE-2019-15605, bsc#1163102).

  - CVE-2019-15606: Fixed the white space sanitation of HTTP     headers (CVE-2019-15606, bsc#1163103).

This update was imported from the SUSE:SLE-15:Update update project.

This update for nodejs6 fixes the following issues :

Security issues fixed :

CVE-2019-15604: Fixed a remotely triggerable assertion in the TLS server via a crafted certificate string (CVE-2019-15604, bsc#1163104).

CVE-2019-15605: Fixed an HTTP request smuggling vulnerability via malformed Transfer-Encoding header (CVE-2019-15605, bsc#1163102).

CVE-2019-15606: Fixed the white space sanitation of HTTP headers (CVE-2019-15606, bsc#1163103).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for nodejs10 fixes the following issues :

nodejs10 was updated to version 10.19.0.

Security issues fixed :

CVE-2019-15604: Fixed a remotely triggerable assertion in the TLS server via a crafted certificate string (CVE-2019-15604, bsc#1163104).

CVE-2019-15605: Fixed an HTTP request smuggling vulnerability via malformed Transfer-Encoding header (CVE-2019-15605, bsc#1163102).

CVE-2019-15606: Fixed the white space sanitation of HTTP headers (CVE-2019-15606, bsc#1163103).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for nodejs8 fixes the following issues :

Security issues fixed :

CVE-2019-15604: Fixed a remotely triggerable assertion in the TLS server via a crafted certificate string (CVE-2019-15604, bsc#1163104).

CVE-2019-15605: Fixed an HTTP request smuggling vulnerability via malformed Transfer-Encoding header (CVE-2019-15605, bsc#1163102).

CVE-2019-15606: Fixed the white space sanitation of HTTP headers (CVE-2019-15606, bsc#1163103).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:
nodejs (12.16.1).

Security Fix(es) :

* nodejs: HTTP request smuggling using malformed Transfer-Encoding header (CVE-2019-15605)

* nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string (CVE-2019-15604)

* nodejs: HTTP header values do not have trailing optional whitespace trimmed (CVE-2019-15606)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:
nodejs (10.19.0).

Security Fix(es) :

* nodejs: HTTP request smuggling using malformed Transfer-Encoding header (CVE-2019-15605)

* nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string (CVE-2019-15604)

* nodejs: HTTP header values do not have trailing optional whitespace trimmed (CVE-2019-15606)

* npm: Symlink reference outside of node_modules folder through the bin field upon installation (CVE-2019-16775)

* npm: Arbitrary file write via constructed entry in the package.json bin field (CVE-2019-16776)

* npm: Global node_modules Binary Overwrite (CVE-2019-16777)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:
nodejs (10.19.0).

Security Fix(es) :

* nodejs: HTTP request smuggling using malformed Transfer-Encoding header (CVE-2019-15605)

* nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string (CVE-2019-15604)

* nodejs: HTTP header values do not have trailing optional whitespace trimmed (CVE-2019-15606)

* npm: Symlink reference outside of node_modules folder through the bin field upon installation (CVE-2019-16775)

* npm: Arbitrary file write via constructed entry in the package.json bin field (CVE-2019-16776)

* npm: Global node_modules Binary Overwrite (CVE-2019-16777)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

An update of the nodejs package has been released.

This update for nodejs12 fixes the following issues :

nodejs12 was updated to version 12.15.0.

Security issues fixed :

CVE-2019-15604: Fixed a remotely triggerable assertion in the TLS server via a crafted certificate string (CVE-2019-15604, bsc#1163104).

CVE-2019-15605: Fixed an HTTP request smuggling vulnerability via malformed Transfer-Encoding header (CVE-2019-15605, bsc#1163102).

CVE-2019-15606: Fixed the white space sanitation of HTTP headers (CVE-2019-15606, bsc#1163103).

CVE-2019-16775: Fixed an arbitrary file write vulnerability (bsc#1159352).

CVE-2019-16776: Fixed an arbitrary file write vulnerability (bsc#1159352).

CVE-2019-16777: Fixed an arbitrary file write vulnerability (bsc#1159352).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
140036	Oracle Linux 8 : nodejs:12 (ELSA-2020-0598)	Nessus	Oracle Linux Local Security Checks	high
140035	Oracle Linux 8 : nodejs:10 (ELSA-2020-0579)	Nessus	Oracle Linux Local Security Checks	high
136126	Debian DSA-4669-1 : nodejs - security update (Data Dribble) (Reset Flood) (Resource Loop)	Nessus	Debian Local Security Checks	high
136036	Photon OS 1.0: Nodejs10 PHSA-2020-1.0-0289	Nessus	PhotonOS Local Security Checks	high
134776	GLSA-202003-48 : Node.js: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
134356	FreeBSD : Node.js -- multiple vulnerabilities (0032400f-624f-11ea-b495-000d3ab229d6)	Nessus	FreeBSD Local Security Checks	high
134281	openSUSE Security Update : nodejs8 (openSUSE-2020-293)	Nessus	SuSE Local Security Checks	high
134100	SUSE SLES12 Security Update : nodejs6 (SUSE-SU-2020:0488-1)	Nessus	SuSE Local Security Checks	high
134075	SUSE SLES15 Security Update : nodejs10 (SUSE-SU-2020:0455-1)	Nessus	SuSE Local Security Checks	high
134074	SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2020:0454-1)	Nessus	SuSE Local Security Checks	high
134068	RHEL 8 : nodejs:12 (RHSA-2020:0598)	Nessus	Red Hat Local Security Checks	high
134062	RHEL 8 : nodejs:10 (RHSA-2020:0579)	Nessus	Red Hat Local Security Checks	high
134028	RHEL 8 : nodejs:10 (RHSA-2020:0573)	Nessus	Red Hat Local Security Checks	high
133956	Photon OS 3.0: Nodejs PHSA-2020-3.0-0060	Nessus	PhotonOS Local Security Checks	high
133947	SUSE SLES12 Security Update : nodejs12 (SUSE-SU-2020:0429-1)	Nessus	SuSE Local Security Checks	high
133946	SUSE SLES12 Security Update : nodejs10 (SUSE-SU-2020:0427-1)	Nessus	SuSE Local Security Checks	high

CVE-2019-15604

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins