openSUSE-SU-2020:0059

RHEA-2020:0330

RHSA-2020:0573

RHSA-2020:0579

RHSA-2020:0597

RHSA-2020:0602

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr

FEDORA-2020-595ce5e3cc

GLSA-202003-48

https://www.oracle.com/security-alerts/cpujan2020.html

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:0579 advisory.

  - nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string (CVE-2019-15604)

  - nodejs: HTTP request smuggling using malformed Transfer-Encoding header (CVE-2019-15605)

  - nodejs: HTTP header values do not have trailing optional whitespace trimmed (CVE-2019-15606)

  - npm: Symlink reference outside of node_modules folder through the bin field upon installation     (CVE-2019-16775)

  - npm: Arbitrary file write via constructed entry in the package.json bin field (CVE-2019-16776)

  - npm: Global node_modules Binary Overwrite (CVE-2019-16777)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-0579 advisory.

  - Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a     crafted X.509 certificate (CVE-2019-15604)

  - HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding     is malformed (CVE-2019-15605)

  - Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of     authorization based on header value comparisons (CVE-2019-15606)

  - Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for     packages to create symlinks to files outside of thenode_modules folder through the bin field upon     installation. A properly constructed entry in the package.json bin field would allow a package publisher     to create a symlink pointing to arbitrary files on a user's system when the package is installed. This     behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-     scripts install option. (CVE-2019-16775)

  - Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent     access to folders outside of the intended node_modules folder through the bin field. A properly     constructed entry in the package.json bin field would allow a package publisher to modify and/or gain     access to arbitrary files on a user's system when the package is installed. This behavior is still     possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install     option. (CVE-2019-16776)

  - Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent     existing globally-installed binaries to be overwritten by other package installations. For example, if a     package was installed globally and created a serve binary, any subsequent installs of packages that also     create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local     installations and also through install scripts. This vulnerability bypasses a user using the --ignore-     scripts install option. (CVE-2019-16777)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

NPM reports :

Global node_modules Binary Overwrite

Symlink reference outside of node_modules

Arbitrary File Write

The remote host is affected by the vulnerability described in GLSA-202003-48 (Node.js: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Node.js. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly write arbitrary files, cause a Denial       of Service condition or can conduct HTTP request splitting attacks.
  Workaround :

    There is no known workaround at this time.

An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:
nodejs (10.19.0).

Security Fix(es) :

* nodejs: HTTP request smuggling using malformed Transfer-Encoding header (CVE-2019-15605)

* nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string (CVE-2019-15604)

* nodejs: HTTP header values do not have trailing optional whitespace trimmed (CVE-2019-15606)

* npm: Symlink reference outside of node_modules folder through the bin field upon installation (CVE-2019-16775)

* npm: Arbitrary file write via constructed entry in the package.json bin field (CVE-2019-16776)

* npm: Global node_modules Binary Overwrite (CVE-2019-16777)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:
nodejs (10.19.0).

Security Fix(es) :

* nodejs: HTTP request smuggling using malformed Transfer-Encoding header (CVE-2019-15605)

* nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string (CVE-2019-15604)

* nodejs: HTTP header values do not have trailing optional whitespace trimmed (CVE-2019-15606)

* npm: Symlink reference outside of node_modules folder through the bin field upon installation (CVE-2019-16775)

* npm: Arbitrary file write via constructed entry in the package.json bin field (CVE-2019-16776)

* npm: Global node_modules Binary Overwrite (CVE-2019-16777)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This update for nodejs12 fixes the following issues :

nodejs12 was updated to version 12.15.0.

Security issues fixed :

CVE-2019-15604: Fixed a remotely triggerable assertion in the TLS server via a crafted certificate string (CVE-2019-15604, bsc#1163104).

CVE-2019-15605: Fixed an HTTP request smuggling vulnerability via malformed Transfer-Encoding header (CVE-2019-15605, bsc#1163102).

CVE-2019-15606: Fixed the white space sanitation of HTTP headers (CVE-2019-15606, bsc#1163103).

CVE-2019-16775: Fixed an arbitrary file write vulnerability (bsc#1159352).

CVE-2019-16776: Fixed an arbitrary file write vulnerability (bsc#1159352).

CVE-2019-16777: Fixed an arbitrary file write vulnerability (bsc#1159352).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for nodejs6 to version 6.17.1 fixes the following issues :

Security issues fixed :

CVE-2019-16777, CVE-2019-16776, CVE-2019-16775: Updated npm to 6.13.4, fixing an arbitrary path overwrite and access via 'bin' field (bsc#1159352).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to 12.14.1

Add new subpackage `nodejs-full-i18n` to provide non-English locale and Unicode support.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for nodejs10 to version 10.18.0 fixes the following issues :

Security issues fixed :

CVE-2019-16777, CVE-2019-16776, CVE-2019-16775: Updated npm to 6.13.4, fixing an arbitrary path overwrite and access via 'bin' field (bsc#1159352).

Added support for chacha20-poly1305 for Authenticated encryption (AEAD).

Non-security issues fixed :

Fixed wrong path in gypi files (bsc#1159812).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for nodejs8 to version 8.17.0 fixes the following issues :

Security issues fixed :

  - CVE-2019-16777, CVE-2019-16776, CVE-2019-16775: Updated     npm to 6.13.4, fixing an arbitrary path overwrite and     access via 'bin' field (bsc#1159352).

This update was imported from the SUSE:SLE-15:Update update project.

This update for nodejs10 to version 10.18.0 fixes the following issues :

Security issues fixed :

CVE-2019-16777, CVE-2019-16776, CVE-2019-16775: Updated npm to 6.13.4, fixing an arbitrary path overwrite and access via 'bin' field (bsc#1159352).

Added support for chacha20-poly1305 for Authenticated encryption (AEAD).

Non-security issues fixed: Fix wrong path in gypi files (bsc#1159812)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for nodejs8 to version 8.17.0 fixes the following issues :

Security issues fixed :

CVE-2019-16777, CVE-2019-16776, CVE-2019-16775: Updated npm to 6.13.4, fixing an arbitrary path overwrite and access via 'bin' field (bsc#1159352).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
145979	CentOS 8 : nodejs:10 (CESA-2020:0579)	Nessus	CentOS Local Security Checks	high
140035	Oracle Linux 8 : nodejs:10 (ELSA-2020-0579)	Nessus	Oracle Linux Local Security Checks	high
137343	FreeBSD : NPM -- Multiple vulnerabilities (2a3588b4-ab12-11ea-a051-001b217b3468)	Nessus	FreeBSD Local Security Checks	medium
134776	GLSA-202003-48 : Node.js: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
134062	RHEL 8 : nodejs:10 (RHSA-2020:0579)	Nessus	Red Hat Local Security Checks	high
134028	RHEL 8 : nodejs:10 (RHSA-2020:0573)	Nessus	Red Hat Local Security Checks	high
133947	SUSE SLES12 Security Update : nodejs12 (SUSE-SU-2020:0429-1)	Nessus	SuSE Local Security Checks	high
133348	SUSE SLES12 Security Update : nodejs6 (SUSE-SU-2020:0247-1)	Nessus	SuSE Local Security Checks	medium
133233	Fedora 31 : 1:libuv / 1:nodejs (2020-595ce5e3cc)	Nessus	Fedora Local Security Checks	medium
132952	SUSE SLES15 Security Update : nodejs10 (SUSE-SU-2020:0104-1)	Nessus	SuSE Local Security Checks	medium
132920	openSUSE Security Update : nodejs8 (openSUSE-2020-59)	Nessus	SuSE Local Security Checks	medium
132850	SUSE SLES12 Security Update : nodejs10 (SUSE-SU-2020:0063-1)	Nessus	SuSE Local Security Checks	medium
132744	SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2020:0043-1)	Nessus	SuSE Local Security Checks	medium

CVE-2019-16777

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Configuration 5

Tenable Plugins

high

high

medium

high

high

high

high

medium

medium

medium

medium

medium

medium