This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2022:0014 advisory.

    Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

    CVE-2020-28469:
    This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator.

    CVE-2020-7788:
    This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context.

    CVE-2021-22959:
    The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.

    CVE-2021-22960:
    The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

    CVE-2021-33502:
    The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.

    CVE-2021-37701:
    The npm package tar (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     the same name as the directory, where the symlink and directory names in the archive entry used     backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/`     characters as path separators, however `\` is a valid filename character on posix systems. By first     creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass     node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an     arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary     file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive     filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`,     then on case-insensitive file systems, the creation of the symbolic link would remove the directory from     the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A     subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link,     thinking that the directory had already been created. These issues were addressed in releases 4.4.16,     5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these     issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar.
    If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.

    CVE-2021-37712:
    The npm package tar (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     names containing unicode values that normalized to the same value. Additionally, on Windows systems, long     path portions would resolve to the same file system entities as their 8.3 short path counterparts. A     specially crafted tar archive could thus include a directory with one form of the path, followed by a     symbolic link with a different string that resolves to the same file system entity, followed by a file     using the first form. By first creating a directory, and then replacing that directory with a symlink that     had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to     bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into     an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing     arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9.
    The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are     still using a v3 release we recommend you update to a more recent version of node-tar. If this is not     possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.

    CVE-2021-3807:
    ansi-regex is vulnerable to Inefficient Regular Expression Complexity

    CVE-2021-3918:
    json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution')

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2022:0014 advisory.

    Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

    CVE-2020-28469:
    This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator.

    CVE-2020-7788:
    This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context.

    CVE-2021-22959:
    The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.

    CVE-2021-22960:
    The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

    CVE-2021-33502:
    The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.

    CVE-2021-37701:
    The npm package tar (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     the same name as the directory, where the symlink and directory names in the archive entry used     backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/`     characters as path separators, however `\` is a valid filename character on posix systems. By first     creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass     node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an     arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary     file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive     filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`,     then on case-insensitive file systems, the creation of the symbolic link would remove the directory from     the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A     subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link,     thinking that the directory had already been created. These issues were addressed in releases 4.4.16,     5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these     issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar.
    If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.

    CVE-2021-37712:
    The npm package tar (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     names containing unicode values that normalized to the same value. Additionally, on Windows systems, long     path portions would resolve to the same file system entities as their 8.3 short path counterparts. A     specially crafted tar archive could thus include a directory with one form of the path, followed by a     symbolic link with a different string that resolves to the same file system entity, followed by a file     using the first form. By first creating a directory, and then replacing that directory with a symlink that     had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to     bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into     an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing     arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9.
    The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are     still using a v3 release we recommend you update to a more recent version of node-tar. If this is not     possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.

    CVE-2021-3807:
    ansi-regex is vulnerable to Inefficient Regular Expression Complexity

    CVE-2021-3918:
    json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution')

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0808 advisory.

  - The go command may execute arbitrary code at build time when using cgo. This may occur when running go     get on a malicious module, or when running any other command which builds untrusted code. This is can by     triggered by linker flags, specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are     mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in     the argument of another flag. This only affects usage of the gccgo compiler. (CVE-2023-29405)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

  - Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the     name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. (CVE-2022-37601)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0613 advisory.

  - A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as     @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states we are in     the process of marking this report as invalid; however, some third parties takes the position that A     prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge     or deep cloning but also when a target object is polluted. (CVE-2022-37616)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the     XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to     access an array at a negative 2GB offset, typically leading to a segmentation fault. (CVE-2022-40303)

  - An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a     hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be     provoked. (CVE-2022-40304)

  - There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName.
    X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME     incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently     interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL     checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may     allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or     enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate     chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these     inputs, the other input must already contain an X.400 address as a CRL distribution point, which is     uncommon. As such, this vulnerability is most likely to only affect applications which have implemented     their own functionality for retrieving CRLs over a network. (CVE-2023-0286)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the nodejs-nodemon-2.0.19-1.el9 build changelog.

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:0350 advisory.

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - The npm package tar (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     the same name as the directory, where the symlink and directory names in the archive entry used     backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/`     characters as path separators, however `\` is a valid filename character on posix systems. By first     creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass     node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an     arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary     file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive     filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`,     then on case-insensitive file systems, the creation of the symbolic link would remove the directory from     the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A     subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link,     thinking that the directory had already been created. These issues were addressed in releases 4.4.16,     5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these     issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar.
    If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc. (CVE-2021-37701)

  - The npm package tar (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     names containing unicode values that normalized to the same value. Additionally, on Windows systems, long     path portions would resolve to the same file system entities as their 8.3 short path counterparts. A     specially crafted tar archive could thus include a directory with one form of the path, followed by a     symbolic link with a different string that resolves to the same file system entity, followed by a file     using the first form. By first creating a directory, and then replacing that directory with a symlink that     had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to     bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into     an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing     arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9.
    The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are     still using a v3 release we recommend you update to a more recent version of node-tar. If this is not     possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p. (CVE-2021-37712)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution') (CVE-2021-3918)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2021:5171 advisory.

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution') (CVE-2021-3918)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RLSA-2022:6595 advisory.

  - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or     with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm     publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published     files into the npm registry they did not intend to include. Users should upgrade to the latest, patched     version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0     include the patched v8.11.0 version of npm. (CVE-2022-29244)

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:6595 advisory.

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or     with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm     publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published     files into the npm registry they did not intend to include. Users should upgrade to the latest, patched     version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0     include the patched v8.11.0 version of npm. (CVE-2022-29244)

  - A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an     insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check     if an IP address is invalid before making DBS requests allowing rebinding attacks. (CVE-2022-32212)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse     and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). (CVE-2022-32213)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use     the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
    (CVE-2022-32214)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly     handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
    (CVE-2022-32215)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-6595 advisory.

    - Rebase to version 16.16.0       Resolves: RHBZ#2106290       Resolves: CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6595 advisory.

    Node.js is a software development platform for building fast and scalable network applications in the     JavaScript programming language.

    The following packages have been upgraded to a later upstream version: nodejs (16.16.0), nodejs-nodemon     (2.0.19). (BZ#2124230, BZ#2124233)

    Security Fix(es):

    * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes     (CVE-2021-3807)

    * normalize-url: ReDoS for data URLs (CVE-2021-33502)

    * nodejs: npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a     workspace (CVE-2022-29244)

    * nodejs: DNS rebinding in --inspect via invalid IP addresses (CVE-2022-32212)

    * nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding (CVE-2022-32213)

    * nodejs: HTTP request smuggling due to improper delimiting of header fields (CVE-2022-32214)

    * nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding (CVE-2022-32215)

    * got: missing verification of requested URLs allows redirects to UNIX sockets (CVE-2022-33987)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * nodejs:16/nodejs: Rebase to the latest Nodejs 16 release [rhel-9] (BZ#2121019)

    * nodejs: Specify --with-default-icu-data-dir when using bootstrap build (BZ#2124299)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of IBM Cognos Analytics installed on the remote host is affected by multiple vulnerabilities, including the following:

  - The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template     injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and     overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template     compilation). (CVE-2022-29078)

  - The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address     string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control     that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.
    (CVE-2021-29418)

  - Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated     remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A     remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical     VPN or LAN hosts. (CVE-2021-28918)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2021:5171 advisory.

    * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

    * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes     (CVE-2021-3807)

    * normalize-url: ReDoS for data URLs (CVE-2021-33502)

    * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

    * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:0350 advisory.

    * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

    * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes     (CVE-2021-3807)

    * normalize-url: ReDoS for data URLs (CVE-2021-33502)

    * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links     allowing arbitrary file creation and overwrite (CVE-2021-37701)

    * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links     allowing arbitrary file creation and overwrite (CVE-2021-37712)

    * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

    * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-0350 advisory.

    nodejs     [1:14.18.2-2]
    - Add missing fixes
    - Resolves: RHBZ#2027642, RHBZ#2027635

    [1:14.18.2-1]
    - Resolves: RHBZ#2027609
    - Resolves: RHBZ#2027649, RHBZ#2027646, RHBZ#2027642, RHBZ#2027635
    - Rebase to new version to fix CVEs

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2022:0350 advisory.

  - nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  - nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

  - llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

  - llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

  - normalize-url: ReDoS for data URLs (CVE-2021-33502)

  - nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing     arbitrary file creation and overwrite (CVE-2021-37701, CVE-2021-37712)

  - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  - nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:0350 advisory.

    Node.js is a software development platform for building fast and scalable network applications in the     JavaScript programming language.

    The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon     (2.0.15). (BZ#2027609)

    Security Fix(es):

    * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

    * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes     (CVE-2021-3807)

    * normalize-url: ReDoS for data URLs (CVE-2021-33502)

    * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links     allowing arbitrary file creation and overwrite (CVE-2021-37701)

    * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links     allowing arbitrary file creation and overwrite (CVE-2021-37712)

    * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

    * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:0246 advisory.

    Node.js is a software development platform for building fast and scalable network applications in the     JavaScript programming language.

    The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon     (2.0.15). (BZ#2027608)

    Security Fix(es):

    * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

    * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes     (CVE-2021-3807)

    * normalize-url: ReDoS for data URLs (CVE-2021-33502)

    * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links     allowing arbitrary file creation and overwrite (CVE-2021-37701)

    * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links     allowing arbitrary file creation and overwrite (CVE-2021-37712)

    * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

    * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:5171 advisory.

    Node.js is a software development platform for building fast and scalable network applications in the     JavaScript programming language.

    The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon     (2.0.15). (BZ#2027610)

    Security Fix(es):

    * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

    * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes     (CVE-2021-3807)

    * normalize-url: ReDoS for data URLs (CVE-2021-33502)

    * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

    * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2021:5171 advisory.

  - nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  - nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

  - llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

  - llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

  - normalize-url: ReDoS for data URLs (CVE-2021-33502)

  - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  - nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-5171 advisory.

    - Resolves CVE-2020-28469

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:4626 advisory.

    The ovirt-engine package provides the manager for virtualization     environments.
    This manager enables admins to define hosts and networks, as well as to add     storage, create VMs and manage user permissions.

    A list of bugs fixed in this update is available in the Technical Notes     book:

    https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

    Security Fix(es):

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * nodejs-ua-parser-js: Regular expression denial of service via the regex (CVE-2020-7733)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3280 advisory.

    Node.js is a software development platform for building fast and scalable network applications in the     JavaScript programming language.

    The following packages have been upgraded to a later upstream version: rh-nodejs14-nodejs (14.17.5).

    Security Fix(es):

    * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930)

    * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940)

    * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672)

    * nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931)

    * nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite     (CVE-2021-32803)

    * nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite     (CVE-2021-32804)

    * nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939)

    * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3281 advisory.

    Node.js is a software development platform for building fast and scalable network applications in the     JavaScript programming language.

    The following packages have been upgraded to a later upstream version: rh-nodejs12-nodejs (12.22.5).

    Security Fix(es):

    * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930)

    * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940)

    * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672)

    * nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931)

    * nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite     (CVE-2021-32803)

    * nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite     (CVE-2021-32804)

    * nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939)

    * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:2865 advisory.

    The ovirt-engine package provides the manager for virtualization environments.
    This manager enables admins to define hosts and networks, as well as to add     storage, create VMs and manage user permissions.

    Security Fix(es):

    * nodejs-underscore: Arbitrary code execution via the template function (CVE-2021-23358)

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * nodejs-ua-parser-js: Regular expression denial of service via the regex (CVE-2020-7733)

    * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * Foreman integration, which allows you to provision bare metal hosts from the Administration Portal     using Foreman and then added to the Manager, was deprecated in oVirt 4.4.6 / RHV 4.4.6 and removed     completely in oVirt 4.4.7 / RHV 4.4.7.

    Similar functionality to provision bare metal hosts can be achieved using Foreman directly and adding an     already provisioned host using the Administration Portal or the REST API. (BZ#1901011)

    * Adding a message banner to the web administration welcome page is straight forward using custom branding     that only contains a preamble section.
    An example of preamble branding is given here: https://bugzilla.redhat.com/attachment.cgi?id=1783329.

    In an engine upgrade, the custom preamble brand remains in place and will work without issue.

    During engine backup and subsequent restore, on engine restore the custom preamble branding needs to be     manually restored/reinstalled and verified. (BZ#1804774)

    * The column name threads_per_core in the Red hat Virtualization manager Dashboard is being deprecated,     and will be removed in a future release.
    In version 4.4.7.2 the column name for threads_per_core will be changed to number_of_threads.
    In the Data Warehouse, the old name will be retained as an additional alias, resulting in 2 columns     providing the same data: number_of_threads and threads_per_core, and threads_per_core will be removed in a     future version. (BZ#1896359)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
239656	TencentOS Server 3: nodejs (TSSA-2022:0014)	Nessus	Tencent Local Security Checks	critical
236651	Alibaba Cloud Linux 3 : 0014: nodejs:14 (ALINUX3-SA-2022:0014)	Nessus	Alibaba Cloud Linux Local Security Checks	critical
223472	Linux Distros Unpatched Vulnerability : CVE-2020-28469	Nessus	Misc.	high
194928	Splunk Enterprise 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0808)	Nessus	CGI abuses	critical
194919	Splunk Enterprise < 8.1.14, 8.2.0 < 8.2.11, 9.0.0 < 9.0.5 (SVD-2023-0613)	Nessus	CGI abuses	critical
191419	CentOS 9 : nodejs-nodemon-2.0.19-1.el9	Nessus	CentOS Local Security Checks	medium
185008	Rocky Linux 8 : nodejs:14 (RLSA-2022:0350)	Nessus	Rocky Linux Local Security Checks	critical
184727	Rocky Linux 8 : nodejs:16 (RLSA-2021:5171)	Nessus	Rocky Linux Local Security Checks	critical
171017	Rocky Linux 9 : nodejs and nodejs-nodemon (RLSA-2022:6595)	Nessus	Rocky Linux Local Security Checks	critical
166249	AlmaLinux 9 : nodejs and nodejs-nodemon (ALSA-2022:6595)	Nessus	Alma Linux Local Security Checks	critical
165309	Oracle Linux 9 : nodejs / and / nodejs-nodemon (ELSA-2022-6595)	Nessus	Oracle Linux Local Security Checks	critical
165270	RHEL 9 : nodejs and nodejs-nodemon (RHSA-2022:6595)	Nessus	Red Hat Local Security Checks	critical
164652	IBM Cognos Analytics Multiple Vulnerabilities (6616285)	Nessus	CGI abuses	critical
158872	AlmaLinux 8 : nodejs:16 (ALSA-2021:5171)	Nessus	Alma Linux Local Security Checks	critical
158862	AlmaLinux 8 : nodejs:14 (ALSA-2022:0350)	Nessus	Alma Linux Local Security Checks	critical
157333	Oracle Linux 8 : nodejs:14 (ELSA-2022-0350)	Nessus	Oracle Linux Local Security Checks	critical
157330	CentOS 8 : nodejs:14 (CESA-2022:0350)	Nessus	CentOS Local Security Checks	critical
157311	RHEL 8 : nodejs:14 (RHSA-2022:0350)	Nessus	Red Hat Local Security Checks	critical
157089	RHEL 8 : nodejs:14 (RHSA-2022:0246)	Nessus	Red Hat Local Security Checks	critical
156129	RHEL 8 : nodejs:16 (RHSA-2021:5171)	Nessus	Red Hat Local Security Checks	critical
156125	CentOS 8 : nodejs:16 (CESA-2021:5171)	Nessus	CentOS Local Security Checks	critical
156123	Oracle Linux 8 : nodejs:16 (ELSA-2021-5171)	Nessus	Oracle Linux Local Security Checks	critical
155612	RHEL 8 : RHV Manager (ovirt-engine) security update [ovirt-4.4.9] (Moderate) (RHSA-2021:4626)	Nessus	Red Hat Local Security Checks	high
152863	RHEL 7 : rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2021:3280)	Nessus	Red Hat Local Security Checks	critical
152862	RHEL 7 : rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon (RHSA-2021:3281)	Nessus	Red Hat Local Security Checks	critical
152005	RHEL 8 : RHV Manager (ovirt-engine) security update [ovirt-4.4.7] (Moderate) (RHSA-2021:2865)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2020-28469

high

Tenable Plugins

critical

critical

high

critical

critical

medium

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

high

critical

critical

high