https://github.com/yargs/y18n/issues/96

https://github.com/yargs/y18n/pull/108

https://snyk.io/vuln/SNYK-JS-Y18N-1021887

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306

https://www.oracle.com/security-alerts/cpuApr2021.html

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1059-1 advisory.

  - This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')();
    y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true     (CVE-2020-7774)

  - Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is     used to convert strings to ASCII. The pointer p is read and increased without checking whether it is     beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information     disclosures or crashes. This function can be triggered via uv_getaddrinfo(). (CVE-2021-22918)

  - The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS)     via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression     exhibits polynomial worst-case time complexity. (CVE-2021-23362)

  - ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a     denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of     service. This issue only affects consumers using the strict option. (CVE-2021-27290)

  - An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a     client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was     present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL     pointer dereference will result, leading to a crash and a denial of service attack. A server is only     vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS     clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of     these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in     OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). (CVE-2021-3449)

  - The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a     certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow     certificates in the chain that have explicitly encoded elliptic curve parameters was added as an     additional strict check. An error in the implementation of this check meant that the result of a previous     check to confirm that certificates in the chain are valid CA certificates was overwritten. This     effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a     purpose has been configured then there is a subsequent opportunity for checks that the certificate is a     valid CA. All of the named purpose values implemented in libcrypto perform this check. Therefore, where     a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A     purpose is set by default in libssl client and server certificate verification routines, but it can be     overridden or removed by an application. In order to be affected, an application must explicitly set the     X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification     or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions     1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k.
    OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).
    (CVE-2021-3450)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1061-1 advisory.

  - This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')();
    y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true     (CVE-2020-7774)

  - Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is     used to convert strings to ASCII. The pointer p is read and increased without checking whether it is     beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information     disclosures or crashes. This function can be triggered via uv_getaddrinfo(). (CVE-2021-22918)

  - The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS)     via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression     exhibits polynomial worst-case time complexity. (CVE-2021-23362)

  - ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a     denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of     service. This issue only affects consumers using the strict option. (CVE-2021-27290)

  - An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a     client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was     present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL     pointer dereference will result, leading to a crash and a denial of service attack. A server is only     vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS     clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of     these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in     OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). (CVE-2021-3449)

  - The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a     certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow     certificates in the chain that have explicitly encoded elliptic curve parameters was added as an     additional strict check. An error in the implementation of this check meant that the result of a previous     check to confirm that certificates in the chain are valid CA certificates was overwritten. This     effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a     purpose has been configured then there is a subsequent opportunity for checks that the certificate is a     valid CA. All of the named purpose values implemented in libcrypto perform this check. Therefore, where     a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A     purpose is set by default in libssl client and server certificate verification routines, but it can be     overridden or removed by an application. In order to be affected, an application must explicitly set the     X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification     or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions     1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k.
    OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).
    (CVE-2021-3450)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1060-1 advisory.

  - This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')();
    y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true     (CVE-2020-7774)

  - Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is     used to convert strings to ASCII. The pointer p is read and increased without checking whether it is     beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information     disclosures or crashes. This function can be triggered via uv_getaddrinfo(). (CVE-2021-22918)

  - The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS)     via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression     exhibits polynomial worst-case time complexity. (CVE-2021-23362)

  - ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a     denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of     service. This issue only affects consumers using the strict option. (CVE-2021-27290)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2354-1 advisory.

  - This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')();
    y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true     (CVE-2020-7774)

  - Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is     used to convert strings to ASCII. The pointer p is read and increased without checking whether it is     beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information     disclosures or crashes. This function can be triggered via uv_getaddrinfo(). (CVE-2021-22918)

  - The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS)     via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression     exhibits polynomial worst-case time complexity. (CVE-2021-23362)

  - ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a     denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of     service. This issue only affects consumers using the strict option. (CVE-2021-27290)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2353-1 advisory.

  - This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')();
    y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true     (CVE-2020-7774)

  - Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is     used to convert strings to ASCII. The pointer p is read and increased without checking whether it is     beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information     disclosures or crashes. This function can be triggered via uv_getaddrinfo(). (CVE-2021-22918)

  - The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS)     via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression     exhibits polynomial worst-case time complexity. (CVE-2021-23362)

  - ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a     denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of     service. This issue only affects consumers using the strict option. (CVE-2021-27290)

  - An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a     client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was     present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL     pointer dereference will result, leading to a crash and a denial of service attack. A server is only     vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS     clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of     these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in     OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). (CVE-2021-3449)

  - The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a     certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow     certificates in the chain that have explicitly encoded elliptic curve parameters was added as an     additional strict check. An error in the implementation of this check meant that the result of a previous     check to confirm that certificates in the chain are valid CA certificates was overwritten. This     effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a     purpose has been configured then there is a subsequent opportunity for checks that the certificate is a     valid CA. All of the named purpose values implemented in libcrypto perform this check. Therefore, where     a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A     purpose is set by default in libssl client and server certificate verification routines, but it can be     overridden or removed by an application. In order to be affected, an application must explicitly set the     X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification     or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions     1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k.
    OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).
    (CVE-2021-3450)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:2354-1 advisory.

  - This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')();
    y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true     (CVE-2020-7774)

  - Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is     used to convert strings to ASCII. The pointer p is read and increased without checking whether it is     beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information     disclosures or crashes. This function can be triggered via uv_getaddrinfo(). (CVE-2021-22918)

  - The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS)     via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression     exhibits polynomial worst-case time complexity. (CVE-2021-23362)

  - ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a     denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of     service. This issue only affects consumers using the strict option. (CVE-2021-27290)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:2327-1 advisory.

  - This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')();
    y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true     (CVE-2020-7774)

  - Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is     used to convert strings to ASCII. The pointer p is read and increased without checking whether it is     beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information     disclosures or crashes. This function can be triggered via uv_getaddrinfo(). (CVE-2021-22918)

  - The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS)     via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression     exhibits polynomial worst-case time complexity. (CVE-2021-23362)

  - ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a     denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of     service. This issue only affects consumers using the strict option. (CVE-2021-27290)

  - An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a     client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was     present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL     pointer dereference will result, leading to a crash and a denial of service attack. A server is only     vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS     clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of     these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in     OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). (CVE-2021-3449)

  - The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a     certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow     certificates in the chain that have explicitly encoded elliptic curve parameters was added as an     additional strict check. An error in the implementation of this check meant that the result of a previous     check to confirm that certificates in the chain are valid CA certificates was overwritten. This     effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a     purpose has been configured then there is a subsequent opportunity for checks that the certificate is a     valid CA. All of the named purpose values implemented in libcrypto perform this check. Therefore, where     a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A     purpose is set by default in libssl client and server certificate verification routines, but it can be     overridden or removed by an application. In order to be affected, an application must explicitly set the     X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification     or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions     1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k.
    OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).
    (CVE-2021-3450)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:2353-1 advisory.

  - This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')();
    y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true     (CVE-2020-7774)

  - Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is     used to convert strings to ASCII. The pointer p is read and increased without checking whether it is     beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information     disclosures or crashes. This function can be triggered via uv_getaddrinfo(). (CVE-2021-22918)

  - The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS)     via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression     exhibits polynomial worst-case time complexity. (CVE-2021-23362)

  - ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a     denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of     service. This issue only affects consumers using the strict option. (CVE-2021-27290)

  - An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a     client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was     present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL     pointer dereference will result, leading to a crash and a denial of service attack. A server is only     vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS     clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of     these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in     OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). (CVE-2021-3449)

  - The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a     certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow     certificates in the chain that have explicitly encoded elliptic curve parameters was added as an     additional strict check. An error in the implementation of this check meant that the result of a previous     check to confirm that certificates in the chain are valid CA certificates was overwritten. This     effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a     purpose has been configured then there is a subsequent opportunity for checks that the certificate is a     valid CA. All of the named purpose values implemented in libcrypto perform this check. Therefore, where     a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A     purpose is set by default in libssl client and server certificate verification routines, but it can be     overridden or removed by an application. In order to be affected, an application must explicitly set the     X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification     or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions     1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k.
    OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).
    (CVE-2021-3450)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2323-1 advisory.

  - This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')();
    y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true     (CVE-2020-7774)

  - Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is     used to convert strings to ASCII. The pointer p is read and increased without checking whether it is     beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information     disclosures or crashes. This function can be triggered via uv_getaddrinfo(). (CVE-2021-22918)

  - The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS)     via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression     exhibits polynomial worst-case time complexity. (CVE-2021-23362)

  - ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a     denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of     service. This issue only affects consumers using the strict option. (CVE-2021-27290)

  - An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a     client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was     present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL     pointer dereference will result, leading to a crash and a denial of service attack. A server is only     vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS     clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of     these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in     OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). (CVE-2021-3449)

  - The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a     certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow     certificates in the chain that have explicitly encoded elliptic curve parameters was added as an     additional strict check. An error in the implementation of this check meant that the result of a previous     check to confirm that certificates in the chain are valid CA certificates was overwritten. This     effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a     purpose has been configured then there is a subsequent opportunity for checks that the certificate is a     valid CA. All of the named purpose values implemented in libcrypto perform this check. Therefore, where     a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A     purpose is set by default in libssl client and server certificate verification routines, but it can be     overridden or removed by an application. In order to be affected, an application must explicitly set the     X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification     or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions     1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k.
    OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).
    (CVE-2021-3450)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2327-1 advisory.

  - This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')();
    y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true     (CVE-2020-7774)

  - Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is     used to convert strings to ASCII. The pointer p is read and increased without checking whether it is     beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information     disclosures or crashes. This function can be triggered via uv_getaddrinfo(). (CVE-2021-22918)

  - The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS)     via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression     exhibits polynomial worst-case time complexity. (CVE-2021-23362)

  - ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a     denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of     service. This issue only affects consumers using the strict option. (CVE-2021-27290)

  - An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a     client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was     present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL     pointer dereference will result, leading to a crash and a denial of service attack. A server is only     vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS     clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of     these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in     OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). (CVE-2021-3449)

  - The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a     certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow     certificates in the chain that have explicitly encoded elliptic curve parameters was added as an     additional strict check. An error in the implementation of this check meant that the result of a previous     check to confirm that certificates in the chain are valid CA certificates was overwritten. This     effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a     purpose has been configured then there is a subsequent opportunity for checks that the certificate is a     valid CA. All of the named purpose values implemented in libcrypto perform this check. Therefore, where     a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A     purpose is set by default in libssl client and server certificate verification routines, but it can be     overridden or removed by an application. In order to be affected, an application must explicitly set the     X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification     or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions     1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k.
    OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).
    (CVE-2021-3450)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2319-1 advisory.

  - This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')();
    y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true     (CVE-2020-7774)

  - Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is     used to convert strings to ASCII. The pointer p is read and increased without checking whether it is     beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information     disclosures or crashes. This function can be triggered via uv_getaddrinfo(). (CVE-2021-22918)

  - The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS)     via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression     exhibits polynomial worst-case time complexity. (CVE-2021-23362)

  - ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a     denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of     service. This issue only affects consumers using the strict option. (CVE-2021-27290)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Node.js reports : OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High) (CVE-2021-3450) This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt OpenSSL - NULL pointer deref in signature_algorithms processing (High) (CVE-2021-3449) This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt npm upgrade - Update y18n to fix Prototype-Pollution (High) (CVE-2020-7774) This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:0548 advisory.

  - npm: sensitive information exposure through logs (CVE-2020-15095)

  - nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)

  - nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)

  - nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS     (CVE-2020-7754)

  - nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)

  - nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)

  - nodejs-dot-prop: prototype pollution (CVE-2020-8116)

  - libuv: buffer overflow in realpath (CVE-2020-8252)

  - nodejs: use-after-free in the TLS implementation (CVE-2020-8265)

  - nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-0548 advisory.

  - Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before     5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
    (CVE-2020-8116)

  - The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly     determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256     bytes. (CVE-2020-8252)

  - Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through     log files. The CLI supports URLs like     ://[[:]@][:][:][/]. The password value is not redacted     and is printed to stdout and also to any generated log files. (CVE-2020-15095)

  - yargs-parser could be tricked into adding or modifying properties of Object.prototype using a __proto__     payload. (CVE-2020-7608)

  - This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took     exponentially longer to process long input strings beginning with @ characters. (CVE-2020-7754)

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its     TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls     node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method     does not return an error, this object is passed back to the caller as part of a StreamWriteResult     structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other     exploits. (CVE-2020-8265)

  - Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP     request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first     header field and ignores the second. This can lead to HTTP Request Smuggling. (CVE-2020-8287)

  - This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')();
    y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true     (CVE-2020-7774)

  - An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully     crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While     untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of     service, not execution of code.) (CVE-2020-15366)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-0551 advisory.

  - This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took     exponentially longer to process long input strings beginning with @ characters. (CVE-2020-7754)

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its     TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls     node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method     does not return an error, this object is passed back to the caller as part of a StreamWriteResult     structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other     exploits. (CVE-2020-8265)

  - Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP     request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first     header field and ignores the second. This can lead to HTTP Request Smuggling. (CVE-2020-8287)

  - A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could     trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to     resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
    (CVE-2020-8277)

  - An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully     crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While     untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of     service, not execution of code.) (CVE-2020-15366)

  - This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')();
    y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true     (CVE-2020-7774)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:0551 advisory.

  - nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)

  - nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS     (CVE-2020-7754)

  - nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)

  - nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)

  - nodejs: use-after-free in the TLS implementation (CVE-2020-8265)

  - c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277)

  - nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0548 advisory.

  - npm: sensitive information exposure through logs (CVE-2020-15095)

  - nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)

  - nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)

  - nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS     (CVE-2020-7754)

  - nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)

  - nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)

  - nodejs-dot-prop: prototype pollution (CVE-2020-8116)

  - libuv: buffer overflow in realpath (CVE-2020-8252)

  - nodejs: use-after-free in the TLS implementation (CVE-2020-8265)

  - nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0551 advisory.

  - nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)

  - nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS     (CVE-2020-7754)

  - nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)

  - nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)

  - nodejs: use-after-free in the TLS implementation (CVE-2020-8265)

  - c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277)

  - nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:5499 advisory.

  - nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)

  - nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)

  - nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)

  - c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5499 advisory.

  - nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)

  - nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)

  - nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)

  - c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5499 advisory.

  - A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could     trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to     resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
    (CVE-2020-8277)

  - This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')();
    y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true     (CVE-2020-7774)

  - An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully     crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While     untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of     service, not execution of code.) (CVE-2020-15366)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
151823	openSUSE 15 Security Update : nodejs12 (openSUSE-SU-2021:1059-1)	Nessus	SuSE Local Security Checks	high
151818	openSUSE 15 Security Update : nodejs10 (openSUSE-SU-2021:1061-1)	Nessus	SuSE Local Security Checks	high
151814	openSUSE 15 Security Update : nodejs14 (openSUSE-SU-2021:1060-1)	Nessus	SuSE Local Security Checks	high
151765	SUSE SLES15 Security Update : nodejs14 (SUSE-SU-2021:2354-1)	Nessus	SuSE Local Security Checks	high
151758	SUSE SLES15 Security Update : nodejs10 (SUSE-SU-2021:2353-1)	Nessus	SuSE Local Security Checks	high
151745	openSUSE 15 Security Update : nodejs14 (openSUSE-SU-2021:2354-1)	Nessus	SuSE Local Security Checks	high
151727	openSUSE 15 Security Update : nodejs12 (openSUSE-SU-2021:2327-1)	Nessus	SuSE Local Security Checks	high
151723	openSUSE 15 Security Update : nodejs10 (openSUSE-SU-2021:2353-1)	Nessus	SuSE Local Security Checks	high
151656	SUSE SLES12 Security Update : nodejs10 (SUSE-SU-2021:2323-1)	Nessus	SuSE Local Security Checks	high
151655	SUSE SLES15 Security Update : nodejs12 (SUSE-SU-2021:2327-1)	Nessus	SuSE Local Security Checks	high
151650	SUSE SLES12 Security Update : nodejs14 (SUSE-SU-2021:2319-1)	Nessus	SuSE Local Security Checks	high
148534	FreeBSD : Node.js -- April 2021 Security Releases (c0c1834c-9761-11eb-acfd-0022489ad614)	Nessus	FreeBSD Local Security Checks	high
146802	CentOS 8 : nodejs:10 (CESA-2021:0548)	Nessus	CentOS Local Security Checks	high
146638	Oracle Linux 8 : nodejs:10 (ELSA-2021-0548)	Nessus	Oracle Linux Local Security Checks	high
146637	Oracle Linux 8 : nodejs:14 (ELSA-2021-0551)	Nessus	Oracle Linux Local Security Checks	high
146548	CentOS 8 : nodejs:14 (CESA-2021:0551)	Nessus	CentOS Local Security Checks	high
146547	RHEL 8 : nodejs:10 (RHSA-2021:0548)	Nessus	Red Hat Local Security Checks	high
146540	RHEL 8 : nodejs:14 (RHSA-2021:0551)	Nessus	Red Hat Local Security Checks	high
145990	CentOS 8 : nodejs:12 (CESA-2020:5499)	Nessus	CentOS Local Security Checks	high
144390	RHEL 8 : nodejs:12 (RHSA-2020:5499)	Nessus	Red Hat Local Security Checks	high
144372	Oracle Linux 8 : nodejs:12 (ELSA-2020-5499)	Nessus	Oracle Linux Local Security Checks	high

CVE-2020-7774

HIGH

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high