openSUSE-SU-2020:1616

openSUSE-SU-2020:1660

https://hackerone.com/reports/965914

FEDORA-2020-43d5a372fc

https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/

GLSA-202009-15

https://security.netapp.com/advisory/ntap-20201009-0004/

USN-4548-1

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:0548 advisory.

  - npm: sensitive information exposure through logs (CVE-2020-15095)

  - nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)

  - nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)

  - nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS     (CVE-2020-7754)

  - nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)

  - nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)

  - nodejs-dot-prop: prototype pollution (CVE-2020-8116)

  - libuv: buffer overflow in realpath (CVE-2020-8252)

  - nodejs: use-after-free in the TLS implementation (CVE-2020-8265)

  - nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-0548 advisory.

  - Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before     5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
    (CVE-2020-8116)

  - The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly     determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256     bytes. (CVE-2020-8252)

  - Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through     log files. The CLI supports URLs like     ://[[:]@][:][:][/]. The password value is not redacted     and is printed to stdout and also to any generated log files. (CVE-2020-15095)

  - yargs-parser could be tricked into adding or modifying properties of Object.prototype using a __proto__     payload. (CVE-2020-7608)

  - This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took     exponentially longer to process long input strings beginning with @ characters. (CVE-2020-7754)

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its     TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls     node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method     does not return an error, this object is passed back to the caller as part of a StreamWriteResult     structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other     exploits. (CVE-2020-8265)

  - Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP     request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first     header field and ignores the second. This can lead to HTTP Request Smuggling. (CVE-2020-8287)

  - This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')();
    y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true     (CVE-2020-7774)

  - An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully     crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While     untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of     service, not execution of code.) (CVE-2020-15366)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0548 advisory.

  - npm: sensitive information exposure through logs (CVE-2020-15095)

  - nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)

  - nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)

  - nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS     (CVE-2020-7754)

  - nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)

  - nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)

  - nodejs-dot-prop: prototype pollution (CVE-2020-8116)

  - libuv: buffer overflow in realpath (CVE-2020-8252)

  - nodejs: use-after-free in the TLS implementation (CVE-2020-8265)

  - nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:4272 advisory.

  - npm: sensitive information exposure through logs (CVE-2020-15095)

  - nodejs-dot-prop: prototype pollution (CVE-2020-8116)

  - nodejs: HTTP request smuggling due to CR-to-Hyphen conversion (CVE-2020-8201)

  - libuv: buffer overflow in realpath (CVE-2020-8252)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Update to 14.15.1

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for nodejs10 fixes the following issues :

nodejs10 was updated to 10.22.1 LTS :

  - CVE-2020-8252: Fixed a buffer overflow in realpath     (bsc#1176589).

  - CVE-2020-15095: Fixed an information leak through log     files (bsc#1173937).

Explicitly add -fno-strict-aliasing to CFLAGS to fix compilation on Aarch64 with gcc10 (bsc#1172686)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for nodejs12 fixes the following issues :

nodejs12 was updated to 12.18.4 LTS :

  - CVE-2020-8201: Fixed an HTTP Request Smuggling due to     CR-to-Hyphen conversion (bsc#1176605).

  - CVE-2020-8252: Fixed a buffer overflow in realpath     (bsc#1176589).

  - CVE-2020-15095: Fixed an information leak through log     files (bsc#1173937).

Explicitly add -fno-strict-aliasing to CFLAGS to fix compilation on Aarch64 with gcc10 (bsc#1172686)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4903 advisory.

  - npm: Sensitive information exposure through logs (CVE-2020-15095)

  - nodejs-dot-prop: prototype pollution (CVE-2020-8116)

  - nodejs: HTTP request smuggling due to CR-to-Hyphen conversion (CVE-2020-8201)

  - libuv: buffer overflow in realpath (CVE-2020-8252)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-4272 advisory.

  - Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before     5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
    (CVE-2020-8116)

  - Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious     payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison     cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the     underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the     HTTP header names. (CVE-2020-8201)

  - The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly     determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256     bytes. (CVE-2020-8252)

  - Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through     log files. The CLI supports URLs like     ://[[:]@][:][:][/]. The password value is not redacted     and is printed to stdout and also to any generated log files. (CVE-2020-15095)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4272 advisory.

  - npm: Sensitive information exposure through logs (CVE-2020-15095)

  - nodejs-dot-prop: prototype pollution (CVE-2020-8116)

  - nodejs: HTTP request smuggling due to CR-to-Hyphen conversion (CVE-2020-8201)

  - libuv: buffer overflow in realpath (CVE-2020-8252)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the nodejs package has been released.

An update of the nodejs10 package has been released.

This update for nodejs10 fixes the following issues :

  - nodejs10 was updated to 10.22.1 LTS :

  - CVE-2020-8252: Fixed a buffer overflow in realpath     (bsc#1176589).

  - CVE-2020-15095: Fixed an information leak through log     files (bsc#1173937).

  - Explicitly add -fno-strict-aliasing to CFLAGS to fix     compilation on Aarch64 with gcc10 (bsc#1172686)&#9; 

This update was imported from the SUSE:SLE-15:Update update project.

This update for nodejs12 fixes the following issues :

  - nodejs12 was updated to 12.18.4 LTS :

  - CVE-2020-8201: Fixed an HTTP Request Smuggling due to     CR-to-Hyphen conversion (bsc#1176605).

  - CVE-2020-8252: Fixed a buffer overflow in realpath     (bsc#1176589).

  - CVE-2020-15095: Fixed an information leak through log     files (bsc#1173937).

  - Explicitly add -fno-strict-aliasing to CFLAGS to fix     compilation on Aarch64 with gcc10 (bsc#1172686)

This update was imported from the SUSE:SLE-15-SP2:Update update project.

The remote host is affected by the vulnerability described in GLSA-202009-15 (libuv: Buffer overflow)

    libuv used an incorrect buffer size for paths, causing a buffer       overflow.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process, or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

The remote Ubuntu 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-4548-1 advisory.

  - The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly     determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256     bytes. (CVE-2020-8252)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Node.js installed on the remote host is prior to 10.22.1 or 12.18.4 or 14.11.0. It is, therefore, affected by multiple vulnerabilities as referenced in the september-2020-security-releases advisory.

  - Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing.
    This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.
    (CVE-2020-8201)

  - Node.js is vulnerable to HTTP denial of service (DOS) attacks based on delayed requests submission which     can make the server unable to accept new connections. The fix a new http.Server option called requestTimeout     with a default value of 0 which means it is disabled by default. This should be set when Node.js is used     as an edge server. (CVE-2020-8251)

  - libuv's realpath implementation incorrectly determined the buffer size which can result in a buffer overflow     if the resolved path is longer than 256 bytes. (CVE-2020-8252)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Node.js reports :

Updates are now available for v10,x, v12.x and v14.x Node.js release lines for the following issues. HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201) Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.

Impacts :

- All versions of the 14.x and 12.x releases line Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical) (CVE-2020-8251) Node.js is vulnerable to HTTP denial of service (DOS) attacks based on delayed requests submission which can make the server unable to accept new connections. The fix a new http.Server option called requestTimeout with a default value of 0 which means it is disabled by default. This should be set when Node.js is used as an edge server, for more details refer to the documentation.

Impacts :

- All versions of the 14.x release line fs.realpath.native on may cause buffer overflow (Medium) (CVE-2020-8252) libuv's realpath implementation incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.

Impacts :

- All versions of the 10.x release line

- All versions of the 12.x release line

- All versions of the 14.x release line before 14.9.0

ID	Name	Product	Family	Severity
146802	CentOS 8 : nodejs:10 (CESA-2021:0548)	Nessus	CentOS Local Security Checks	high
146638	Oracle Linux 8 : nodejs:10 (ELSA-2021-0548)	Nessus	Oracle Linux Local Security Checks	high
146547	RHEL 8 : nodejs:10 (RHSA-2021:0548)	Nessus	Red Hat Local Security Checks	high
145813	CentOS 8 : nodejs:12 (CESA-2020:4272)	Nessus	CentOS Local Security Checks	high
144124	Fedora 33 : 1:nodejs (2020-43d5a372fc)	Nessus	Fedora Local Security Checks	high
143819	SUSE SLES12 Security Update : nodejs10 (SUSE-SU-2020:2823-1)	Nessus	SuSE Local Security Checks	medium
143665	SUSE SLES12 Security Update : nodejs12 (SUSE-SU-2020:2812-1)	Nessus	SuSE Local Security Checks	medium
143663	SUSE SLES15 Security Update : nodejs12 (SUSE-SU-2020:2813-1)	Nessus	SuSE Local Security Checks	medium
143657	SUSE SLES15 Security Update : nodejs10 (SUSE-SU-2020:2829-1)	Nessus	SuSE Local Security Checks	medium
142450	RHEL 8 : nodejs:12 (RHSA-2020:4903)	Nessus	Red Hat Local Security Checks	high
141637	Oracle Linux 8 : nodejs:12 (ELSA-2020-4272)	Nessus	Oracle Linux Local Security Checks	high
141536	RHEL 8 : nodejs:12 (RHSA-2020:4272)	Nessus	Red Hat Local Security Checks	high
141481	Photon OS 3.0: Nodejs PHSA-2020-3.0-0150	Nessus	PhotonOS Local Security Checks	medium
141476	Photon OS 1.0: Nodejs10 PHSA-2020-1.0-0331	Nessus	PhotonOS Local Security Checks	medium
141443	Photon OS 2.0: Nodejs PHSA-2020-2.0-0288	Nessus	PhotonOS Local Security Checks	medium
141411	openSUSE Security Update : nodejs10 (openSUSE-2020-1660)	Nessus	SuSE Local Security Checks	medium
141276	openSUSE Security Update : nodejs12 (openSUSE-2020-1616)	Nessus	SuSE Local Security Checks	medium
141065	GLSA-202009-15 : libuv: Buffer overflow	Nessus	Gentoo Local Security Checks	medium
140924	Ubuntu 20.04 LTS : libuv vulnerability (USN-4548-1)	Nessus	Ubuntu Local Security Checks	medium
140795	Node.js Multiple Vulnerabilities (September 2020 Security Releases)	Nessus	Misc.	medium
140627	FreeBSD : Node.js -- September 2020 Security Releases (4ca5894c-f7f1-11ea-8ff8-0022489ad614)	Nessus	FreeBSD Local Security Checks	medium

CVE-2020-8252

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

high

high

high

high

high

medium

medium

medium

medium

high

high

high

medium

medium

medium

medium

medium

medium

medium

medium

medium