The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

The remote CentOS Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the nodejs-nodemon-2.0.19-1.el9 build changelog.

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:0350 advisory.

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - The npm package tar (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     the same name as the directory, where the symlink and directory names in the archive entry used     backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/`     characters as path separators, however `\` is a valid filename character on posix systems. By first     creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass     node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an     arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary     file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive     filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`,     then on case-insensitive file systems, the creation of the symbolic link would remove the directory from     the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A     subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link,     thinking that the directory had already been created. These issues were addressed in releases 4.4.16,     5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these     issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar.
    If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc. (CVE-2021-37701)

  - The npm package tar (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     names containing unicode values that normalized to the same value. Additionally, on Windows systems, long     path portions would resolve to the same file system entities as their 8.3 short path counterparts. A     specially crafted tar archive could thus include a directory with one form of the path, followed by a     symbolic link with a different string that resolves to the same file system entity, followed by a file     using the first form. By first creating a directory, and then replacing that directory with a symlink that     had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to     bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into     an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing     arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9.
    The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are     still using a v3 release we recommend you update to a more recent version of node-tar. If this is not     possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p. (CVE-2021-37712)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution') (CVE-2021-3918)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2021:5171 advisory.

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution') (CVE-2021-3918)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RLSA-2022:6595 advisory.

  - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or     with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm     publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published     files into the npm registry they did not intend to include. Users should upgrade to the latest, patched     version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0     include the patched v8.11.0 version of npm. (CVE-2022-29244)

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:6595 advisory.

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or     with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm     publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published     files into the npm registry they did not intend to include. Users should upgrade to the latest, patched     version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0     include the patched v8.11.0 version of npm. (CVE-2022-29244)

  - A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an     insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check     if an IP address is invalid before making DBS requests allowing rebinding attacks. (CVE-2022-32212)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse     and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). (CVE-2022-32213)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use     the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
    (CVE-2022-32214)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly     handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
    (CVE-2022-32215)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-6595 advisory.

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an     insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check     if an IP address is invalid before making DBS requests allowing rebinding attacks. (CVE-2022-32212)

  - The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer-     Encoding headers and can lead to HTTP Request Smuggling (HRS). (CVE-2022-32213)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

  - The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP     requests. This can lead to HTTP Request Smuggling (HRS). (CVE-2022-32214)

  - The llhttp parser in the http module in Node v17.6.0 does not correctly handle multi-line Transfer-     Encoding headers. This can lead to HTTP Request Smuggling (HRS). (CVE-2022-32215)

  - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or     with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm     publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published     files into the npm registry they did not intend to include. Users should upgrade to the latest, patched     version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0     include the patched v8.11.0 version of npm. (CVE-2022-29244)

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6595 advisory.

  - nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  - nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

  - nodejs-normalize-url: ReDoS for data URLs (CVE-2021-33502)

  - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  - nodejs: npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a     workspace (CVE-2022-29244)

  - nodejs: DNS rebinding in --inspect via invalid IP addresses (CVE-2022-32212)

  - nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding (CVE-2022-32213)

  - nodejs: HTTP request smuggling due to improper delimiting of header fields (CVE-2022-32214)

  - nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding (CVE-2022-32215)

  - nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets (CVE-2022-33987)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:4711 advisory.

  - nodejs-trim-off-newlines: ReDoS via string processing (CVE-2021-23425)

  - nodejs-normalize-url: ReDoS for data URLs (CVE-2021-33502)

  - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  - jquery-ui: XSS in the altField option of the datepicker widget (CVE-2021-41182)

  - jquery-ui: XSS in *Text options of the datepicker widget (CVE-2021-41183)

  - jquery-ui: XSS in the 'of' option of the .position() util (CVE-2021-41184)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2021:5171 advisory.

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution') (CVE-2021-3918)

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:0350 advisory.

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution') (CVE-2021-3918)

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - The npm package tar (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     the same name as the directory, where the symlink and directory names in the archive entry used     backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/`     characters as path separators, however `\` is a valid filename character on posix systems. By first     creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass     node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an     arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary     file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive     filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`,     then on case-insensitive file systems, the creation of the symbolic link would remove the directory from     the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A     subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link,     thinking that the directory had already been created. These issues were addressed in releases 4.4.16,     5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these     issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar.
    If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc. (CVE-2021-37701)

  - The npm package tar (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     names containing unicode values that normalized to the same value. Additionally, on Windows systems, long     path portions would resolve to the same file system entities as their 8.3 short path counterparts. A     specially crafted tar archive could thus include a directory with one form of the path, followed by a     symbolic link with a different string that resolves to the same file system entity, followed by a file     using the first form. By first creating a directory, and then replacing that directory with a symlink that     had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to     bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into     an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing     arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9.
    The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are     still using a v3 release we recommend you update to a more recent version of node-tar. If this is not     possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p. (CVE-2021-37712)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-0350 advisory.

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - The npm package tar (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     the same name as the directory, where the symlink and directory names in the archive entry used     backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/`     characters as path separators, however `\` is a valid filename character on posix systems. By first     creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass     node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an     arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary     file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive     filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`,     then on case-insensitive file systems, the creation of the symbolic link would remove the directory from     the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A     subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link,     thinking that the directory had already been created. These issues were addressed in releases 4.4.16,     5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these     issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar.
    If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc. (CVE-2021-37701)

  - The npm package tar (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     names containing unicode values that normalized to the same value. Additionally, on Windows systems, long     path portions would resolve to the same file system entities as their 8.3 short path counterparts. A     specially crafted tar archive could thus include a directory with one form of the path, followed by a     symbolic link with a different string that resolves to the same file system entity, followed by a file     using the first form. By first creating a directory, and then replacing that directory with a symlink that     had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to     bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into     an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing     arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9.
    The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are     still using a v3 release we recommend you update to a more recent version of node-tar. If this is not     possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p. (CVE-2021-37712)

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution') (CVE-2021-3918)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2022:0350 advisory.

  - nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  - nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

  - llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

  - llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

  - normalize-url: ReDoS for data URLs (CVE-2021-33502)

  - nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing     arbitrary file creation and overwrite (CVE-2021-37701, CVE-2021-37712)

  - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  - nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:0350 advisory.

  - nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  - nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

  - llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

  - llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

  - nodejs-normalize-url: ReDoS for data URLs (CVE-2021-33502)

  - nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing     arbitrary file creation and overwrite (CVE-2021-37701, CVE-2021-37712)

  - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  - nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:0246 advisory.

  - nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  - nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

  - llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

  - llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

  - nodejs-normalize-url: ReDoS for data URLs (CVE-2021-33502)

  - nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing     arbitrary file creation and overwrite (CVE-2021-37701, CVE-2021-37712)

  - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  - nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:5171 advisory.

  - nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  - nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

  - llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

  - llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

  - nodejs-normalize-url: ReDoS for data URLs (CVE-2021-33502)

  - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  - nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2021:5171 advisory.

  - nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  - nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

  - llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

  - llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

  - normalize-url: ReDoS for data URLs (CVE-2021-33502)

  - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  - nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-5171 advisory.

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution') (CVE-2021-3918)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2932 advisory.

  - libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes     (CVE-2021-22918)

  - nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()     (CVE-2021-23362)

  - nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290)

  - nodejs-normalize-url: ReDoS for data URLs (CVE-2021-33502)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2931 advisory.

  - libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes     (CVE-2021-22918)

  - nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()     (CVE-2021-23362)

  - nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290)

  - nodejs-normalize-url: ReDoS for data URLs (CVE-2021-33502)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
191419	CentOS 9 : nodejs-nodemon-2.0.19-1.el9	Nessus	CentOS Local Security Checks	medium
185008	Rocky Linux 8 : nodejs:14 (RLSA-2022:0350)	Nessus	Rocky Linux Local Security Checks	critical
184727	Rocky Linux 8 : nodejs:16 (RLSA-2021:5171)	Nessus	Rocky Linux Local Security Checks	critical
171017	Rocky Linux 9 : nodejs and nodejs-nodemon (RLSA-2022:6595)	Nessus	Rocky Linux Local Security Checks	critical
166249	AlmaLinux 9 : nodejs and nodejs-nodemon (ALSA-2022:6595)	Nessus	Alma Linux Local Security Checks	critical
165309	Oracle Linux 9 : nodejs / and / nodejs-nodemon (ELSA-2022-6595)	Nessus	Oracle Linux Local Security Checks	critical
165270	RHEL 9 : nodejs and nodejs-nodemon (RHSA-2022:6595)	Nessus	Red Hat Local Security Checks	critical
161619	RHEL 8 : RHV Manager (ovirt-engine) [ovirt-4.5.0] (RHSA-2022:4711)	Nessus	Red Hat Local Security Checks	medium
158872	AlmaLinux 8 : nodejs:16 (ALSA-2021:5171)	Nessus	Alma Linux Local Security Checks	critical
158862	AlmaLinux 8 : nodejs:14 (ALSA-2022:0350)	Nessus	Alma Linux Local Security Checks	critical
157333	Oracle Linux 8 : nodejs:14 (ELSA-2022-0350)	Nessus	Oracle Linux Local Security Checks	critical
157330	CentOS 8 : nodejs:14 (CESA-2022:0350)	Nessus	CentOS Local Security Checks	critical
157311	RHEL 8 : nodejs:14 (RHSA-2022:0350)	Nessus	Red Hat Local Security Checks	critical
157089	RHEL 8 : nodejs:14 (RHSA-2022:0246)	Nessus	Red Hat Local Security Checks	critical
156129	RHEL 8 : nodejs:16 (RHSA-2021:5171)	Nessus	Red Hat Local Security Checks	critical
156125	CentOS 8 : nodejs:16 (CESA-2021:5171)	Nessus	CentOS Local Security Checks	critical
156123	Oracle Linux 8 : nodejs:16 (ELSA-2021-5171)	Nessus	Oracle Linux Local Security Checks	critical
152133	RHEL 7 : rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2021:2932)	Nessus	Red Hat Local Security Checks	medium
152132	RHEL 7 : rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon (RHSA-2021:2931)	Nessus	Red Hat Local Security Checks	medium

Detections

Analytics

CVE-2021-33502

high

Tenable Plugins

medium

critical

critical

critical

critical

critical

critical

medium

critical

critical

critical

critical

critical

critical

critical

critical

critical

medium

medium