The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2022:0014 advisory.

    Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

    CVE-2020-28469:
    This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator.

    CVE-2020-7788:
    This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context.

    CVE-2021-22959:
    The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.

    CVE-2021-22960:
    The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

    CVE-2021-33502:
    The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.

    CVE-2021-37701:
    The npm package tar (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     the same name as the directory, where the symlink and directory names in the archive entry used     backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/`     characters as path separators, however `\` is a valid filename character on posix systems. By first     creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass     node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an     arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary     file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive     filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`,     then on case-insensitive file systems, the creation of the symbolic link would remove the directory from     the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A     subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link,     thinking that the directory had already been created. These issues were addressed in releases 4.4.16,     5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these     issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar.
    If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.

    CVE-2021-37712:
    The npm package tar (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     names containing unicode values that normalized to the same value. Additionally, on Windows systems, long     path portions would resolve to the same file system entities as their 8.3 short path counterparts. A     specially crafted tar archive could thus include a directory with one form of the path, followed by a     symbolic link with a different string that resolves to the same file system entity, followed by a file     using the first form. By first creating a directory, and then replacing that directory with a symlink that     had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to     bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into     an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing     arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9.
    The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are     still using a v3 release we recommend you update to a more recent version of node-tar. If this is not     possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.

    CVE-2021-3807:
    ansi-regex is vulnerable to Inefficient Regular Expression Complexity

    CVE-2021-3918:
    json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution')

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2022:0014 advisory.

    Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

    CVE-2020-28469:
    This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator.

    CVE-2020-7788:
    This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context.

    CVE-2021-22959:
    The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.

    CVE-2021-22960:
    The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

    CVE-2021-33502:
    The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.

    CVE-2021-37701:
    The npm package tar (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     the same name as the directory, where the symlink and directory names in the archive entry used     backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/`     characters as path separators, however `\` is a valid filename character on posix systems. By first     creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass     node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an     arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary     file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive     filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`,     then on case-insensitive file systems, the creation of the symbolic link would remove the directory from     the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A     subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link,     thinking that the directory had already been created. These issues were addressed in releases 4.4.16,     5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these     issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar.
    If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.

    CVE-2021-37712:
    The npm package tar (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     names containing unicode values that normalized to the same value. Additionally, on Windows systems, long     path portions would resolve to the same file system entities as their 8.3 short path counterparts. A     specially crafted tar archive could thus include a directory with one form of the path, followed by a     symbolic link with a different string that resolves to the same file system entity, followed by a file     using the first form. By first creating a directory, and then replacing that directory with a symlink that     had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to     bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into     an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing     arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9.
    The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are     still using a v3 release we recommend you update to a more recent version of node-tar. If this is not     possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.

    CVE-2021-3807:
    ansi-regex is vulnerable to Inefficient Regular Expression Complexity

    CVE-2021-3918:
    json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution')

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0613 advisory.

  - A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as     @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states we are in     the process of marking this report as invalid; however, some third parties takes the position that A     prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge     or deep cloning but also when a target object is polluted. (CVE-2022-37616)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the     XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to     access an array at a negative 2GB offset, typically leading to a segmentation fault. (CVE-2022-40303)

  - An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a     hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be     provoked. (CVE-2022-40304)

  - There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName.
    X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME     incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently     interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL     checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may     allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or     enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate     chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these     inputs, the other input must already contain an X.400 address as a CRL distribution point, which is     uncommon. As such, this vulnerability is most likely to only affect applications which have implemented     their own functionality for retrieving CRLs over a network. (CVE-2023-0286)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the nodejs-nodemon-2.0.19-1.el9 build changelog.

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:0350 advisory.

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - The npm package tar (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     the same name as the directory, where the symlink and directory names in the archive entry used     backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/`     characters as path separators, however `\` is a valid filename character on posix systems. By first     creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass     node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an     arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary     file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive     filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`,     then on case-insensitive file systems, the creation of the symbolic link would remove the directory from     the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A     subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link,     thinking that the directory had already been created. These issues were addressed in releases 4.4.16,     5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these     issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar.
    If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc. (CVE-2021-37701)

  - The npm package tar (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     names containing unicode values that normalized to the same value. Additionally, on Windows systems, long     path portions would resolve to the same file system entities as their 8.3 short path counterparts. A     specially crafted tar archive could thus include a directory with one form of the path, followed by a     symbolic link with a different string that resolves to the same file system entity, followed by a file     using the first form. By first creating a directory, and then replacing that directory with a symlink that     had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to     bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into     an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing     arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9.
    The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are     still using a v3 release we recommend you update to a more recent version of node-tar. If this is not     possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p. (CVE-2021-37712)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution') (CVE-2021-3918)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2021:5171 advisory.

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution') (CVE-2021-3918)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RLSA-2022:6595 advisory.

  - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or     with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm     publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published     files into the npm registry they did not intend to include. Users should upgrade to the latest, patched     version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0     include the patched v8.11.0 version of npm. (CVE-2022-29244)

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:6595 advisory.

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or     with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm     publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published     files into the npm registry they did not intend to include. Users should upgrade to the latest, patched     version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0     include the patched v8.11.0 version of npm. (CVE-2022-29244)

  - A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an     insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check     if an IP address is invalid before making DBS requests allowing rebinding attacks. (CVE-2022-32212)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse     and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). (CVE-2022-32213)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use     the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
    (CVE-2022-32214)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly     handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
    (CVE-2022-32215)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-6595 advisory.

    - Rebase to version 16.16.0       Resolves: RHBZ#2106290       Resolves: CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6595 advisory.

    Node.js is a software development platform for building fast and scalable network applications in the     JavaScript programming language.

    The following packages have been upgraded to a later upstream version: nodejs (16.16.0), nodejs-nodemon     (2.0.19). (BZ#2124230, BZ#2124233)

    Security Fix(es):

    * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes     (CVE-2021-3807)

    * normalize-url: ReDoS for data URLs (CVE-2021-33502)

    * nodejs: npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a     workspace (CVE-2022-29244)

    * nodejs: DNS rebinding in --inspect via invalid IP addresses (CVE-2022-32212)

    * nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding (CVE-2022-32213)

    * nodejs: HTTP request smuggling due to improper delimiting of header fields (CVE-2022-32214)

    * nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding (CVE-2022-32215)

    * got: missing verification of requested URLs allows redirects to UNIX sockets (CVE-2022-33987)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * nodejs:16/nodejs: Rebase to the latest Nodejs 16 release [rhel-9] (BZ#2121019)

    * nodejs: Specify --with-default-icu-data-dir when using bootstrap build (BZ#2124299)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:4711 advisory.

    The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform     that allows system administrators to view and manage virtual machines. The Manager provides a     comprehensive range of features including search capabilities, resource management, live migrations, and     virtual infrastructure provisioning.

    Security Fix(es):

    * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes     (CVE-2021-3807)

    * nodejs-trim-off-newlines: ReDoS via string processing (CVE-2021-23425)

    * normalize-url: ReDoS for data URLs (CVE-2021-33502)

    * jquery-ui: XSS in the altField option of the datepicker widget (CVE-2021-41182)

    * jquery-ui: XSS in *Text options of the datepicker widget (CVE-2021-41183)

    * jquery-ui: XSS in the 'of' option of the .position() util (CVE-2021-41184)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    A list of bugs fixed in this update is available in the Technical Notes book:

    https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2021:5171 advisory.

    * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

    * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes     (CVE-2021-3807)

    * normalize-url: ReDoS for data URLs (CVE-2021-33502)

    * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

    * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:0350 advisory.

    * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

    * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes     (CVE-2021-3807)

    * normalize-url: ReDoS for data URLs (CVE-2021-33502)

    * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links     allowing arbitrary file creation and overwrite (CVE-2021-37701)

    * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links     allowing arbitrary file creation and overwrite (CVE-2021-37712)

    * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

    * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-0350 advisory.

    nodejs     [1:14.18.2-2]
    - Add missing fixes
    - Resolves: RHBZ#2027642, RHBZ#2027635

    [1:14.18.2-1]
    - Resolves: RHBZ#2027609
    - Resolves: RHBZ#2027649, RHBZ#2027646, RHBZ#2027642, RHBZ#2027635
    - Rebase to new version to fix CVEs

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2022:0350 advisory.

  - nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  - nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

  - llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

  - llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

  - normalize-url: ReDoS for data URLs (CVE-2021-33502)

  - nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing     arbitrary file creation and overwrite (CVE-2021-37701, CVE-2021-37712)

  - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  - nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:0350 advisory.

    Node.js is a software development platform for building fast and scalable network applications in the     JavaScript programming language.

    The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon     (2.0.15). (BZ#2027609)

    Security Fix(es):

    * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

    * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes     (CVE-2021-3807)

    * normalize-url: ReDoS for data URLs (CVE-2021-33502)

    * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links     allowing arbitrary file creation and overwrite (CVE-2021-37701)

    * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links     allowing arbitrary file creation and overwrite (CVE-2021-37712)

    * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

    * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:0246 advisory.

    Node.js is a software development platform for building fast and scalable network applications in the     JavaScript programming language.

    The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon     (2.0.15). (BZ#2027608)

    Security Fix(es):

    * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

    * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes     (CVE-2021-3807)

    * normalize-url: ReDoS for data URLs (CVE-2021-33502)

    * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links     allowing arbitrary file creation and overwrite (CVE-2021-37701)

    * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links     allowing arbitrary file creation and overwrite (CVE-2021-37712)

    * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

    * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:5171 advisory.

    Node.js is a software development platform for building fast and scalable network applications in the     JavaScript programming language.

    The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon     (2.0.15). (BZ#2027610)

    Security Fix(es):

    * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

    * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes     (CVE-2021-3807)

    * normalize-url: ReDoS for data URLs (CVE-2021-33502)

    * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

    * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2021:5171 advisory.

  - nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  - nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

  - llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

  - llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

  - normalize-url: ReDoS for data URLs (CVE-2021-33502)

  - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  - nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-5171 advisory.

    - Resolves CVE-2020-28469

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2932 advisory.

    Node.js is a software development platform for building fast and scalable network applications in the     JavaScript programming language.

    The following packages have been upgraded to a later upstream version: rh-nodejs14-nodejs (14.17.2).

    Security Fix(es):

    * nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()     (CVE-2021-23362)

    * nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290)

    * normalize-url: ReDoS for data URLs (CVE-2021-33502)

    * libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes     (CVE-2021-22918)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * ECDHE ciphers missing in rh-nodejs14 (BZ#1942591)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2931 advisory.

    Node.js is a software development platform for building fast and scalable network applications in the     JavaScript programming language.

    The following packages have been upgraded to a later upstream version: rh-nodejs12-nodejs (12.22.2).

    Security Fix(es):

    * nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()     (CVE-2021-23362)

    * nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290)

    * normalize-url: ReDoS for data URLs (CVE-2021-33502)

    * libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes     (CVE-2021-22918)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * ECDHE ciphers missing in rh-nodejs12 (BZ#1942592)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
239656	TencentOS Server 3: nodejs (TSSA-2022:0014)	Nessus	Tencent Local Security Checks	critical
236651	Alibaba Cloud Linux 3 : 0014: nodejs:14 (ALINUX3-SA-2022:0014)	Nessus	Alibaba Cloud Linux Local Security Checks	critical
223824	Linux Distros Unpatched Vulnerability : CVE-2021-33502	Nessus	Misc.	high
194919	Splunk Enterprise < 8.1.14, 8.2.0 < 8.2.11, 9.0.0 < 9.0.5 (SVD-2023-0613)	Nessus	CGI abuses	critical
191419	CentOS 9 : nodejs-nodemon-2.0.19-1.el9	Nessus	CentOS Local Security Checks	medium
185008	Rocky Linux 8 : nodejs:14 (RLSA-2022:0350)	Nessus	Rocky Linux Local Security Checks	critical
184727	Rocky Linux 8 : nodejs:16 (RLSA-2021:5171)	Nessus	Rocky Linux Local Security Checks	critical
171017	Rocky Linux 9 : nodejs and nodejs-nodemon (RLSA-2022:6595)	Nessus	Rocky Linux Local Security Checks	critical
166249	AlmaLinux 9 : nodejs and nodejs-nodemon (ALSA-2022:6595)	Nessus	Alma Linux Local Security Checks	critical
165309	Oracle Linux 9 : nodejs / and / nodejs-nodemon (ELSA-2022-6595)	Nessus	Oracle Linux Local Security Checks	critical
165270	RHEL 9 : nodejs and nodejs-nodemon (RHSA-2022:6595)	Nessus	Red Hat Local Security Checks	critical
161619	RHEL 8 : RHV Manager (ovirt-engine) [ovirt-4.5.0] (RHSA-2022:4711)	Nessus	Red Hat Local Security Checks	medium
158872	AlmaLinux 8 : nodejs:16 (ALSA-2021:5171)	Nessus	Alma Linux Local Security Checks	critical
158862	AlmaLinux 8 : nodejs:14 (ALSA-2022:0350)	Nessus	Alma Linux Local Security Checks	critical
157333	Oracle Linux 8 : nodejs:14 (ELSA-2022-0350)	Nessus	Oracle Linux Local Security Checks	critical
157330	CentOS 8 : nodejs:14 (CESA-2022:0350)	Nessus	CentOS Local Security Checks	critical
157311	RHEL 8 : nodejs:14 (RHSA-2022:0350)	Nessus	Red Hat Local Security Checks	critical
157089	RHEL 8 : nodejs:14 (RHSA-2022:0246)	Nessus	Red Hat Local Security Checks	critical
156129	RHEL 8 : nodejs:16 (RHSA-2021:5171)	Nessus	Red Hat Local Security Checks	critical
156125	CentOS 8 : nodejs:16 (CESA-2021:5171)	Nessus	CentOS Local Security Checks	critical
156123	Oracle Linux 8 : nodejs:16 (ELSA-2021-5171)	Nessus	Oracle Linux Local Security Checks	critical
152133	RHEL 7 : rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2021:2932)	Nessus	Red Hat Local Security Checks	medium
152132	RHEL 7 : rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon (RHSA-2021:2931)	Nessus	Red Hat Local Security Checks	medium

Detections

Analytics

CVE-2021-33502

high

Tenable Plugins

critical

critical

high

critical

medium

critical

critical

critical

critical

critical

critical

medium

critical

critical

critical

critical

critical

critical

critical

critical

critical

medium

medium