https://github.com/sindresorhus/normalize-url/releases/tag/v6.0.1

https://security.netapp.com/advisory/ntap-20210706-0001/

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:4711 advisory.

  - nodejs-trim-off-newlines: ReDoS via string processing (CVE-2021-23425)

  - normalize-url: ReDoS for data URLs (CVE-2021-33502)

  - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  - jquery-ui: XSS in the altField option of the datepicker widget (CVE-2021-41182)

  - jquery-ui: XSS in *Text options of the datepicker widget (CVE-2021-41183)

  - jquery-ui: XSS in the 'of' option of the .position() util (CVE-2021-41184)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2021:5171 advisory.

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution') (CVE-2021-3918)

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:0350 advisory.

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution') (CVE-2021-3918)

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - The npm package tar (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     the same name as the directory, where the symlink and directory names in the archive entry used     backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/`     characters as path separators, however `\` is a valid filename character on posix systems. By first     creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass     node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an     arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary     file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive     filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`,     then on case-insensitive file systems, the creation of the symbolic link would remove the directory from     the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A     subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link,     thinking that the directory had already been created. These issues were addressed in releases 4.4.16,     5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these     issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar.
    If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc. (CVE-2021-37701)

  - The npm package tar (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     names containing unicode values that normalized to the same value. Additionally, on Windows systems, long     path portions would resolve to the same file system entities as their 8.3 short path counterparts. A     specially crafted tar archive could thus include a directory with one form of the path, followed by a     symbolic link with a different string that resolves to the same file system entity, followed by a file     using the first form. By first creating a directory, and then replacing that directory with a symlink that     had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to     bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into     an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing     arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9.
    The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are     still using a v3 release we recommend you update to a more recent version of node-tar. If this is not     possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p. (CVE-2021-37712)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-0350 advisory.

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - The npm package tar (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     the same name as the directory, where the symlink and directory names in the archive entry used     backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/`     characters as path separators, however `\` is a valid filename character on posix systems. By first     creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass     node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an     arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary     file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive     filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`,     then on case-insensitive file systems, the creation of the symbolic link would remove the directory from     the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A     subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link,     thinking that the directory had already been created. These issues were addressed in releases 4.4.16,     5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these     issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar.
    If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc. (CVE-2021-37701)

  - The npm package tar (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file     creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file     whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by     ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat     calls to determine whether a given path is a directory, paths are cached when directories are created.
    This logic was insufficient when extracting tar files that contained both a directory and a symlink with     names containing unicode values that normalized to the same value. Additionally, on Windows systems, long     path portions would resolve to the same file system entities as their 8.3 short path counterparts. A     specially crafted tar archive could thus include a directory with one form of the path, followed by a     symbolic link with a different string that resolves to the same file system entity, followed by a file     using the first form. By first creating a directory, and then replacing that directory with a symlink that     had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to     bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into     an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing     arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9.
    The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are     still using a v3 release we recommend you update to a more recent version of node-tar. If this is not     possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p. (CVE-2021-37712)

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution') (CVE-2021-3918)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2022:0350 advisory.

  - nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  - nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

  - llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

  - llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

  - normalize-url: ReDoS for data URLs (CVE-2021-33502)

  - nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing     arbitrary file creation and overwrite (CVE-2021-37701, CVE-2021-37712)

  - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  - nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:0350 advisory.

  - nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  - nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

  - llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

  - llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

  - normalize-url: ReDoS for data URLs (CVE-2021-33502)

  - nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing     arbitrary file creation and overwrite (CVE-2021-37701, CVE-2021-37712)

  - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  - nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:0246 advisory.

  - nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  - nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

  - llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

  - llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

  - normalize-url: ReDoS for data URLs (CVE-2021-33502)

  - nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing     arbitrary file creation and overwrite (CVE-2021-37701, CVE-2021-37712)

  - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  - nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:5171 advisory.

  - nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  - nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

  - llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

  - llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

  - normalize-url: ReDoS for data URLs (CVE-2021-33502)

  - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  - nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2021:5171 advisory.

  - nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  - nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

  - llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

  - llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

  - normalize-url: ReDoS for data URLs (CVE-2021-33502)

  - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  - nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-5171 advisory.

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution') (CVE-2021-3918)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2932 advisory.

  - libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes     (CVE-2021-22918)

  - nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()     (CVE-2021-23362)

  - nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290)

  - normalize-url: ReDoS for data URLs (CVE-2021-33502)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2931 advisory.

  - libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes     (CVE-2021-22918)

  - nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()     (CVE-2021-23362)

  - nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290)

  - normalize-url: ReDoS for data URLs (CVE-2021-33502)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
161619	RHEL 8 : RHV Manager (ovirt-engine) [ovirt-4.5.0] (RHSA-2022:4711)	Nessus	Red Hat Local Security Checks	medium
158872	AlmaLinux 8 : nodejs:16 (ALSA-2021:5171)	Nessus	Alma Linux Local Security Checks	critical
158862	AlmaLinux 8 : nodejs:14 (ALSA-2022:0350)	Nessus	Alma Linux Local Security Checks	critical
157333	Oracle Linux 8 : nodejs:14 (ELSA-2022-0350)	Nessus	Oracle Linux Local Security Checks	critical
157330	CentOS 8 : nodejs:14 (CESA-2022:0350)	Nessus	CentOS Local Security Checks	critical
157311	RHEL 8 : nodejs:14 (RHSA-2022:0350)	Nessus	Red Hat Local Security Checks	critical
157089	RHEL 8 : nodejs:14 (RHSA-2022:0246)	Nessus	Red Hat Local Security Checks	critical
156129	RHEL 8 : nodejs:16 (RHSA-2021:5171)	Nessus	Red Hat Local Security Checks	critical
156125	CentOS 8 : nodejs:16 (CESA-2021:5171)	Nessus	CentOS Local Security Checks	critical
156123	Oracle Linux 8 : nodejs:16 (ELSA-2021-5171)	Nessus	Oracle Linux Local Security Checks	critical
152133	RHEL 7 : rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2021:2932)	Nessus	Red Hat Local Security Checks	medium
152132	RHEL 7 : rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon (RHSA-2021:2931)	Nessus	Red Hat Local Security Checks	medium

CVE-2021-33502

high

Tenable Plugins

medium

critical

critical

critical

critical

critical

critical

critical

critical

critical

medium

medium