qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:0050 advisory.

  - Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
    (CVE-2021-44906)

  - node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor (CVE-2022-0235)

  - qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node     process hang for an Express application because an __ proto__ key can be used. In many typical Express use     cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that     is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was     backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3,     which has deps: qs@6.9.7 in its release description, is not vulnerable). (CVE-2022-24999)

  - A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of     Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of     Service. (CVE-2022-3517)

  - A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due     to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly     check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this     issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is     to complete the fix. (CVE-2022-43548)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of IBM Cognos Analytics installed on the remote host is 11.1.x prior to 11.1.7 Fix Pack 7 or 11.2.x prior to 11.2.4 FP2. It is, therefore, affected by multiple vulnerabilities, including the following:

  - netplex json-smart-v2 is vulnerable to a denial of service, caused by not limiting the nesting of arrays   or objects. By sending a specially crafted input, a remote attacker could exploit this vulnerability to   cause a stack exhaustion and crash the software. (CVE-2023-1370)

  - Express.js Express is vulnerable to a denial of service, caused by a prototype pollution flaw in qs. By   adding or modifying properties of Object.prototype using a __proto__ or constructor payload, a remote   attacker could exploit this vulnerability to cause a denial of service condition. (CVE-2022-24999)

  - IBM Cognos Analytics is vulnerable to stored cross-site scripting, caused by improper validation of SVG   Files in Custom Visualizations. A remote attacker could exploit this vulnerability to execute scripts in a   victim's Web browser within the security context of the hosting Web site. An attacker could use this   vulnerability to steal the victim's cookie-based authentication credentials. (CVE-2023-28530)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1742 advisory.

  - glob-parent: Regular Expression Denial of Service (CVE-2021-35065)

  - nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531)

  - nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532)

  - nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533)

  - minimist: prototype pollution (CVE-2021-44906)

  - node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)

  - nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)

  - c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)

  - nodejs: Prototype pollution via console.table properties (CVE-2022-21824)

  - express: qs prototype poisoning causes the hang of the node process (CVE-2022-24999)

  - http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)

  - nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)

  - decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)

  - nodejs: DNS rebinding in inspect via invalid octal IP address (CVE-2022-43548)

  - Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)

  - Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1533 advisory.

  - glob-parent: Regular Expression Denial of Service (CVE-2021-35065)

  - minimist: prototype pollution (CVE-2021-44906)

  - nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)

  - c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)

  - express: qs prototype poisoning causes the hang of the node process (CVE-2022-24999)

  - http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)

  - nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)

  - decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)

  - nodejs: DNS rebinding in inspect via invalid octal IP address (CVE-2022-43548)

  - Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)

  - Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0612 advisory.

  - glob-parent: Regular Expression Denial of Service (CVE-2021-35065)

  - minimist: prototype pollution (CVE-2021-44906)

  - node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)

  - nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)

  - express: qs prototype poisoning causes the hang of the node process (CVE-2022-24999)

  - nodejs: DNS rebinding in inspect via invalid octal IP address (CVE-2022-43548)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by a vulnerability as referenced in the dla-3299 advisory.

  - qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node     process hang for an Express application because an __ proto__ key can be used. In many typical Express use     cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that     is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was     backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3,     which has deps: qs@6.9.7 in its release description, is not vulnerable). (CVE-2022-24999)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2023:0050 advisory.

  - Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
    (CVE-2021-44906)

  - node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor (CVE-2022-0235)

  - A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of     Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of     Service. (CVE-2022-3517)

  - qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node     process hang for an Express application because an __ proto__ key can be used. In many typical Express use     cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that     is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was     backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3,     which has deps: qs@6.9.7 in its release description, is not vulnerable). (CVE-2022-24999)

  - A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due     to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly     check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this     issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is     to complete the fix. (CVE-2022-43548)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-0050 advisory.

  - Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
    (CVE-2021-44906)

  - node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor (CVE-2022-0235)

  - A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of     Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of     Service. (CVE-2022-3517)

  - A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due     to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly     check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this     issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is     to complete the fix. (CVE-2022-43548)

  - qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node     process hang for an Express application because an __ proto__ key can be used. In many typical Express use     cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that     is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was     backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3,     which has deps: qs@6.9.7 in its release description, is not vulnerable). (CVE-2022-24999)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0050 advisory.

  - minimist: prototype pollution (CVE-2021-44906)

  - node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)

  - nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)

  - express: qs prototype poisoning causes the hang of the node process (CVE-2022-24999)

  - nodejs: DNS rebinding in inspect via invalid octal IP address (CVE-2022-43548)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2023:0050 advisory.

  - Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
    (CVE-2021-44906)

  - node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor (CVE-2022-0235)

  - qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node     process hang for an Express application because an __ proto__ key can be used. In many typical Express use     cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that     is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was     backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3,     which has deps: qs@6.9.7 in its release description, is not vulnerable). (CVE-2022-24999)

  - A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of     Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of     Service. (CVE-2022-3517)

  - A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due     to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly     check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this     issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is     to complete the fix. (CVE-2022-43548)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
184632	Rocky Linux 8 : nodejs:14 (RLSA-2023:0050)	Nessus	Rocky Linux Local Security Checks	critical
178850	IBM Cognos Analytics Multiple Vulnerabilities (7012621)	Nessus	CGI abuses	medium
174178	RHEL 8 : nodejs:14 (RHSA-2023:1742)	Nessus	Red Hat Local Security Checks	critical
173777	RHEL 8 : nodejs:14 (RHSA-2023:1533)	Nessus	Red Hat Local Security Checks	critical
171023	RHEL 7 : rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2023:0612)	Nessus	Red Hat Local Security Checks	critical
170893	Debian DLA-3299-1 : node-qs - LTS security update	Nessus	Debian Local Security Checks	high
169724	AlmaLinux 8 : nodejs:14 (ALSA-2023:0050)	Nessus	Alma Linux Local Security Checks	critical
169719	Oracle Linux 8 : nodejs:14 (ELSA-2023-0050)	Nessus	Oracle Linux Local Security Checks	critical
169710	RHEL 8 : nodejs:14 (RHSA-2023:0050)	Nessus	Red Hat Local Security Checks	critical
169705	CentOS 8 : nodejs:14 (CESA-2023:0050)	Nessus	CentOS Local Security Checks	critical

Detections

Analytics

CVE-2022-24999

high

Tenable Plugins

critical

medium

critical

critical

critical

high

critical

critical

critical

critical