decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched.

  - decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)

Note that Nessus has not tested for this issue but has instead relied on the package manager's report that the package is installed.

The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2023-6316 advisory.

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-e4cb7a5bda advisory.

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2023:6316 advisory.

  - decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-b86fd9ad80 advisory.

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-ae96dd6105 advisory.

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of IBM Cognos Analytics installed on the remote host is 11.1.x prior to 11.1.7 Fix Pack 7 or 11.2.x prior to 11.2.4 FP1. It is, therefore, affected by multiple vulnerabilities, including the following:

  - GNOME libxml2 could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free     flaw in the xmlXIncludeDoProcess() function in xinclude.c. By sending a specially-crafted file, an attacker could     exploit this vulnerability to execute arbitrary code on the system. (CVE-2021-3518)

  - Node.js could allow a local attacker to gain elevated privileges on the system, caused by the DLL search order     hijacking of providers.dll. By placing a specially crafted file, an attacker could exploit this vulnerability     to escalate privileges. (CVE-2022-32223)

  - Node.js marked module is vulnerable to a denial of service, caused by a regular expression denial of service     (ReDoS) flaw in inline.reflinkSearch. By sending a specially-crafted regex input, a remote attacker could exploit     this vulnerability to cause a denial of service condition. (CVE-2022-21681)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:1743 advisory.

  - The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service)     attacks against the enclosure regular expression. (CVE-2021-35065)

  - This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via     malicious request header values sent to a server, when that server reads the cache policy from the request     using this library. (CVE-2022-25881)

  - A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of     Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of     Service. (CVE-2022-3517)

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the     input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of     service or a limited impact on confidentiality and integrity. (CVE-2022-4904)

  - A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made     it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in     Node.js and access non authorized modules by using process.mainModule.require(). This only affects users     who had enabled the experimental permissions option with --experimental-policy. (CVE-2023-23918)

  - An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that     could allow an attacker to search and potentially load ICU data when running with elevated privileges.
    (CVE-2023-23920)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2023:1743 advisory.

  - The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service)     attacks against the enclosure regular expression. (CVE-2021-35065)

  - This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via     malicious request header values sent to a server, when that server reads the cache policy from the request     using this library. (CVE-2022-25881)

  - A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of     Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of     Service. (CVE-2022-3517)

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the     input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of     service or a limited impact on confidentiality and integrity. (CVE-2022-4904)

  - A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made     it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in     Node.js and access non authorized modules by using process.mainModule.require(). This only affects users     who had enabled the experimental permissions option with --experimental-policy. (CVE-2023-23918)

  - An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that     could allow an attacker to search and potentially load ICU data when running with elevated privileges.
    (CVE-2023-23920)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-1743 advisory.

  - A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of     Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of     Service. (CVE-2022-3517)

  - A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the     input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of     service or a limited impact on confidentiality and integrity. (CVE-2022-4904)

  - The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service)     attacks against the enclosure regular expression. (CVE-2021-35065)

  - An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that     could allow an attacker to search and potentially load ICU data when running with elevated privileges.
    (CVE-2023-23920)

  - This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via     malicious request header values sent to a server, when that server reads the cache policy from the request     using this library. (CVE-2022-25881)

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made     it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in     Node.js and access non authorized modules by using process.mainModule.require(). This only affects users     who had enabled the experimental permissions option with --experimental-policy. (CVE-2023-23918)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1743 advisory.

  - glob-parent: Regular Expression Denial of Service (CVE-2021-35065)

  - nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)

  - c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)

  - http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)

  - decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)

  - Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)

  - Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1744 advisory.

  - c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)

  - http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)

  - decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)

  - Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)

  - Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1742 advisory.

  - glob-parent: Regular Expression Denial of Service (CVE-2021-35065)

  - nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531)

  - nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532)

  - nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533)

  - minimist: prototype pollution (CVE-2021-44906)

  - node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)

  - nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)

  - c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)

  - nodejs: Prototype pollution via console.table properties (CVE-2022-21824)

  - express: qs prototype poisoning causes the hang of the node process (CVE-2022-24999)

  - http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)

  - nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)

  - decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)

  - nodejs: DNS rebinding in inspect via invalid octal IP address (CVE-2022-43548)

  - Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)

  - Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1533 advisory.

  - glob-parent: Regular Expression Denial of Service (CVE-2021-35065)

  - minimist: prototype pollution (CVE-2021-44906)

  - nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)

  - c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)

  - express: qs prototype poisoning causes the hang of the node process (CVE-2022-24999)

  - http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)

  - nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)

  - decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)

  - nodejs: DNS rebinding in inspect via invalid octal IP address (CVE-2022-43548)

  - Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)

  - Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-2e38c3756f advisory.

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in     interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
    (CVE-2022-37603)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 36 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-a4f0b29f6c advisory.

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in     interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
    (CVE-2022-37603)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-86d75130fe advisory.

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in     interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
    (CVE-2022-37603)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
196254	RHEL 6 : decode-uri-component (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
185845	Oracle Linux 9 : pcs / (LOW) (ELSA-2023-6316)	Nessus	Oracle Linux Local Security Checks	high
185245	Fedora 39 : pcs (2023-e4cb7a5bda)	Nessus	Fedora Local Security Checks	high
185088	RHEL 9 : pcs (RHSA-2023:6316)	Nessus	Red Hat Local Security Checks	high
177855	Fedora 38 : pcs (2023-b86fd9ad80)	Nessus	Fedora Local Security Checks	high
177852	Fedora 37 : pcs (2023-ae96dd6105)	Nessus	Fedora Local Security Checks	high
175429	IBM Cognos Analytics Multiple Vulnerabilities (6986505)	Nessus	CGI abuses	critical
174795	Rocky Linux 8 : nodejs:14 (RLSA-2023:1743)	Nessus	Rocky Linux Local Security Checks	high
174251	CentOS 8 : nodejs:14 (CESA-2023:1743)	Nessus	CentOS Local Security Checks	high
174231	Oracle Linux 8 : nodejs:14 (ELSA-2023-1743)	Nessus	Oracle Linux Local Security Checks	high
174181	RHEL 8 : nodejs:14 (RHSA-2023:1743)	Nessus	Red Hat Local Security Checks	high
174180	RHEL 7 : rh-nodejs14-nodejs (RHSA-2023:1744)	Nessus	Red Hat Local Security Checks	high
174178	RHEL 8 : nodejs:14 (RHSA-2023:1742)	Nessus	Red Hat Local Security Checks	critical
173777	RHEL 8 : nodejs:14 (RHSA-2023:1533)	Nessus	Red Hat Local Security Checks	critical
173670	Fedora 38 : yarnpkg (2023-2e38c3756f)	Nessus	Fedora Local Security Checks	high
173669	Fedora 36 : yarnpkg (2023-a4f0b29f6c)	Nessus	Fedora Local Security Checks	high
173656	Fedora 37 : yarnpkg (2023-86d75130fe)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2022-38900

high

Tenable Plugins

high

high

high

high

high

high

critical

high

high

high

high

high

critical

critical

high

high

high