A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT AUTHORITY\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the "msiexec.exe" process attempts to create the specified path in an unsafe manner, potentially leading to the creation of arbitrary folders in arbitrary locations. The severity of this vulnerability is heightened by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by standard (or "non-privileged") users. Consequently, unprivileged actors, including malicious entities or trojans, can manipulate the environment variable key to deceive the privileged "msiexec.exe" process. This manipulation can result in the creation of folders in unintended and potentially malicious locations. It is important to note that this vulnerability is specific to Windows users who install Node.js using the .msi installer. Users who opt for other installation methods are not affected by this particular issue.

The version of Siemens SINEC NMS installed on the remote host is prior to 2.0.1.0. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA-943925 advisory.

  - coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type     request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload,     aka Content-Type confusion between the WAF and the backend application. This occurs when the web     application relies on only the last Content-Type header. Other platforms may reject the additional     Content-Type header or merge conflicting headers, leading to detection as a malformed header.
    (CVE-2023-38199)

  - Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request     Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of     RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied     request-target (URL) data and is then re-inserted into the proxied request-target using variable     substitution. For example, something like: RewriteEngine on RewriteRule ^/here/(.*)     http://example.com:8080/elsewhere?$1; [P] ProxyPassReverse /here/ http://example.com:8080/ Request     splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended     URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version     2.4.56 of Apache HTTP Server. (CVE-2023-25690)

  - The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json     definition for a given module. This vulnerability affects all users using the experimental policy     mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was     issued, the policy is an experimental feature of Node.js. (CVE-2023-32002)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the Tenable Identity Exposure running on the remote host is prior to 3.42.17. It is, therefore, affected by multiple vulnerabilities as referenced in the TNS-2023-33 advisory.
Tenable Identity Exposure leverages third-party software to help provide underlying functionality. Several of the third-party components (RabbitMQ, libcurl, and nodeJS) were found to contain vulnerabilities, and updated versions have been made available by the providers. Out of caution and in line with best practice, Tenable has opted to upgrade these components to address the potential impact of the issues. Tenable Identity Exposure 3.42.17 updates RabbitMQ to version 3.12.6, libcurl to version 8.4.0 and nodeJS to version 18.18.0 to address the identified vulnerabilities. 

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-608a1417d3 advisory.

  - The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require     modules outside of the policy.json definition. This vulnerability affects all users using the experimental     policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was     issued, the policy is an experimental feature of Node.js (CVE-2023-30581)

  - A vulnerability has been identified in the Node.js (.msi version) installation process, specifically     affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during     the repair operation, where the msiexec.exe process, running under the NT AUTHORITY\SYSTEM context,     attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises     when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the     msiexec.exe process attempts to create the specified path in an unsafe manner, potentially leading to     the creation of arbitrary folders in arbitrary locations. The severity of this vulnerability is heightened     by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by     standard (or non-privileged) users. Consequently, unprivileged actors, including malicious entities or     trojans, can manipulate the environment variable key to deceive the privileged msiexec.exe process. This     manipulation can result in the creation of folders in unintended and potentially malicious locations. It     is important to note that this vulnerability is specific to Windows users who install Node.js using the     .msi installer. Users who opt for other installation methods are not affected by this particular issue.
    (CVE-2023-30585)

  - When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a     non-expect termination occurs making it susceptible to DoS attacks when the attacker could force     interruptions of application processing, as the process terminates when accessing public key info of     provided certificates from user code. The current context of the users will be gone, and that will cause a     DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. (CVE-2023-30588)

  - The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit     HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient     to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence     should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20     (CVE-2023-30589)

  - The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or     outdated) keys, that is, it only generates a private key if none has been set yet, but the function is     also needed to compute the corresponding public key after calling setPrivateKey(). However, the     documentation says this API call: Generates private and public Diffie-Hellman key values. The documented     behavior is very different from the actual behavior, and this difference could easily lead to security     issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-     level security, implications are consequently broad. (CVE-2023-30590)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-61e40652be advisory.

  - The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require     modules outside of the policy.json definition. This vulnerability affects all users using the experimental     policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was     issued, the policy is an experimental feature of Node.js (CVE-2023-30581)

  - A vulnerability has been identified in the Node.js (.msi version) installation process, specifically     affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during     the repair operation, where the msiexec.exe process, running under the NT AUTHORITY\SYSTEM context,     attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises     when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the     msiexec.exe process attempts to create the specified path in an unsafe manner, potentially leading to     the creation of arbitrary folders in arbitrary locations. The severity of this vulnerability is heightened     by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by     standard (or non-privileged) users. Consequently, unprivileged actors, including malicious entities or     trojans, can manipulate the environment variable key to deceive the privileged msiexec.exe process. This     manipulation can result in the creation of folders in unintended and potentially malicious locations. It     is important to note that this vulnerability is specific to Windows users who install Node.js using the     .msi installer. Users who opt for other installation methods are not affected by this particular issue.
    (CVE-2023-30585)

  - When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a     non-expect termination occurs making it susceptible to DoS attacks when the attacker could force     interruptions of application processing, as the process terminates when accessing public key info of     provided certificates from user code. The current context of the users will be gone, and that will cause a     DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. (CVE-2023-30588)

  - The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit     HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient     to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence     should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20     (CVE-2023-30589)

  - The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or     outdated) keys, that is, it only generates a private key if none has been set yet, but the function is     also needed to compute the corresponding public key after calling setPrivateKey(). However, the     documentation says this API call: Generates private and public Diffie-Hellman key values. The documented     behavior is very different from the actual behavior, and this difference could easily lead to security     issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-     level security, implications are consequently broad. (CVE-2023-30590)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-cdddce304a advisory.

  - The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require     modules outside of the policy.json definition. This vulnerability affects all users using the experimental     policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was     issued, the policy is an experimental feature of Node.js (CVE-2023-30581)

  - A vulnerability has been identified in the Node.js (.msi version) installation process, specifically     affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during     the repair operation, where the msiexec.exe process, running under the NT AUTHORITY\SYSTEM context,     attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises     when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the     msiexec.exe process attempts to create the specified path in an unsafe manner, potentially leading to     the creation of arbitrary folders in arbitrary locations. The severity of this vulnerability is heightened     by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by     standard (or non-privileged) users. Consequently, unprivileged actors, including malicious entities or     trojans, can manipulate the environment variable key to deceive the privileged msiexec.exe process. This     manipulation can result in the creation of folders in unintended and potentially malicious locations. It     is important to note that this vulnerability is specific to Windows users who install Node.js using the     .msi installer. Users who opt for other installation methods are not affected by this particular issue.
    (CVE-2023-30585)

  - When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a     non-expect termination occurs making it susceptible to DoS attacks when the attacker could force     interruptions of application processing, as the process terminates when accessing public key info of     provided certificates from user code. The current context of the users will be gone, and that will cause a     DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. (CVE-2023-30588)

  - The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit     HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient     to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence     should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20     (CVE-2023-30589)

  - The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or     outdated) keys, that is, it only generates a private key if none has been set yet, but the function is     also needed to compute the corresponding public key after calling setPrivateKey(). However, the     documentation says this API call: Generates private and public Diffie-Hellman key values. The documented     behavior is very different from the actual behavior, and this difference could easily lead to security     issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-     level security, implications are consequently broad. (CVE-2023-30590)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-6b866fbe84 advisory.

  - The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require     modules outside of the policy.json definition. This vulnerability affects all users using the experimental     policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was     issued, the policy is an experimental feature of Node.js (CVE-2023-30581)

  - A vulnerability has been identified in the Node.js (.msi version) installation process, specifically     affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during     the repair operation, where the msiexec.exe process, running under the NT AUTHORITY\SYSTEM context,     attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises     when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the     msiexec.exe process attempts to create the specified path in an unsafe manner, potentially leading to     the creation of arbitrary folders in arbitrary locations. The severity of this vulnerability is heightened     by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by     standard (or non-privileged) users. Consequently, unprivileged actors, including malicious entities or     trojans, can manipulate the environment variable key to deceive the privileged msiexec.exe process. This     manipulation can result in the creation of folders in unintended and potentially malicious locations. It     is important to note that this vulnerability is specific to Windows users who install Node.js using the     .msi installer. Users who opt for other installation methods are not affected by this particular issue.
    (CVE-2023-30585)

  - When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a     non-expect termination occurs making it susceptible to DoS attacks when the attacker could force     interruptions of application processing, as the process terminates when accessing public key info of     provided certificates from user code. The current context of the users will be gone, and that will cause a     DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. (CVE-2023-30588)

  - The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit     HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient     to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence     should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20     (CVE-2023-30589)

  - The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or     outdated) keys, that is, it only generates a private key if none has been set yet, but the function is     also needed to compute the corresponding public key after calling setPrivateKey(). However, the     documentation says this API call: Generates private and public Diffie-Hellman key values. The documented     behavior is very different from the actual behavior, and this difference could easily lead to security     issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-     level security, implications are consequently broad. (CVE-2023-30590)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2861-1 advisory.

  - The vulnerability exists due to the use of proto in process.mainModule.proto.require(). This allows to     bypass the policy mechanism and require modules outside of the policy.json definition. (CVE-2023-30581)

  - The vulnerability exists due to the way Node.js (.msi version) installation process handles a missing     %USERPROFILE% environment variable. If the variable is not set, the .msi installer will try to include a     current working directory into the search path and will libraries in an unsafe manner. A local user can     place a malicious file on the victim's system and execute arbitrary code with elevated privileges.
    (CVE-2023-30585)

  - The vulnerability exists due to insufficient validation of user-supplied public key within the     crypto.X509Certificate() API. A remote user can pass an invalid public key to the application and perform     a denial of service (DoS) attack. (CVE-2023-30588)

  - The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit     HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient     to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence     should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20     (CVE-2023-30589)

  - The vulnerability exists due to inconsistency between implementation and documented design within the     generateKeys() API function. The documented behavior is different from the actual behavior, and this     difference could lead to security issues in applications that use these APIs as the DiffieHellman may be     used as the basis for application-level security. (CVE-2023-30590)

  - c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build     system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will     downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of     entropy by not using a CSPRNG. This issue was patched in version 1.19.1. (CVE-2023-31124)

  - c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for     certain ipv6 addresses, in particular 0::00:00:00/2 was found to cause an issue. C-ares only uses this     function internally for configuration purposes which would require an administrator to configure such an     address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes     and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1. (CVE-2023-31130)

  - c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares     uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not     seeded by srand() so will generate predictable output. Input from the random number generator is fed into     a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt     is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has     been fixed in version 1.19.1. (CVE-2023-31147)

  - c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target     resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to     the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the     connection. This issue has been patched in version 1.19.1. (CVE-2023-32067)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2669-1 advisory.

  - This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via     malicious request header values sent to a server, when that server reads the cache policy from the request     using this library. (CVE-2022-25881)

  - The vulnerability exists due to the use of proto in process.mainModule.proto.require(). This allows to     bypass the policy mechanism and require modules outside of the policy.json definition. (CVE-2023-30581)

  - The vulnerability exists due to the way Node.js (.msi version) installation process handles a missing     %USERPROFILE% environment variable. If the variable is not set, the .msi installer will try to include a     current working directory into the search path and will libraries in an unsafe manner. A local user can     place a malicious file on the victim's system and execute arbitrary code with elevated privileges.
    (CVE-2023-30585)

  - The vulnerability exists due to insufficient validation of user-supplied public key within the     crypto.X509Certificate() API. A remote user can pass an invalid public key to the application and perform     a denial of service (DoS) attack. (CVE-2023-30588)

  - The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit     HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient     to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence     should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20     (CVE-2023-30589)

  - The vulnerability exists due to inconsistency between implementation and documented design within the     generateKeys() API function. The documented behavior is different from the actual behavior, and this     difference could lead to security issues in applications that use these APIs as the DiffieHellman may be     used as the basis for application-level security. (CVE-2023-30590)

  - c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build     system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will     downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of     entropy by not using a CSPRNG. This issue was patched in version 1.19.1. (CVE-2023-31124)

  - c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for     certain ipv6 addresses, in particular 0::00:00:00/2 was found to cause an issue. C-ares only uses this     function internally for configuration purposes which would require an administrator to configure such an     address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes     and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1. (CVE-2023-31130)

  - c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares     uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not     seeded by srand() so will generate predictable output. Input from the random number generator is fed into     a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt     is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has     been fixed in version 1.19.1. (CVE-2023-31147)

  - c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target     resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to     the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the     connection. This issue has been patched in version 1.19.1. (CVE-2023-32067)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2655-1 advisory.

  - The vulnerability exists due to the use of proto in process.mainModule.proto.require(). This allows to     bypass the policy mechanism and require modules outside of the policy.json definition. (CVE-2023-30581)

  - The vulnerability exists due to the way Node.js (.msi version) installation process handles a missing     %USERPROFILE% environment variable. If the variable is not set, the .msi installer will try to include a     current working directory into the search path and will libraries in an unsafe manner. A local user can     place a malicious file on the victim's system and execute arbitrary code with elevated privileges.
    (CVE-2023-30585)

  - The vulnerability exists due to insufficient validation of user-supplied public key within the     crypto.X509Certificate() API. A remote user can pass an invalid public key to the application and perform     a denial of service (DoS) attack. (CVE-2023-30588)

  - The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit     HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient     to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence     should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20     (CVE-2023-30589)

  - The vulnerability exists due to inconsistency between implementation and documented design within the     generateKeys() API function. The documented behavior is different from the actual behavior, and this     difference could lead to security issues in applications that use these APIs as the DiffieHellman may be     used as the basis for application-level security. (CVE-2023-30590)

  - c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build     system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will     downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of     entropy by not using a CSPRNG. This issue was patched in version 1.19.1. (CVE-2023-31124)

  - c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for     certain ipv6 addresses, in particular 0::00:00:00/2 was found to cause an issue. C-ares only uses this     function internally for configuration purposes which would require an administrator to configure such an     address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes     and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1. (CVE-2023-31130)

  - c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares     uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not     seeded by srand() so will generate predictable output. Input from the random number generator is fed into     a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt     is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has     been fixed in version 1.19.1. (CVE-2023-31147)

  - c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target     resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to     the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the     connection. This issue has been patched in version 1.19.1. (CVE-2023-32067)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2662-1 advisory.

  - This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via     malicious request header values sent to a server, when that server reads the cache policy from the request     using this library. (CVE-2022-25881)

  - The vulnerability exists due to the use of proto in process.mainModule.proto.require(). This allows to     bypass the policy mechanism and require modules outside of the policy.json definition. (CVE-2023-30581)

  - The vulnerability exists due to the way Node.js (.msi version) installation process handles a missing     %USERPROFILE% environment variable. If the variable is not set, the .msi installer will try to include a     current working directory into the search path and will libraries in an unsafe manner. A local user can     place a malicious file on the victim's system and execute arbitrary code with elevated privileges.
    (CVE-2023-30585)

  - The vulnerability exists due to insufficient validation of user-supplied public key within the     crypto.X509Certificate() API. A remote user can pass an invalid public key to the application and perform     a denial of service (DoS) attack. (CVE-2023-30588)

  - The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit     HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient     to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence     should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20     (CVE-2023-30589)

  - The vulnerability exists due to inconsistency between implementation and documented design within the     generateKeys() API function. The documented behavior is different from the actual behavior, and this     difference could lead to security issues in applications that use these APIs as the DiffieHellman may be     used as the basis for application-level security. (CVE-2023-30590)

  - c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build     system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will     downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of     entropy by not using a CSPRNG. This issue was patched in version 1.19.1. (CVE-2023-31124)

  - c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for     certain ipv6 addresses, in particular 0::00:00:00/2 was found to cause an issue. C-ares only uses this     function internally for configuration purposes which would require an administrator to configure such an     address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes     and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1. (CVE-2023-31130)

  - c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares     uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not     seeded by srand() so will generate predictable output. Input from the random number generator is fed into     a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt     is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has     been fixed in version 1.19.1. (CVE-2023-31147)

  - c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target     resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to     the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the     connection. This issue has been patched in version 1.19.1. (CVE-2023-32067)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2663-1 advisory.

  - The vulnerability exists due to the use of proto in process.mainModule.proto.require(). This allows to     bypass the policy mechanism and require modules outside of the policy.json definition. (CVE-2023-30581)

  - The vulnerability exists due to the way Node.js (.msi version) installation process handles a missing     %USERPROFILE% environment variable. If the variable is not set, the .msi installer will try to include a     current working directory into the search path and will libraries in an unsafe manner. A local user can     place a malicious file on the victim's system and execute arbitrary code with elevated privileges.
    (CVE-2023-30585)

  - The vulnerability exists due to insufficient validation of user-supplied public key within the     crypto.X509Certificate() API. A remote user can pass an invalid public key to the application and perform     a denial of service (DoS) attack. (CVE-2023-30588)

  - The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit     HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient     to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence     should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20     (CVE-2023-30589)

  - The vulnerability exists due to inconsistency between implementation and documented design within the     generateKeys() API function. The documented behavior is different from the actual behavior, and this     difference could lead to security issues in applications that use these APIs as the DiffieHellman may be     used as the basis for application-level security. (CVE-2023-30590)

  - c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build     system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will     downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of     entropy by not using a CSPRNG. This issue was patched in version 1.19.1. (CVE-2023-31124)

  - c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for     certain ipv6 addresses, in particular 0::00:00:00/2 was found to cause an issue. C-ares only uses this     function internally for configuration purposes which would require an administrator to configure such an     address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes     and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1. (CVE-2023-31130)

  - c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares     uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not     seeded by srand() so will generate predictable output. Input from the random number generator is fed into     a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt     is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has     been fixed in version 1.19.1. (CVE-2023-31147)

  - c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target     resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to     the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the     connection. This issue has been patched in version 1.19.1. (CVE-2023-32067)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Node.js installed on the remote host is prior to 16.20.1, 18.16.1, 20.3.1. It is, therefore, affected by multiple vulnerabilities as referenced in the Tuesday June 20 2023 Security Releases advisory.

  - The use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules     outside of the policy.json definition. This vulnerability affects all users using the experimental policy     mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was     issued, the policy is an experimental feature of Node.js. Thank you, to Axel Chong for reporting this     vulnerability and thank you Rafael Gonzaga for fixing it. (CVE-2023-30581)

  - A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission     model. This flaw relates to improper handling of path traversal bypass when verifying file permissions.
    This vulnerability affects all users using the experimental permission model in Node.js 20. Please note     that at the time this CVE was issued, the permission model is an experimental feature of Node.js. Thank     you, to Axel Chong for reporting this vulnerability and thank you Rafael Gonzaga for fixing it.
    (CVE-2023-30584)

  - A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-     permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's     ability to create an internal worker with the kIsInternal Symbol, attackers can modify the isInternal     value when an inspector is attached within the Worker constructor before initializing a new WorkerImpl.
    This vulnerability exclusively affects Node.js users employing the permission model mechanism in Node.js     20. Please note that at the time this CVE was issued, the permission model is an experimental feature of     Node.js. Thank you, to mattaustin for reporting this vulnerability and thank you Rafael Gonzaga for fixing     it. (CVE-2023-30587)

  - A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission     model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate     permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious     actors can monitor files that they do not have explicit read access to. This vulnerability affects all     users using the experimental permission model in Node.js 20. Please note that at the time this CVE was     issued, the permission model is an experimental feature of Node.js. Thanks to Colin Ihrig for reporting     this vulnerability and to Rafael Gonzaga for fixing it. (CVE-2023-30582)

  - fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction     with the --allow-fs-read flag in Node.js 20. This flaw arises from a missing check in the fs.openAsBlob()     API. This vulnerability affects all users using the experimental permission model in Node.js 20. Thanks to     Colin Ihrig for reporting this vulnerability and to Rafael Gonzaga for fixing it. Please note that at the     time this CVE was issued, the permission model is an experimental feature of Node.js. (CVE-2023-30583)

  - A vulnerability has been identified in the Node.js (.msi version) installation process, specifically     affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during     the repair operation, where the msiexec.exe process, running under the NT AUTHORITY\SYSTEM context,     attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises     when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the     msiexec.exe process attempts to create the specified path in an unsafe manner, potentially leading to     the creation of arbitrary folders in arbitrary locations. The severity of this vulnerability is heightened     by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by     standard (or non-privileged) users. Consequently, unprivileged actors, including malicious entities or     trojans, can manipulate the environment variable key to deceive the privileged msiexec.exe process. This     manipulation can result in the creation of folders in unintended and potentially malicious locations. It     is important to note that this vulnerability is specific to Windows users who install Node.js using the     .msi installer. Users who opt for other installation methods are not affected by this particular issue.
    This affects all active Node.js versions: v16, v18, and, v20. Thank you, to @sim0nsecurity for reporting     this vulnerability and thank you Tobias Nieen for fixing it. (CVE-2023-30585)

  - Node.js 20 allows loading arbitrary OpenSSL engines when the experimental permission model is enabled,     which can bypass and/or disable the permission model. The crypto.setEngine() API can be used to bypass the     permission model when called with a compatible OpenSSL engine. The OpenSSL engine can, for example,     disable the permission model in the host process by manipulating the process's stack memory to locate the     permission model Permission::enabled_ in the host process's heap memory. This vulnerability affects all     users using the experimental permission model in Node.js 20. Please note that at the time this CVE was     issued, the permission model is an experimental feature of Node.js. Thanks to Tobias Nieen for reporting     this vulnerability and fixing it. (CVE-2023-30586)

  - When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a     non-expect termination occurs making it susceptible to DoS attacks when the attacker could force     interruptions of application processing, as the process terminates when accessing public key info of     provided certificates from user code. The current context of the users will be gone, and that will cause a     DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. Thank you, to     Marc Schnefeld for reporting this vulnerability and thank you Tobias Nieen for fixing it.
    (CVE-2023-30588)

  - The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP     requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to     delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence     should delimit each header-field. This vulnerability impacts all Node.js active versions: v16, v18, and,     v20. Thank you, to Yadhu Krishna M(Team bi0s & CRED Security team) for reporting this vulnerability and     thank you Paolo Insogna for fixing it. (CVE-2023-30589)

  - The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or     outdated) keys, that is, it only generates a private key if none has been set yet. However, the     documentation says this API call: Generates private and public Diffie-Hellman key values. The documented     behavior is different from the actual behavior, and this difference could easily lead to security issues     in applications that use these APIs as the DiffieHellman may be used as the basis for application-level     security. Please note that this is a documentation change an the vulnerability has been classified under     CWE-1068 - Inconsistency Between Implementation and Documented Design. This change applies to all Node.js     active versions: v16, v18, and, v20. Thanks to Ben Smyth for reporting this vulnerability and to Tobias     Nieen for fixing it. (CVE-2023-30590)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
191429	Siemens SINEC NMS < V2.0 SP1 Multiple Vulnerabilities	Nessus	Windows	critical
183963	Tenable Identity Exposure < 3.42.17 Multiple Vulnerabilities (TNS-2023-33)	Nessus	Misc.	critical
178702	Fedora 38 : nodejs16 (2023-608a1417d3)	Nessus	Fedora Local Security Checks	high
178701	Fedora 37 : nodejs16 (2023-61e40652be)	Nessus	Fedora Local Security Checks	high
178699	Fedora 38 : nodejs18 (2023-cdddce304a)	Nessus	Fedora Local Security Checks	high
178462	Fedora 37 : nodejs18 (2023-6b866fbe84)	Nessus	Fedora Local Security Checks	high
178412	SUSE SLES15 Security Update : nodejs16 (SUSE-SU-2023:2861-1)	Nessus	SuSE Local Security Checks	high
177719	SUSE SLES15 / openSUSE 15 Security Update : nodejs18 (SUSE-SU-2023:2669-1)	Nessus	SuSE Local Security Checks	high
177706	SUSE SLES12 Security Update : nodejs16 (SUSE-SU-2023:2655-1)	Nessus	SuSE Local Security Checks	high
177699	SUSE SLES12 Security Update : nodejs18 (SUSE-SU-2023:2662-1)	Nessus	SuSE Local Security Checks	high
177697	SUSE SLES15 / openSUSE 15 Security Update : nodejs16 (SUSE-SU-2023:2663-1)	Nessus	SuSE Local Security Checks	high
177518	Node.js 16.x < 16.20.1 / 18.x < 18.16.1 / 20.x < 20.3.1 Multiple Vulnerabilities (Tuesday June 20 2023 Security Releases).	Nessus	Misc.	high

Detections

Analytics

CVE-2023-30585

high

Tenable Plugins

critical

critical

high

high

high

high

high

high

high

high

high

high