Alpine: nodejs: security update to 0

critical Tenable Cloud Security Plugin ID 405783

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs
could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js
versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server.
Deployments on Vercel are not affected, along with similar environments where invalid requests are
filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue.
(CVE-2021-43803)

- A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an
insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check
if an IP address is invalid before making DBS requests allowing rebinding attacks. (CVE-2022-32212)

- Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows
platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows
machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.Whenever
the above conditions are present, `node.exe` will search for `providers.dll` in the current user
directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in
Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of
paths and exploit this vulnerability. (CVE-2022-32223)

- The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation
can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-43803

https://security.alpinelinux.org/vuln/CVE-2022-32212

https://security.alpinelinux.org/vuln/CVE-2022-32223

https://security.alpinelinux.org/vuln/CVE-2023-44487

https://security.alpinelinux.org/vuln/CVE-2024-36138

https://security.alpinelinux.org/vuln/CVE-2024-37372

Plugin Details

Severity: Critical

ID: 405783

Version: Revision 1.66

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6

Percentile: 96.7

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2021-43803

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2022-32212

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Threat Score: 9.3

Threat Vector: CVSS:4.0/E:A

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2023-44487

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 12/6/2021

CISA Known Exploited Vulnerability Due Dates: 10/31/2023

Reference Information

CVE: CVE-2021-43803, CVE-2022-32212, CVE-2022-32223, CVE-2023-44487, CVE-2024-36138, CVE-2024-37372