Alpine: nodejs: security update to 8.14.0-r0

high Tenable Cloud Security Plugin ID 405834

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be
convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then
data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the
same server. (CVE-2018-12116)

- Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large
HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per
connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to
abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other
proxy layer. (CVE-2018-12121)

- Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of
Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or
HTTPS connections and associated resources alive for a long period of time. (CVE-2018-12122)

- Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser
for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that
hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols
are not affected). If security decisions are made about the URL based on the hostname, they may be
incorrect. (CVE-2018-12123)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-12116

https://security.alpinelinux.org/vuln/CVE-2018-12121

https://security.alpinelinux.org/vuln/CVE-2018-12122

https://security.alpinelinux.org/vuln/CVE-2018-12123

Plugin Details

Severity: High

ID: 405834

Version: Revision 1.27

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2018-12116

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 11/28/2018

Reference Information

CVE: CVE-2018-12116, CVE-2018-12121, CVE-2018-12122, CVE-2018-12123

BID: 106043, 107512, 107513