Alpine: multiple nodejs-current packages: security update to 9.10.0-r0

high Tenable Cloud Security Plugin ID 405852

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of
service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability
only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'`
module for the various path parsing functions, including `path.dirname()`, `path.extname()` and
`path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed
through one of these functions, could take a significant amount of time to evaluate, potentially leading
to a full denial of service. (CVE-2018-7158)

- The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing
input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification
does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into
line on this particular difference. The security risk of this flaw to Node.js users is considered to be
VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a
way that could not already be achieved by supplying an incorrect value for `Content-Length`.
Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of
this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP
utilities are advised to re-check the length of any input supplied after parsing is complete.
(CVE-2018-7159)

- The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited
to perform remote code execution. An attack is possible from malicious websites open in a web browser on
the same computer, or another computer with network access to the computer running the Node.js process. A
malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy
checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process
with the debug port active is running on localhost or on a host on the local network, the malicious
website could connect to it as a debugger, and get full code execution access. (CVE-2018-7160)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-7158

https://security.alpinelinux.org/vuln/CVE-2018-7159

https://security.alpinelinux.org/vuln/CVE-2018-7160

Plugin Details

Severity: High

ID: 405852

Version: Revision 1.26

Type: Local

Published: 10/31/2023

Updated: 12/4/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-7160

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 3/21/2018

Reference Information

CVE: CVE-2018-7158, CVE-2018-7159, CVE-2018-7160