Alpine: multiple nodejs packages: security update to 18.18.2-r0

high Tenable Cloud Security Plugin ID 424242

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the
application can intercept the operation and return a forged checksum to the node's policy implementation,
thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the
experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time
this CVE was issued, the policy mechanism is an experimental feature of Node.js. (CVE-2023-38552)

- Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The
injected code may be able to access data and functions that the WebAssembly module itself does not have
access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability affects
users of any active release line of Node.js. The vulnerable feature is only available if Node.js is
started with the `--experimental-wasm-modules` command line option. (CVE-2023-39333)

- Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already
cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design,
`cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in
browser environments. Since undici handles headers more liberally than the spec, there was a disconnect
from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to
accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection
target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version
5.26.2. There are no known workarounds. (CVE-2023-45143)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-38552

https://security.alpinelinux.org/vuln/CVE-2023-39333

https://security.alpinelinux.org/vuln/CVE-2023-45143

Plugin Details

Severity: High

ID: 424242

Version: Revision 1.18

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2023-38552

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 10/12/2023

Reference Information

CVE: CVE-2023-38552, CVE-2023-39333, CVE-2023-45143