Alpine: multiple nodejs packages: security update to 8.11.3-r0

high Tenable Cloud Security Plugin ID 424250

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause
a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be
accomplished by interacting with the http2 server in a manner that triggers a cleanup bug where objects
are used in native code after they are no longer available. This has been addressed by updating the http2
implementation. (CVE-2018-7161)

- Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a
Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and
Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of
Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulnerable. All versions of Node.js 10.x
(Current) are NOT vulnerable. (CVE-2018-7167)

- nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20
vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service.
This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in
>= 1.31.1. (CVE-2018-1000168)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-1000168

https://security.alpinelinux.org/vuln/CVE-2018-7161

https://security.alpinelinux.org/vuln/CVE-2018-7167

Plugin Details

Severity: High

ID: 424250

Version: Revision 1.10

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2018-7161

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2018-7167

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 4/12/2018

Reference Information

CVE: CVE-2018-1000168, CVE-2018-7161, CVE-2018-7167

BID: 103952, 106363