Alpine: nodejs: security update to 12.21.0-r0

high Tenable Self-Hosted Container Security Plugin ID 405795

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too
many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file
descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept
new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is
configured, then this lead to an excessive memory usage and cause the system to run out of memory.
(CVE-2021-22883)

- Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the
whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary
domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or
can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As
long as the attacker uses the “localhost6” domain, they can still apply the attack described in
CVE-2018-7160. (CVE-2021-22884)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-22883

https://security.alpinelinux.org/vuln/CVE-2021-22884

Plugin Details

Severity: High

ID: 405795

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Temporal Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-22884

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/23/2021

Reference Information

CVE: CVE-2021-22883, CVE-2021-22884