Alpine: nodejs: security update to 8.9.3-r0

critical Tenable Self-Hosted Container Security Plugin ID 405835

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS
handshake failure. The result was that an active network attacker could send application data to Node.js
using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption. (CVE-2017-15896)

- Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for
the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not
correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be
initialized to all zeros in these cases. (CVE-2017-15897)

See Also

https://security.alpinelinux.org/vuln/CVE-2017-15896

https://security.alpinelinux.org/vuln/CVE-2017-15897

Plugin Details

Severity: Critical

ID: 405835

Version: Revision 1.28

Type: Local

Published: 10/31/2023

Updated: 9/11/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2017-15896

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 12/8/2017

Reference Information

CVE: CVE-2017-15896, CVE-2017-15897