Alpine: multiple nodejs-current packages: security update to 11.3.0-r0

medium Tenable Self-Hosted Container Security Plugin ID 405837

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An
attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a
(Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected
1.0.2-1.0.2p). (CVE-2018-0734)

- The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An
attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j
(Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1). (CVE-2018-0735)

- Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large
HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per
connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to
abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other
proxy layer. (CVE-2018-12121)

- Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of
Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or
HTTPS connections and associated resources alive for a long period of time. (CVE-2018-12122)

- Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser
for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that
hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols
are not affected). If security decisions are made about the URL based on the hostname, they may be
incorrect. (CVE-2018-12123)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-0734

https://security.alpinelinux.org/vuln/CVE-2018-0735

https://security.alpinelinux.org/vuln/CVE-2018-12121

https://security.alpinelinux.org/vuln/CVE-2018-12122

https://security.alpinelinux.org/vuln/CVE-2018-12123

Plugin Details

Severity: Medium

ID: 405837

Version: Revision 1.34

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2018-12123

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2018-0735

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 10/29/2018

Reference Information

CVE: CVE-2018-0734, CVE-2018-0735, CVE-2018-12121, CVE-2018-12122, CVE-2018-12123

BID: 105750, 105758, 106043, 107512