Alpine: nodejs: security update to 18.12.0-r0 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 409878

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint
checking. Note that this occurs after certificate chain signature verification and requires either a CA to
have signed the malicious certificate or for the application to continue certificate verification despite
failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to
overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash
(causing a denial of service) or potentially remote code execution. Many platforms implement stack
overflow protections which would mitigate against the risk of remote code execution. The risk may be
further mitigated based on stack layout for any given platform/compiler. Pre-announcements of
CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors
described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new
version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server.
In a TLS server, this can be triggered if the server requests client authentication and a malicious client
connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6). (CVE-2022-3602)

- A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint
checking. Note that this occurs after certificate chain signature verification and requires either a CA to
have signed a malicious certificate or for an application to continue certificate verification despite
failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a
certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the
stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this
can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server
requests client authentication and a malicious client connects. (CVE-2022-3786)

- A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due
to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly
check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this
issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is
to complete the fix. (CVE-2022-43548)

See Also

https://git.alpinelinux.org/aports/commit/?id=5b6b29361ae9089fe9262e149d78c401d07e1489

https://git.alpinelinux.org/aports/commit/?id=cb5fff7e164429072d360d51726c8ea4e0dc974c

Plugin Details

Severity: High

ID: 409878

Version: Revision 1.43

Type: Local

Published: 11/5/2022

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.27

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-43548

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/5/2022

Vulnerability Publication Date: 10/27/2022

Reference Information

CVE: CVE-2022-3602, CVE-2022-3786, CVE-2022-43548