Alpine: multiple nodejs-current packages: security update to 20.8.1-r0

critical Tenable Self-Hosted Container Security Plugin ID 427206

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the
application can intercept the operation and return a forged checksum to the node's policy implementation,
thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the
experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time
this CVE was issued, the policy mechanism is an experimental feature of Node.js. (CVE-2023-38552)

- A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The
new path traversal vulnerability arises because the implementation does not protect itself against the
application overwriting built-in utility functions with user-defined implementations. Please note that at
the time this CVE was issued, the permission model is an experimental feature of Node.js. (CVE-2023-39331)

- Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js
environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through
strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer`
`Uint8Array` objects. This is distinct from CVE-2023-32004 which only referred to `Buffer` objects.
However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`. Please note
that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
(CVE-2023-39332)

- Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The
injected code may be able to access data and functions that the WebAssembly module itself does not have
access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability affects
users of any active release line of Node.js. The vulnerable feature is only available if Node.js is
started with the `--experimental-wasm-modules` command line option. (CVE-2023-39333)

- Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already
cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design,
`cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in
browser environments. Since undici handles headers more liberally than the spec, there was a disconnect
from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to
accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection
target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version
5.26.2. There are no known workarounds. (CVE-2023-45143)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-38552

https://security.alpinelinux.org/vuln/CVE-2023-39331

https://security.alpinelinux.org/vuln/CVE-2023-39332

https://security.alpinelinux.org/vuln/CVE-2023-39333

https://security.alpinelinux.org/vuln/CVE-2023-45143

Plugin Details

Severity: Critical

ID: 427206

Version: Revision 1.5

Type: Local

Published: 5/16/2025

Updated: 11/7/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-39332

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 10/12/2023

Reference Information

CVE: CVE-2023-38552, CVE-2023-39331, CVE-2023-39332, CVE-2023-39333, CVE-2023-45143