The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3280 advisory.

  - nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

  - nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  - c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672)

  - nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930, CVE-2021-22940)

  - nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931)

  - nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939)

  - nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

  - nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite     (CVE-2021-32803)

  - nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite     (CVE-2021-32804)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

RHEL 7 : rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2021:3280)

critical Nessus Plugin ID 152863

Version 1.12