FreeBSD : Node.js -- July 2021 Security Releases (c174118e-1b11-11ec-9d9d-0022489ad614)

high Nessus Plugin ID 153822

Language:

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Node.js reports : libuv upgrade - Out of bounds read (Medium) (CVE-2021-22918) Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes. Windows installer - Node Installer Local Privilege Escalation (Medium) (CVE-2021-22921) Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking. npm upgrade - ssri Regular Expression Denial of Service (ReDoS) (High) (CVE-2021-27290) This is a vulnerability in the ssri npm module which may be vulnerable to denial of service attacks. npm upgrade - hosted-git-info Regular Expression Denial of Service (ReDoS) (Medium) (CVE-2021-23362) This is a vulnerability in the hosted-git-info npm module which may be vulnerable to denial of service attacks.

Solution

Update the affected packages.

See Also

https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/

http://www.nessus.org/u?bad625d3

Plugin Details

Severity: High

ID: 153822

File Name: freebsd_pkg_c174118e1b1111ec9d9d0022489ad614.nasl

Version: 1.3

Type: local

Published: 10/1/2021

Updated: 5/9/2022

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2021-22918

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

CVSS Score Source: CVE-2021-22921

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:node, p-cpe:/a:freebsd:freebsd:node14, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 9/21/2021

Vulnerability Publication Date: 7/1/2021

Reference Information

CVE: CVE-2021-22918, CVE-2021-22921, CVE-2021-23362, CVE-2021-27290