FreeBSD : Node.js -- August 2021 Security Releases (b092bd4f-1b16-11ec-9d9d-0022489ad614)

critical Nessus Plugin ID 153824

Language:

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Node.js reports : cares upgrade - Improper handling of untypical characters in domain names (High) (CVE-2021-22931) Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js DNS library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. Use after free on close http2 on stream canceling (High) (CVE-2021-22940) Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. The issue is a follow on to CVE-2021-22930 as the issue was not completely resolved in the fix for CVE-2021-22930. Incomplete validation of rejectUnauthorized parameter (Low) (CVE-2021-22939) If the Node.js https API was used incorrectly and 'undefined' was in passed for the 'rejectUnauthorized' parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

Solution

Update the affected packages.

See Also

https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/

http://www.nessus.org/u?4eca43d2

Plugin Details

Severity: Critical

ID: 153824

File Name: freebsd_pkg_b092bd4f1b1611ec9d9d0022489ad614.nasl

Version: 1.2

Type: local

Published: 10/1/2021

Updated: 10/5/2021

Risk Information

CVSS Score Source: CVE-2021-22931

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:node, p-cpe:/a:freebsd:freebsd:node14, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 9/21/2021

Vulnerability Publication Date: 8/11/2021

Reference Information

CVE: CVE-2021-22931, CVE-2021-22939, CVE-2021-22940