The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1742 advisory.

  - glob-parent: Regular Expression Denial of Service (CVE-2021-35065)

  - nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531)

  - nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532)

  - nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533)

  - minimist: prototype pollution (CVE-2021-44906)

  - node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)

  - nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)

  - c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)

  - nodejs: Prototype pollution via console.table properties (CVE-2022-21824)

  - express: qs prototype poisoning causes the hang of the node process (CVE-2022-24999)

  - http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)

  - nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)

  - decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)

  - nodejs: DNS rebinding in inspect via invalid octal IP address (CVE-2022-43548)

  - Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)

  - Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

RHEL 8 : nodejs:14 (RHSA-2023:1742)

critical Nessus Plugin ID 174178

Version 1.4

Version 1.3

Version 1.2

Version 1.2

Version 1.1

Version 1.0

Version 1.4 Apr 28, 2024, 2:25 PM Detection (updated detection logic) Plugin metadata Plugin Feed: 202404281425
Version 1.3 Jan 26, 2024, 11:18 PM Detection (updated detection logic) Plugin Feed: 202401262318
Version 1.2 May 24, 2023, 8:43 PM Logic Changes (Added support for ppc64le architecture) Plugin Feed: 202305242043
Version 1.2 Jan 26, 2024, 9:00 PM Detection (updated detection logic) Plugin Feed: 202401262100
Version 1.1 Apr 19, 2023, 4:23 PM Exploit attributes ("Exploit available" set to "True". "Exploit available" set to "True". "Exploit available" set to "True". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available") CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C". "CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C". "CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") Plugin Feed: 202304191623
Version 1.0 Apr 13, 2023, 12:04 AM New Plugin Feed: 202304130004