The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3618 advisory.

  - Babel is a compiler for writingJavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4     and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an     attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the     `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are     `@babel/plugin-transform-runtime`; `@babel/preset-env` when using its `useBuiltIns` option; and any     polyfill provider plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-     plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-     plugin-polyfill-regenerator`. No other plugins under the `@babel/` namespace are impacted, but third-party     plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed     in `@babel/traverse@7.23.2` and `@babel/traverse@8.0.0-alpha.4`. Those who cannot upgrade     `@babel/traverse` and are using one of the affected packages mentioned above should upgrade them to their     latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions:
    `@babel/plugin-transform-runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-define-polyfill-     provider` v0.4.3, `babel-plugin-polyfill-corejs2` v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-     plugin-polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator` v0.5.3. (CVE-2023-45133)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Detections

Analytics

Debian DLA-3618-1 : node-babel - LTS security update

high Nessus Plugin ID 183490

Version 1.2

Version 1.1

Version 1.0

Version 1.2 Oct 25, 2023, 5:17 PM CVSS metrics ("CVSSv2 score" changed from 7.5 to 6.8. "CVSSv2 vector" changed from "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P" to "CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C". "CVSSv3 score" changed from 9.8 to 8.8. "CVSSv3 vector" changed from "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" to "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H") CVSSv2 severity (based on CVE-2023-45133, severity decreased from "High" to "Medium") Exploit attributes ("Exploit available" set to "False") Plugin Feed: 202310251717
Version 1.1 Oct 23, 2023, 4:39 PM CVSS metrics ("CVSSv2 score" changed from 7.2 to 7.5. "CVSSv3 vector" changed from "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" to "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H". "CVSSv2 vector" changed from "CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C" to "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P". "CVSSv3 score" changed from 9.3 to 9.8) Plugin Feed: 202310231639
Version 1.0 Oct 20, 2023, 3:51 PM New Plugin Feed: 202310201551