nodejs:14 nodejs-nodemon-2.0.20-2.module+el8+1579+35966ec0, nodejs-packaging-23-3.module+el8+1579+35966ec0, nodejs-14.21.1-2.module+el8+1579+35966ec0

Errata ID: AXSA:2023-4653:01

Release date: 
Tuesday, January 10, 2023 - 23:46
Subject: 
nodejs:14 nodejs-nodemon-2.0.20-2.module+el8+1579+35966ec0, nodejs-packaging-23-3.module+el8+1579+35966ec0, nodejs-14.21.1-2.module+el8+1579+35966ec0
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (14.21.1), nodejs-nodemon (2.0.20).

Security Fix(es):

* minimist: prototype pollution (CVE-2021-44906)
* node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)
* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
* express: "qs" prototype poisoning causes the hang of the node process (CVE-2022-24999)
* nodejs: DNS rebinding in inspect via invalid octal IP address (CVE-2022-43548)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2021-44906
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
CVE-2022-0235
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-24999
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
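The description above explains that the hang is triggered by a prototype-sensitive key (`__proto__`) arriving inside a bracketed query-string path. Upgrading qs/Express is the fix; as an added defensive illustration (not code from the advisory, from qs, or from Express), the following pre-check decodes each query-string key, splits its bracket path into segments, and rejects the request before a nested-object parser ever sees a segment named `__proto__`, `constructor` or `prototype`. The `rejectPrototypeKeys` middleware shape and the `req.url`/`res` handling are assumed Express-style conventions; Express itself is not imported.

```javascript
// Added example: a defensive pre-check for Express-style bracketed query strings.
// Not part of the advisory, qs, or Express; the middleware signature is assumed.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a[b][c]" into ["a", "b", "c"]; a bare "a" yields ["a"].
function keySegments(rawKey) {
  const segments = [rawKey.match(/^[^[]*/)[0]];
  const bracket = /\[([^\]]*)\]/g;
  let m;
  while ((m = bracket.exec(rawKey)) !== null) segments.push(m[1]);
  return segments;
}

// Decode one percent-encoded component; malformed sequences fall back to raw text
// so that an undecodable key is still inspected rather than silently skipped.
function decode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch {
    return s;
  }
}

// Inspect a raw query string (the part after "?").
// Returns { ok: true, pairs: [[key, value], ...] } when every key path is safe,
// or { ok: false, reason } naming the first prototype-sensitive segment found.
function checkQueryString(qs) {
  const pairs = [];
  for (const part of qs.split('&')) {
    if (part === '') continue;
    const eq = part.indexOf('=');
    const key = decode(eq === -1 ? part : part.slice(0, eq));
    const value = decode(eq === -1 ? '' : part.slice(eq + 1));
    for (const seg of keySegments(key)) {
      if (FORBIDDEN_SEGMENTS.has(seg)) {
        return { ok: false, reason: `prototype-sensitive segment "${seg}" in key "${key}"` };
      }
    }
    pairs.push([key, value]);
  }
  return { ok: true, pairs };
}

// Hypothetical Express-style middleware: answer 400 before the query parser runs.
function rejectPrototypeKeys(req, res, next) {
  const idx = req.url.indexOf('?');
  const result = checkQueryString(idx === -1 ? '' : req.url.slice(idx + 1));
  if (!result.ok) {
    res.statusCode = 400;
    res.end('Bad query string');
    return;
  }
  next();
}
```

Keys are decoded before they are split, so a percent-encoded variant such as `x%5B__proto__%5D=1` is caught as well as the literal form; the check is a belt-and-braces control for the window before the fixed packages are deployed, not a substitute for the upgrade.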
CVE-2022-3517
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
CVE-2022-43548
An OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests, allowing rebinding attacks. The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.

Modularity name: nodejs
Stream name: 14

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-2.0.20-2.module+el8+1579+35966ec0.src.rpm
    MD5: ee02815ab6b98ce9a59f1337116aa039
    SHA-256: ed273612845123a32db918a69e575838353bc3c5629273ba1134d57023c11784
    Size: 341.40 kB
  2. nodejs-packaging-23-3.module+el8+1579+35966ec0.src.rpm
    MD5: 28037aa1417be3e4d97f2135c1825d11
    SHA-256: 50aef9b9f60a93c6a45ff1bc294398cbff5dbd38c1628711b6094e127f37fa22
    Size: 26.54 kB
  3. nodejs-14.21.1-2.module+el8+1579+35966ec0.src.rpm
    MD5: 32219e88daca2502c66d79cd14d61f72
    SHA-256: f08a510bfd410b4ce864467f5deec17c32a0c561322e111a97b182f94ce2c19f
    Size: 68.65 MB

Asianux Server 8 for x86_64
  1. nodejs-nodemon-2.0.20-2.module+el8+1579+35966ec0.noarch.rpm
    MD5: 3a7c253bd46f72591d32cf80cf5c7187
    SHA-256: 16328d7c2751d1c4b53f323a76cd7ea56655a5cd028ce01125f41f18eb9380f6
    Size: 274.47 kB
  2. nodejs-packaging-23-3.module+el8+1579+35966ec0.noarch.rpm
    MD5: 7d8de57ec11d517db6218bd93aab8879
    SHA-256: 84a7fe14b65a791f7c3e3ca37d1bb25ec7e37dde650f19b036e23009c889085e
    Size: 22.98 kB
  3. nodejs-14.21.1-2.module+el8+1579+35966ec0.x86_64.rpm
    MD5: 0b6d9514a320c5209eac5df84e89f588
    SHA-256: 3ee31968e4156bcd5ab4ba42b3caa00fef030499c2ff6e03096459ae5e16638a
    Size: 10.84 MB
  4. nodejs-debugsource-14.21.1-2.module+el8+1579+35966ec0.x86_64.rpm
    MD5: 90e2528a885952b07e27c9987d92cf3e
    SHA-256: 55cd241158f09efd21dfe5c7ac62a540170aec93804219a1e498067ba3be5e79
    Size: 11.06 MB
  5. nodejs-devel-14.21.1-2.module+el8+1579+35966ec0.x86_64.rpm
    MD5: 3ea596e111e42e78c8772f37af593e65
    SHA-256: ecd955d026b4c070b7a7324ed7b1642e52ea870a0632c6bd822944667c1c69bd
    Size: 205.08 kB
  6. nodejs-docs-14.21.1-2.module+el8+1579+35966ec0.noarch.rpm
    MD5: 9d45ce6fb82b040243c141ba654d1f2a
    SHA-256: 057e5933ec6e2840c0c76c0da4563315215ad2ee6ca9371c2960efa372cf571f
    Size: 8.37 MB
  7. nodejs-full-i18n-14.21.1-2.module+el8+1579+35966ec0.x86_64.rpm
    MD5: cbfcbd82ebbf8f6a47553849f58c69ee
    SHA-256: fa90636c1b6c70477ab649b7e789edbf1cce7ede2166be4302e03ea20651f9f3
    Size: 7.85 MB
  8. npm-6.14.17-1.14.21.1.2.module+el8+1579+35966ec0.x86_64.rpm
    MD5: d4033237eaaf14c0149f3081e55d8d69
    SHA-256: 0a338ea0c469c1ff19c85094796179fea98d5dc4d6679d8655eef6eac3a27ea3
    Size: 3.66 MB