nodejs:14 nodejs-nodemon-2.0.20-2.module+el8+1579+35966ec0, nodejs-packaging-23-3.module+el8+1579+35966ec0, nodejs-14.21.1-2.module+el8+1579+35966ec0
エラータID: AXSA:2023-4653:01
リリース日:
2023/01/10 Tuesday - 23:46
題名:
nodejs:14 nodejs-nodemon-2.0.20-2.module+el8+1579+35966ec0, nodejs-packaging-23-3.module+el8+1579+35966ec0, nodejs-14.21.1-2.module+el8+1579+35966ec0
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- Minimist の index.js ファイルの setKey 関数には、
リモートの攻撃者により、プロトタイプの汚染を可能とする
脆弱性が存在します。(CVE-2021-44906)
- nodejs の node-fetch パッケージには、リモートの
攻撃者により、リダイレクトを介して、情報漏洩を
可能とする脆弱性が存在します。(CVE-2022-0235)
- nodejs の qs モジュールには、__proto__ キーを
利用できてしまう問題があるため、リモートの攻撃者に
より、細工した URL 内のクエリ文字列を介して、
Express アプリケーションのハングアップとこれに起因する
サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2022-24999)
- nodejs の minimatch パッケージには、特定の引数による
braceExpand 関数の呼び出しを介して、正規表現による
サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2022-3517)
- nodejs の IsAllowedHost 関数には IP アドレスが
無効化かどうかを正しく検証しない問題があるため、
リモートの攻撃者による DNS リバインド攻撃を
可能とする脆弱性が存在します。(CVE-2022-43548)
Modularity name: nodejs
Stream name: 14
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2021-44906
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
CVE-2022-24999
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
CVE-2022-3517
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
CVE-2022-43548
A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.
A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.
追加情報:
N/A
ダウンロード:
SRPMS
- nodejs-nodemon-2.0.20-2.module+el8+1579+35966ec0.src.rpm
MD5: ee02815ab6b98ce9a59f1337116aa039
SHA-256: ed273612845123a32db918a69e575838353bc3c5629273ba1134d57023c11784
Size: 341.40 kB - nodejs-packaging-23-3.module+el8+1579+35966ec0.src.rpm
MD5: 28037aa1417be3e4d97f2135c1825d11
SHA-256: 50aef9b9f60a93c6a45ff1bc294398cbff5dbd38c1628711b6094e127f37fa22
Size: 26.54 kB - nodejs-14.21.1-2.module+el8+1579+35966ec0.src.rpm
MD5: 32219e88daca2502c66d79cd14d61f72
SHA-256: f08a510bfd410b4ce864467f5deec17c32a0c561322e111a97b182f94ce2c19f
Size: 68.65 MB
Asianux Server 8 for x86_64
- nodejs-nodemon-2.0.20-2.module+el8+1579+35966ec0.noarch.rpm
MD5: 3a7c253bd46f72591d32cf80cf5c7187
SHA-256: 16328d7c2751d1c4b53f323a76cd7ea56655a5cd028ce01125f41f18eb9380f6
Size: 274.47 kB - nodejs-packaging-23-3.module+el8+1579+35966ec0.noarch.rpm
MD5: 7d8de57ec11d517db6218bd93aab8879
SHA-256: 84a7fe14b65a791f7c3e3ca37d1bb25ec7e37dde650f19b036e23009c889085e
Size: 22.98 kB - nodejs-14.21.1-2.module+el8+1579+35966ec0.x86_64.rpm
MD5: 0b6d9514a320c5209eac5df84e89f588
SHA-256: 3ee31968e4156bcd5ab4ba42b3caa00fef030499c2ff6e03096459ae5e16638a
Size: 10.84 MB - nodejs-debugsource-14.21.1-2.module+el8+1579+35966ec0.x86_64.rpm
MD5: 90e2528a885952b07e27c9987d92cf3e
SHA-256: 55cd241158f09efd21dfe5c7ac62a540170aec93804219a1e498067ba3be5e79
Size: 11.06 MB - nodejs-devel-14.21.1-2.module+el8+1579+35966ec0.x86_64.rpm
MD5: 3ea596e111e42e78c8772f37af593e65
SHA-256: ecd955d026b4c070b7a7324ed7b1642e52ea870a0632c6bd822944667c1c69bd
Size: 205.08 kB - nodejs-docs-14.21.1-2.module+el8+1579+35966ec0.noarch.rpm
MD5: 9d45ce6fb82b040243c141ba654d1f2a
SHA-256: 057e5933ec6e2840c0c76c0da4563315215ad2ee6ca9371c2960efa372cf571f
Size: 8.37 MB - nodejs-full-i18n-14.21.1-2.module+el8+1579+35966ec0.x86_64.rpm
MD5: cbfcbd82ebbf8f6a47553849f58c69ee
SHA-256: fa90636c1b6c70477ab649b7e789edbf1cce7ede2166be4302e03ea20651f9f3
Size: 7.85 MB - npm-6.14.17-1.14.21.1.2.module+el8+1579+35966ec0.x86_64.rpm
MD5: d4033237eaaf14c0149f3081e55d8d69
SHA-256: 0a338ea0c469c1ff19c85094796179fea98d5dc4d6679d8655eef6eac3a27ea3
Size: 3.66 MB