SB2019072241 - Red Hat Software Collections update for rh-nodejs8-nodejs

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019072241

SB2019072241 - Red Hat Software Collections update for rh-nodejs8-nodejs

Published: July 22, 2019 Updated: April 24, 2025

Security Bulletin ID SB2019072241
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2018-12116)

The disclosed vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to insufficient validation of user-provided input. A remote attacker can provide Unicode data for the path option of an HTTP request to trigger a second, unexpected, and user-defined HTTP request to made to the same server and cause the service to crash.


2) Heap-based buffer overflow (CVE-ID: CVE-2018-12121)

The disclosed vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to heap-based buffer overflow. A remote attacker can send many requests with the maximum size HTTP header of nearly 80kb/connection in combination with carefully handled completion of those headers, trigger memory corruption and cause the Node.js HTTP server to abort.


3) Resource exhaustion (CVE-ID: CVE-2018-12122)

The disclosed vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to the socket is destroyed on the next received chunk when headers are not completely received within this period. A remote attacker can send headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time, consume excessive resources and cause the service to crash.


4) Spoofing attack (CVE-ID: CVE-2018-12123)

The disclosed vulnerability allows a remote attacker to conduct spoofing attack on the target system.

The vulnerability exists due to security decisions are made about the URL based on the hostname. A remote attacker can use a mixed case "javascript:" (e.g. "javAscript:") protocol and spoof the hostname when a Node.js application is using url.parse()to determine the URL hostname.


5) Link following (CVE-ID: CVE-2018-20834)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insecure following of hardlinks inside a tarball. A remote attacker can pass a specially crafted archive to the application and overwrite arbitrary files on the system.


6) Resource exhaustion (CVE-ID: CVE-2019-5737)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect processing of keep-alive packets. A remote attacker can send keep-alive packets very slowly and trigger resource exhaustion.


Remediation

Install update from vendor's website.

References