SUSE update for nodejs12

1) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU59233

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22959

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests, where the application accepts requests with a space right after the header name before the colon. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation

Update the affected package nodejs12 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Web Scripting: 12

nodejs12-docs: before 12.22.9-1.38.1

npm12: before 12.22.9-1.38.1

nodejs12-devel: before 12.22.9-1.38.1

nodejs12-debugsource: before 12.22.9-1.38.1

nodejs12-debuginfo: before 12.22.9-1.38.1

nodejs12: before 12.22.9-1.38.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20220101-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU59234

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22960

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests, where the application ignores chunk extensions when parsing the body of chunked requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation

Update the affected package nodejs12 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Web Scripting: 12

nodejs12-docs: before 12.22.9-1.38.1

npm12: before 12.22.9-1.38.1

nodejs12-devel: before 12.22.9-1.38.1

nodejs12-debugsource: before 12.22.9-1.38.1

nodejs12-debuginfo: before 12.22.9-1.38.1

nodejs12: before 12.22.9-1.38.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20220101-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Path traversal

EUVDB-ID: #VU58202

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-37701

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to input validation error when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. A remote attacker can create a specially crafted archive and overwrite arbitrary files on the system.

Mitigation

Update the affected package nodejs12 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Web Scripting: 12

nodejs12-docs: before 12.22.9-1.38.1

npm12: before 12.22.9-1.38.1

nodejs12-devel: before 12.22.9-1.38.1

nodejs12-debugsource: before 12.22.9-1.38.1

nodejs12-debuginfo: before 12.22.9-1.38.1

nodejs12: before 12.22.9-1.38.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20220101-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Path traversal

EUVDB-ID: #VU58203

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-37712

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when extracting tar files that contained two directories and a symlink with names containing unicode values that normalized to the same value. A remote attacker can create a specially crafted archive that, when extracted, can overwrite arbitrary files on the system.

Mitigation

Update the affected package nodejs12 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Web Scripting: 12

nodejs12-docs: before 12.22.9-1.38.1

npm12: before 12.22.9-1.38.1

nodejs12-devel: before 12.22.9-1.38.1

nodejs12-debugsource: before 12.22.9-1.38.1

nodejs12-debuginfo: before 12.22.9-1.38.1

nodejs12: before 12.22.9-1.38.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20220101-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Path traversal

EUVDB-ID: #VU58204

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-37713

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due insufficient logic on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory.

Mitigation

Update the affected package nodejs12 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Web Scripting: 12

nodejs12-docs: before 12.22.9-1.38.1

npm12: before 12.22.9-1.38.1

nodejs12-devel: before 12.22.9-1.38.1

nodejs12-debugsource: before 12.22.9-1.38.1

nodejs12-debuginfo: before 12.22.9-1.38.1

nodejs12: before 12.22.9-1.38.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20220101-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) UNIX symbolic link following

EUVDB-ID: #VU61256

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39134

CWE-ID: CWE-61 - UNIX Symbolic Link (Symlink) Following

Exploit availability: No

Description

The vulnerability allows a local attacker to escalate privileges on the system.

The vulnerability exists due to a symlink following issue. A local attacker can create a specially crafted symbolic link to a critical file on the system and overwrite it with privileges of the application.

Successful exploitation of this vulnerability may result in privilege escalation.

Mitigation

Update the affected package nodejs12 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Web Scripting: 12

nodejs12-docs: before 12.22.9-1.38.1

npm12: before 12.22.9-1.38.1

nodejs12-devel: before 12.22.9-1.38.1

nodejs12-debugsource: before 12.22.9-1.38.1

nodejs12-debuginfo: before 12.22.9-1.38.1

nodejs12: before 12.22.9-1.38.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20220101-1/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) UNIX symbolic link following

EUVDB-ID: #VU61257

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39135

CWE-ID: CWE-61 - UNIX Symbolic Link (Symlink) Following

Exploit availability: No

Description

The vulnerability allows a local attacker to escalate privileges on the system.

The vulnerability exists due to a symlink following issue. A local attacker can create a specially crafted symbolic link to a critical file on the system and overwrite it with privileges of the application.

Successful exploitation of this vulnerability may result in privilege escalation.

Mitigation

Update the affected package nodejs12 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Web Scripting: 12

nodejs12-docs: before 12.22.9-1.38.1

npm12: before 12.22.9-1.38.1

nodejs12-devel: before 12.22.9-1.38.1

nodejs12-debugsource: before 12.22.9-1.38.1

nodejs12-debuginfo: before 12.22.9-1.38.1

nodejs12: before 12.22.9-1.38.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20220101-1/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improper Certificate Validation

EUVDB-ID: #VU59548

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-44531

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of URI Subject Alternative Names. Node.js accepts arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type. A remote attacker can bypass name-constrained intermediates and perform spoofing attack.

Mitigation

Update the affected package nodejs12 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Web Scripting: 12

nodejs12-docs: before 12.22.9-1.38.1

npm12: before 12.22.9-1.38.1

nodejs12-devel: before 12.22.9-1.38.1

nodejs12-debugsource: before 12.22.9-1.38.1

nodejs12-debuginfo: before 12.22.9-1.38.1

nodejs12: before 12.22.9-1.38.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20220101-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Improper validation of certificate with host mismatch

EUVDB-ID: #VU59549

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-44532

CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper validation of certificates, when converting SANs (Subject Alternative Names) to a string format. A remote attacker can inject special characters into the string and perform spoofing attack.

Mitigation

Update the affected package nodejs12 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Web Scripting: 12

nodejs12-docs: before 12.22.9-1.38.1

npm12: before 12.22.9-1.38.1

nodejs12-devel: before 12.22.9-1.38.1

nodejs12-debugsource: before 12.22.9-1.38.1

nodejs12-debuginfo: before 12.22.9-1.38.1

nodejs12: before 12.22.9-1.38.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20220101-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improper Certificate Validation

EUVDB-ID: #VU59550

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-44533

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper validation of certificate subject and issuer fields. A remote attacker can create a certificate with specially crafted multi-value Relative Distinguished Names and perform spoofing attack.

Mitigation

Update the affected package nodejs12 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Web Scripting: 12

nodejs12-docs: before 12.22.9-1.38.1

npm12: before 12.22.9-1.38.1

nodejs12-devel: before 12.22.9-1.38.1

nodejs12-debugsource: before 12.22.9-1.38.1

nodejs12-debuginfo: before 12.22.9-1.38.1

nodejs12: before 12.22.9-1.38.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20220101-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Prototype pollution

EUVDB-ID: #VU59551

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21824

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to the formatting logic of the console.table() function. A remote attacker can send a specially crafted request and assign an empty string to numerical keys of the object prototype.

Mitigation

Update the affected package nodejs12 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Web Scripting: 12

nodejs12-docs: before 12.22.9-1.38.1

npm12: before 12.22.9-1.38.1

nodejs12-devel: before 12.22.9-1.38.1

nodejs12-debugsource: before 12.22.9-1.38.1

nodejs12-debuginfo: before 12.22.9-1.38.1

nodejs12: before 12.22.9-1.38.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20220101-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.