SB2022020223 - Red Hat Enterprise Linux 8 update for the nodejs:14 module

Description

This security bulletin contains information about 9 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2021-3807)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when matching crafted invalid ANSI escape codes in ansi-regex. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

2) Path traversal (CVE-ID: CVE-2021-37712)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when extracting tar files that contained two directories and a symlink with names containing unicode values that normalized to the same value. A remote attacker can create a specially crafted archive that, when extracted, can overwrite arbitrary files on the system.

3) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2021-22960)

The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests, where the application ignores chunk extensions when parsing the body of chunked requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

4) Incorrect Regular Expression (CVE-ID: CVE-2020-28469)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect handling of user-supplied input in regular expression. A remote attacker can pass specially crafted input to the application and perform regular expression denial of service (ReDoS) attack.

5) Prototype pollution (CVE-ID: CVE-2020-7788)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation when handling INI files. A remote attacker can pass a specially crafted INI file to the application and perform prototype pollution attacks.

6) Code Injection (CVE-ID: CVE-2021-3918)

The disclosed vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient sanitization of user-supplied data during the validation of a JSON object. A remote attacker can pass a specially crafted JSON file for validation and execute arbitrary code.

7) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2021-22959)

The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests, where the application accepts requests with a space right after the header name before the colon. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

8) Path traversal (CVE-ID: CVE-2021-37701)

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to input validation error when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. A remote attacker can create a specially crafted archive and overwrite arbitrary files on the system.

9) Incorrect Regular Expression (CVE-ID: CVE-2021-33502)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to exponential performance for data. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDos) attack.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2022:0350