SUSE update for nodejs16



Published: 2022-09-11
Risk Medium
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2022-29244
CVE-2022-31150
CVE-2022-35948
CVE-2022-35949
CWE-ID CWE-200
CWE-93
CWE-918
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		SUSE Linux Enterprise Server for SAP Applications
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing
Operating systems & Components / Operating system

SUSE Linux Enterprise Server
Operating systems & Components / Operating system

SUSE Linux Enterprise Module for Web Scripting
Operating systems & Components / Operating system

nodejs16-docs
Operating systems & Components / Operating system package or component

npm16
Operating systems & Components / Operating system package or component

nodejs16-devel
Operating systems & Components / Operating system package or component

nodejs16-debugsource
Operating systems & Components / Operating system package or component

nodejs16-debuginfo
Operating systems & Components / Operating system package or component

nodejs16
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU66698

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-29244

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=`). Anyone who has run `npm pack` or `npm publish` inside a workspace, may be affected and have published files into the npm registry they did not intend to include.

Mitigation

Update the affected package nodejs16 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP Applications: 12-SP3 - 12-SP5

SUSE Linux Enterprise High Performance Computing: 12

SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5

SUSE Linux Enterprise Module for Web Scripting: 12

nodejs16-docs: before 16.17.0-8.9.1

npm16: before 16.17.0-8.9.1

nodejs16-devel: before 16.17.0-8.9.1

nodejs16-debugsource: before 16.17.0-8.9.1

nodejs16-debuginfo: before 16.17.0-8.9.1

nodejs16: before 16.17.0-8.9.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20223196-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) CRLF injection

EUVDB-ID: #VU67163

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-31150

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to inject arbitrary data in server response.

The vulnerability exists due to insufficient validation of attacker-supplied data. A remote attacker can pass specially crafted data to the application containing CR-LF characters and modify application behavior.

Mitigation

Update the affected package nodejs16 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP Applications: 12-SP3 - 12-SP5

SUSE Linux Enterprise High Performance Computing: 12

SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5

SUSE Linux Enterprise Module for Web Scripting: 12

nodejs16-docs: before 16.17.0-8.9.1

npm16: before 16.17.0-8.9.1

nodejs16-devel: before 16.17.0-8.9.1

nodejs16-debugsource: before 16.17.0-8.9.1

nodejs16-debuginfo: before 16.17.0-8.9.1

nodejs16: before 16.17.0-8.9.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20223196-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) CRLF injection

EUVDB-ID: #VU67164

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-35948

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to inject arbitrary data in server response.

The vulnerability exists due to insufficient validation of unsanitized input passed as request headers. A remote attacker can pass specially crafted data to the application containing CR-LF characters and modify application behavior.

Mitigation

Update the affected package nodejs16 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP Applications: 12-SP3 - 12-SP5

SUSE Linux Enterprise High Performance Computing: 12

SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5

SUSE Linux Enterprise Module for Web Scripting: 12

nodejs16-docs: before 16.17.0-8.9.1

npm16: before 16.17.0-8.9.1

nodejs16-devel: before 16.17.0-8.9.1

nodejs16-debugsource: before 16.17.0-8.9.1

nodejs16-debuginfo: before 16.17.0-8.9.1

nodejs16: before 16.17.0-8.9.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20223196-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU67166

Risk: Medium

CVSSv3.1: 5.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-35949

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Mitigation

Update the affected package nodejs16 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP Applications: 12-SP3 - 12-SP5

SUSE Linux Enterprise High Performance Computing: 12

SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5

SUSE Linux Enterprise Module for Web Scripting: 12

nodejs16-docs: before 16.17.0-8.9.1

npm16: before 16.17.0-8.9.1

nodejs16-devel: before 16.17.0-8.9.1

nodejs16-debugsource: before 16.17.0-8.9.1

nodejs16-debuginfo: before 16.17.0-8.9.1

nodejs16: before 16.17.0-8.9.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20223196-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###