Risk | High |
Patch available | YES |
Number of vulnerabilities | 6 |
CVE-ID | CVE-2021-35065 CVE-2021-44906 CVE-2022-0235 CVE-2022-24999 CVE-2022-3517 CVE-2022-43548 |
CWE-ID | CWE-400 CWE-200 CWE-94 CWE-185 CWE-350 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #4 is available. |
Vulnerable software Subscribe |
rh-nodejs14-nodejs-nodemon (Red Hat package) Operating systems & Components / Operating system package or component rh-nodejs14-nodejs (Red Hat package) Operating systems & Components / Operating system package or component |
Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
EUVDB-ID: #VU55102
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-35065
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when processing regular expressions. A remote attacker can trigger resource exhaustion and perform a regular expression denial of service (ReDoS) attack.
MitigationInstall updates from vendor's website.
rh-nodejs14-nodejs-nodemon (Red Hat package): before 2.0.20-2.el7
rh-nodejs14-nodejs (Red Hat package): before 14.21.1-3.el7
External linkshttp://access.redhat.com/errata/RHSA-2023:0612
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU64030
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-44906
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
MitigationInstall updates from vendor's website.
rh-nodejs14-nodejs-nodemon (Red Hat package): before 2.0.20-2.el7
rh-nodejs14-nodejs (Red Hat package): before 14.21.1-3.el7
External linkshttp://access.redhat.com/errata/RHSA-2023:0612
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU61471
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-0235
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the application follows the "Location" HTTP header redirect and passes authorization cookie to a third-party resource. A remote attacker can gain access to sensitive information.
MitigationInstall updates from vendor's website.
rh-nodejs14-nodejs-nodemon (Red Hat package): before 2.0.20-2.el7
rh-nodejs14-nodejs (Red Hat package): before 14.21.1-3.el7
External linkshttp://access.redhat.com/errata/RHSA-2023:0612
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU69675
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-24999
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and perform a denial of service (DoS) attack.
Install updates from vendor's website.
rh-nodejs14-nodejs-nodemon (Red Hat package): before 2.0.20-2.el7
rh-nodejs14-nodejs (Red Hat package): before 14.21.1-3.el7
External linkshttp://access.redhat.com/errata/RHSA-2023:0612
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU69942
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-3517
CWE-ID:
CWE-185 - Incorrect Regular Expression
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
Install updates from vendor's website.
rh-nodejs14-nodejs-nodemon (Red Hat package): before 2.0.20-2.el7
rh-nodejs14-nodejs (Red Hat package): before 14.21.1-3.el7
External linkshttp://access.redhat.com/errata/RHSA-2023:0612
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU69354
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-43548
CWE-ID:
CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DNS rebinding attacks.
The vulnerability exists due to improper validation of octal IP address within the Node.js rebinding protector for --inspec. A remote attacker can
resolve the invalid octal address via DNS. When combined with an active
--inspect session, such as when using VSCode, an attacker can perform DNS
rebinding and execute arbitrary code in client's browser.
Install updates from vendor's website.
rh-nodejs14-nodejs-nodemon (Red Hat package): before 2.0.20-2.el7
rh-nodejs14-nodejs (Red Hat package): before 14.21.1-3.el7
External linkshttp://access.redhat.com/errata/RHSA-2023:0612
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.