Risk | High |
Patch available | YES |
Number of vulnerabilities | 18 |
CVE-ID | CVE-2021-22959 CVE-2021-22960 CVE-2021-43616 CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824 CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215 CVE-2022-32222 CVE-2022-32223 CVE-2022-35255 CVE-2022-35256 CVE-2022-3602 CVE-2022-3786 CVE-2022-43548 |
CWE-ID | CWE-444 CWE-345 CWE-295 CWE-297 CWE-94 CWE-703 CWE-254 CWE-427 CWE-330 CWE-119 CWE-350 |
Exploitation vector | Network |
Public exploit |
Public exploit code for vulnerability #13 is available. Public exploit code for vulnerability #16 is available. Public exploit code for vulnerability #17 is available. |
Vulnerable software |
Amazon Linux AMI Operating systems & Components / Operating system nodejs Operating systems & Components / Operating system package or component |
Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 18 vulnerabilities.
EUVDB-ID: #VU59233
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-22959
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to preform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests, where the application accepts requests with a space right after the header name before the colon. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU59234
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-22960
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to preform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests, where the application ignores chunk extensions when parsing the body of chunked requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU63842
Risk: High
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-43616
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient verification of data authenticity in the npm ci command. A remote attacker can exploit the vulnerability to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU59548
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-44531
CWE-ID:
CWE-295 - Improper Certificate Validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The
vulnerability exists due to insufficient validation of URI Subject
Alternative Names. Node.js accepts arbitrary Subject Alternative Name
(SAN) types, unless a PKI
is specifically defined to use a particular SAN type. A remote attacker
can bypass name-constrained intermediates and perform spoofing attack.
Update the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU59549
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-44532
CWE-ID:
CWE-297 - Improper Validation of Certificate with Host Mismatch
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to improper validation of certificates, when converting SANs (Subject Alternative Names) to a string format. A remote attacker can inject special characters into the string and perform spoofing attack.
Update the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU59550
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-44533
CWE-ID:
CWE-295 - Improper Certificate Validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to improper validation of certificate subject and issuer fields. A remote attacker can create a certificate with specially crafted multi-value Relative Distinguished Names and perform spoofing attack.
Update the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU59551
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-21824
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to the formatting logic of the console.table()
function. A remote attacker can send a specially crafted request and assign an empty string to numerical keys of the object prototype.
Update the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU65273
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-32212
CWE-ID:
CWE-703 - Improper Check or Handling of Exceptional Conditions
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to IsIPAddress does not properly checks if an IP address is invalid or not. A remote unauthenticated attacker can exploit this vulnerability to bypass the IsAllowedHost check and execute arbitrary code on the system.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU65275
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-32213
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially-crafted request to lead to HTTP Request Smuggling to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU65278
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-32214
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU65282
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-32215
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to llhttp parser in the http module does not correctly handle multi-line Transfer-Encoding headers. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU65280
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-32222
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions
The vulnerability exists due to Node.js after start on linux based systems attempts to read /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf, which ordinarily doesn't exist. A remote unauthenticated attacker can attemp to read openssl.cnf from /home/iojs/build/ upon startup to create this file and affect the default OpenSSL configuration for other users.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU65276
Risk: Low
CVSSv4.0: [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2022-32223
CWE-ID:
CWE-427 - Uncontrolled Search Path Element
Exploit availability: Yes
DescriptionThe vulnerability allows a local attacker to elevate privileges on the system
The vulnerability exists due to DLL search order hijacking of providers.dll. A local attacker can place a specially crafted .dll file and elevate privileges on the system
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU67849
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-35255
CWE-ID:
CWE-330 - Use of Insufficiently Random Values
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to decrypt sensitive information.
The vulnerability exists due to usage of weak randomness in WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. A remote attacker can decrypt sensitive information.
Update the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU67850
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-35256
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU68895
Risk: High
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2022-3602
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing the email address field inside X.509 certificate. A remote attacker can supply a specially crafted certificate to the application, trigger a 4-byte buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that either a CA signs the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.
Update the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU68896
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2022-3786
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The
vulnerability exists due to a boundary error when processing the email
address field length inside a X.509 certificate. A remote attacker can supply a
specially crafted certificate to the application, trigger a buffer overflow and crash the application.
Update the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU69354
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-43548
CWE-ID:
CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DNS rebinding attacks.
The vulnerability exists due to improper validation of octal IP address within the Node.js rebinding protector for --inspec. A remote attacker can
resolve the invalid octal address via DNS. When combined with an active
--inspect session, such as when using VSCode, an attacker can perform DNS
rebinding and execute arbitrary code in client's browser.
Update the affected packages:
aarch64:Vulnerable software versions
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.2.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.2.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-18.12.1-1.amzn2023.0.2.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.2.noarch
src:
nodejs-18.12.1-1.amzn2023.0.2.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64
nodejs-18.12.1-1.amzn2023.0.2.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.2.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
nodejs: before 18.12.1-1
CPE2.3http://alas.aws.amazon.com/AL2023/ALAS-2023-084.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.