Anolis OS update for nodejs:18 module
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2024-22020 CVE-2024-28863 |
| CWE-ID | CWE-918 CWE-400 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #2 is available. |
| Vulnerable software |
Anolis OS Operating systems & Components / Operating system nodejs-docs Operating systems & Components / Operating system package or component npm Operating systems & Components / Operating system package or component nodejs-full-i18n Operating systems & Components / Operating system package or component nodejs-devel Operating systems & Components / Operating system package or component nodejs Operating systems & Components / Operating system package or component nodejs-nodemon Operating systems & Components / Operating system package or component nodejs-packaging-bundler Operating systems & Components / Operating system package or component nodejs-packaging Operating systems & Components / Operating system package or component |
| Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU93880
Risk: Medium
CVSSv4.0: 5.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-22020
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input when handling non-network imports in data URLs. A remote user can bypass network import restrictions and execute arbitrary code.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 18.20.4-1
npm: before 10.7.0-1.18.20.4.1
nodejs-full-i18n: before 18.20.4-1
nodejs-devel: before 18.20.4-1
nodejs: before 18.20.4-1
nodejs-nodemon: before 3.0.1-1
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-packaging-bundler:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0890
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Resource exhaustion
EUVDB-ID: #VU87734
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2024-28863
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources while parsing a tar file. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 18.20.4-1
npm: before 10.7.0-1.18.20.4.1
nodejs-full-i18n: before 18.20.4-1
nodejs-devel: before 18.20.4-1
nodejs: before 18.20.4-1
nodejs-nodemon: before 3.0.1-1
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-packaging-bundler:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0890
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
