Gentoo update for Node.js
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 15 |
| CVE-ID | CVE-2018-12115 CVE-2018-12116 CVE-2018-12121 CVE-2018-12122 CVE-2018-12123 CVE-2018-7161 CVE-2018-7162 CVE-2018-7164 CVE-2018-7167 CVE-2019-15604 CVE-2019-15605 CVE-2019-15606 CVE-2019-16777 CVE-2019-5737 CVE-2019-5739 |
| CWE-ID | CWE-787 CWE-20 CWE-122 CWE-400 CWE-451 CWE-617 CWE-444 CWE-22 CWE-399 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Gentoo Linux Operating systems & Components / Operating system |
| Vendor | Gentoo |
Security Bulletin
This security bulletin contains information about 15 vulnerabilities.
1) Out-of-bounds write
EUVDB-ID: #VU14498
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-12115
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to an out-of-bounds write condition in the Buffer component when used with UCS-2 encoding. A local attacker can cause a targeted system to stop functioning or execute arbitrary code with elevated privileges.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 12.15.0
Gentoo Linux: All versions
CPE2.3 External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202003-48
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper input validation
EUVDB-ID: #VU16171
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-12116
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to insufficient validation of user-provided input. A remote attacker can provide Unicode data for the path option of an HTTP request to trigger a second, unexpected, and user-defined HTTP request to made to the same server and cause the service to crash.
Update the affected packages.
net-libs/nodejs to version: 12.15.0
Gentoo Linux: All versions
CPE2.3 External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202003-48
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Heap-based buffer overflow
EUVDB-ID: #VU16168
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-12121
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to heap-based buffer overflow. A remote attacker can send many requests with the maximum size HTTP header of nearly 80kb/connection in combination with carefully handled completion of those headers, trigger memory corruption and cause the Node.js HTTP server to abort.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 12.15.0
Gentoo Linux: All versions
CPE2.3 External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202003-48
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Resource exhaustion
EUVDB-ID: #VU16169
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-12122
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to the socket is destroyed on the next received chunk when headers are not completely received within this period. A remote attacker can send headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time, consume excessive resources and cause the service to crash.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 12.15.0
Gentoo Linux: All versions
CPE2.3 External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202003-48
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Spoofing attack
EUVDB-ID: #VU16170
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-12123
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to conduct spoofing attack on the target system.
The vulnerability exists due to security decisions are made about the URL based on the hostname. A remote attacker can use a mixed case "javascript:" (e.g. "javAscript:") protocol and spoof the hostname when a Node.js application is using url.parse()to determine the URL hostname.
Update the affected packages.
net-libs/nodejs to version: 12.15.0
Gentoo Linux: All versions
CPE2.3 External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202003-48
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper input validation
EUVDB-ID: #VU13376
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7161
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to a cleanup bug where objects are used in native code after they are no longer available when the affected software interacts with an HTTP/2 server. A remote attacker can send a specially crafted request that submits malicious input to the targeted node server that provides an HTTP/2 server and cause the node server to crash.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 12.15.0
Gentoo Linux: All versions
CPE2.3 External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202003-48
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper input validation
EUVDB-ID: #VU13377
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7162
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to insufficient input validation when TLS implementation. A remote attacker can send a specially crafted request that submits malicious input to the targeted node server and cause it to crash.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 12.15.0
Gentoo Linux: All versions
CPE2.3 External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202003-48
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Resource exhaustion
EUVDB-ID: #VU13378
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7164
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to insufficient input validation when reading from the network into JavaScript using the net.Socket object directly as a stream. A remote attacker can send tiny chunks of data in short succession, trigger resource exhaustion and cause the server to crash.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 12.15.0
Gentoo Linux: All versions
CPE2.3 External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202003-48
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Improper input validation
EUVDB-ID: #VU13379
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7167
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can supply Calling Buffer.fill() or Buffer.alloc() with some parameters and cause the server to hang.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 12.15.0
Gentoo Linux: All versions
CPE2.3 External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202003-48
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Reachable assertion
EUVDB-ID: #VU25014
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-15604
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of X509 certificates in X509V3_EXT_print(). A remote attacker can supply a specially crafted client certificate to the application and perform a denial of service attack.
Update the affected packages.
net-libs/nodejs to version: 12.15.0
Gentoo Linux: All versions
CPE2.3 External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202003-48
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) HTTP request smuggling
EUVDB-ID: #VU25013
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-15605
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP request smuggling attack.
The vulnerability exists due to insufficient validation of Transfer-Encoding header. A remote attacker can send a specially crafted HTTP request to the application and perform a request smuggling attack.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 12.15.0
Gentoo Linux: All versions
CPE2.3 External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202003-48
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Input validation error
EUVDB-ID: #VU25012
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-15606
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to manipulate HTTP headers.
The vulnerability exists due to insufficient validation of a trailing white-space character in the request headers. A remote attacker can send a specially crafted HTTP request to the application and bypass certain security restrictions.
Update the affected packages.
net-libs/nodejs to version: 12.15.0
Gentoo Linux: All versions
CPE2.3 External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202003-48
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Path traversal
EUVDB-ID: #VU23880
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-16777
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. The software fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This only affects files in /usr/local/bin
A remote attacker can overwrite arbitrary files on the system.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 12.15.0
Gentoo Linux: All versions
CPE2.3 External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202003-48
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Resource exhaustion
EUVDB-ID: #VU26284
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-5737
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect processing of keep-alive packets. A remote attacker can send keep-alive packets very slowly and trigger resource exhaustion.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 12.15.0
Gentoo Linux: All versions
CPE2.3 External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202003-48
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Resource management error
EUVDB-ID: #VU26292
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-5739
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a very long keep-alive window of 2 minutes that Node.js uses by default for every HTTP and HTTPS connection. A remote attacker can create a bige amount of keep-alive connections and consume all available resources on the system.
Update the affected packages.
net-libs/nodejs to version: 12.15.0
Gentoo Linux: All versions
CPE2.3 External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202003-48
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
