Red Hat Software Collections update for rh-nodejs12-nodejs
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2020-15366 CVE-2020-7774 CVE-2020-8277 |
| CWE-ID | CWE-94 CWE-399 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. |
| Vulnerable software |
rh-nodejs12-nodejs (Red Hat package) Operating systems & Components / Operating system package or component |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Prototype pollution
EUVDB-ID: #VU55498
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15366
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary script code.
MitigationInstall updates from vendor's website.
rh-nodejs12-nodejs (Red Hat package): before 12.19.1-2.el7
CPE2.3 External linkshttps://access.redhat.com/errata/RHSA-2020:5305
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Prototype pollution
EUVDB-ID: #VU52909
Risk: Medium
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2020-7774
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary JavaScript code.
Install updates from vendor's website.
rh-nodejs12-nodejs (Red Hat package): before 12.19.1-2.el7
CPE2.3 External linkshttps://access.redhat.com/errata/RHSA-2020:5305
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Resource management error
EUVDB-ID: #VU48569
Risk: Medium
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2020-8277
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when processing a large number of DNS responses. A Node.js application that allows an attacker to trigger a DNS request
for a host of their choice could trigger a denial of service condition.
Install updates from vendor's website.
rh-nodejs12-nodejs (Red Hat package): before 12.19.1-2.el7
CPE2.3 External linkshttps://access.redhat.com/errata/RHSA-2020:5305
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
