SUSE update for nodejs12
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2021-22959 CVE-2021-22960 CVE-2021-37701 CVE-2021-37712 CVE-2021-37713 CVE-2021-39134 CVE-2021-39135 |
| CWE-ID | CWE-444 CWE-22 CWE-61 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
SUSE Linux Enterprise Module for Web Scripting Operating systems & Components / Operating system nodejs12-docs Operating systems & Components / Operating system package or component npm12 Operating systems & Components / Operating system package or component nodejs12-devel Operating systems & Components / Operating system package or component nodejs12-debugsource Operating systems & Components / Operating system package or component nodejs12-debuginfo Operating systems & Components / Operating system package or component nodejs12 Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Inconsistent interpretation of HTTP requests
EUVDB-ID: #VU59233
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-22959
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to preform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests, where the application accepts requests with a space right after the header name before the colon. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
MitigationUpdate the affected package nodejs12 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for Web Scripting: 15-SP2 - 15-SP3
nodejs12-docs: before 12.22.7-4.22.1
npm12: before 12.22.7-4.22.1
nodejs12-devel: before 12.22.7-4.22.1
nodejs12-debugsource: before 12.22.7-4.22.1
nodejs12-debuginfo: before 12.22.7-4.22.1
nodejs12: before 12.22.7-4.22.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_module_for_web_scripting:15-SP2:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_module_for_web_scripting:15-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:nodejs12-docs:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:npm12:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20213940-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Inconsistent interpretation of HTTP requests
EUVDB-ID: #VU59234
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-22960
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to preform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests, where the application ignores chunk extensions when parsing the body of chunked requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
MitigationUpdate the affected package nodejs12 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for Web Scripting: 15-SP2 - 15-SP3
nodejs12-docs: before 12.22.7-4.22.1
npm12: before 12.22.7-4.22.1
nodejs12-devel: before 12.22.7-4.22.1
nodejs12-debugsource: before 12.22.7-4.22.1
nodejs12-debuginfo: before 12.22.7-4.22.1
nodejs12: before 12.22.7-4.22.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_module_for_web_scripting:15-SP2:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_module_for_web_scripting:15-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:nodejs12-docs:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:npm12:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20213940-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Path traversal
EUVDB-ID: #VU58202
Risk: Medium
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-37701
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due to input validation error when extracting tar files that contained both a directory and a symlink with
the same name as the directory, where the symlink and directory names in
the archive entry used backslashes as a path separator on posix
systems. A remote attacker can create a specially crafted archive and overwrite arbitrary files on the system.
Update the affected package nodejs12 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for Web Scripting: 15-SP2 - 15-SP3
nodejs12-docs: before 12.22.7-4.22.1
npm12: before 12.22.7-4.22.1
nodejs12-devel: before 12.22.7-4.22.1
nodejs12-debugsource: before 12.22.7-4.22.1
nodejs12-debuginfo: before 12.22.7-4.22.1
nodejs12: before 12.22.7-4.22.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_module_for_web_scripting:15-SP2:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_module_for_web_scripting:15-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:nodejs12-docs:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:npm12:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20213940-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Path traversal
EUVDB-ID: #VU58203
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-37712
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when extracting tar files that contained two directories and a symlink
with names containing unicode values that normalized to the same value. A remote attacker can create a specially crafted archive that, when extracted, can overwrite arbitrary files on the system.
Update the affected package nodejs12 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for Web Scripting: 15-SP2 - 15-SP3
nodejs12-docs: before 12.22.7-4.22.1
npm12: before 12.22.7-4.22.1
nodejs12-devel: before 12.22.7-4.22.1
nodejs12-debugsource: before 12.22.7-4.22.1
nodejs12-debuginfo: before 12.22.7-4.22.1
nodejs12: before 12.22.7-4.22.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_module_for_web_scripting:15-SP2:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_module_for_web_scripting:15-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:nodejs12-docs:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:npm12:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20213940-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Path traversal
EUVDB-ID: #VU58204
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-37713
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due insufficient logic on Windows systems when extracting tar files that contained a path that
was not an absolute path, but specified a drive letter different from
the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory.
Update the affected package nodejs12 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for Web Scripting: 15-SP2 - 15-SP3
nodejs12-docs: before 12.22.7-4.22.1
npm12: before 12.22.7-4.22.1
nodejs12-devel: before 12.22.7-4.22.1
nodejs12-debugsource: before 12.22.7-4.22.1
nodejs12-debuginfo: before 12.22.7-4.22.1
nodejs12: before 12.22.7-4.22.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_module_for_web_scripting:15-SP2:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_module_for_web_scripting:15-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:nodejs12-docs:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:npm12:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20213940-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) UNIX symbolic link following
EUVDB-ID: #VU61256
Risk: Low
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-39134
CWE-ID:
CWE-61 - UNIX Symbolic Link (Symlink) Following
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to escalate privileges on the system.
The vulnerability exists due to a symlink following issue. A local attacker can create a specially crafted symbolic link to a critical file on the system and overwrite it with privileges of the application.
Successful exploitation of this vulnerability may result in privilege escalation.
MitigationUpdate the affected package nodejs12 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for Web Scripting: 15-SP2 - 15-SP3
nodejs12-docs: before 12.22.7-4.22.1
npm12: before 12.22.7-4.22.1
nodejs12-devel: before 12.22.7-4.22.1
nodejs12-debugsource: before 12.22.7-4.22.1
nodejs12-debuginfo: before 12.22.7-4.22.1
nodejs12: before 12.22.7-4.22.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_module_for_web_scripting:15-SP2:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_module_for_web_scripting:15-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:nodejs12-docs:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:npm12:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20213940-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) UNIX symbolic link following
EUVDB-ID: #VU61257
Risk: Low
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-39135
CWE-ID:
CWE-61 - UNIX Symbolic Link (Symlink) Following
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to escalate privileges on the system.
The vulnerability exists due to a symlink following issue. A local attacker can create a specially crafted symbolic link to a critical file on the system and overwrite it with privileges of the application.
Successful exploitation of this vulnerability may result in privilege escalation.
MitigationUpdate the affected package nodejs12 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for Web Scripting: 15-SP2 - 15-SP3
nodejs12-docs: before 12.22.7-4.22.1
npm12: before 12.22.7-4.22.1
nodejs12-devel: before 12.22.7-4.22.1
nodejs12-debugsource: before 12.22.7-4.22.1
nodejs12-debuginfo: before 12.22.7-4.22.1
nodejs12: before 12.22.7-4.22.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_module_for_web_scripting:15-SP2:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_module_for_web_scripting:15-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:nodejs12-docs:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:npm12:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20213940-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
