SUSE update for nodejs8
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2021-23343 CVE-2021-32803 CVE-2021-32804 CVE-2021-3807 CVE-2021-3918 |
| CWE-ID | CWE-185 CWE-36 CWE-20 CWE-94 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
SUSE Linux Enterprise Server for SAP Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing Operating systems & Components / Operating system SUSE Enterprise Storage Operating systems & Components / Operating system SUSE CaaS Platform Operating systems & Components / Operating system SUSE Linux Enterprise Server Operating systems & Components / Operating system nodejs8-docs Operating systems & Components / Operating system package or component npm8 Operating systems & Components / Operating system package or component nodejs8-devel Operating systems & Components / Operating system package or component nodejs8-debugsource Operating systems & Components / Operating system package or component nodejs8-debuginfo Operating systems & Components / Operating system package or component nodejs8 Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Incorrect Regular Expression
EUVDB-ID: #VU55315
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-23343
CWE-ID:
CWE-185 - Incorrect Regular Expression
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in splitDeviceRe, splitTailRe, and splitPathRe regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
Update the affected package nodejs8 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP3
SUSE Linux Enterprise High Performance Computing: 15-LTSS - 15-SP1-ESPOS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
nodejs8-docs: before 8.17.0-3.54.2
npm8: before 8.17.0-3.54.2
nodejs8-devel: before 8.17.0-3.54.2
nodejs8-debugsource: before 8.17.0-3.54.2
nodejs8-debuginfo: before 8.17.0-3.54.2
nodejs8: before 8.17.0-3.54.2
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:15-SP1:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:15-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-ESPOS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-SP1-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_enterprise_storage:6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_caas_platform:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:15-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:15-SP1-BCL:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:15-SP1-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:nodejs8-docs:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:npm8:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8:*:*:*:*:*:suse_linux:*:*
http://www.suse.com/support/update/announcement/2022/suse-su-20220563-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Absolute Path Traversal
EUVDB-ID: #VU58206
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-32803
CWE-ID:
CWE-36 - Absolute Path Traversal
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due to a logic issue when extracting tar files that contained both a directory
and a symlink with the same name as the directory. This order of
operations resulted in the directory being created and added to the node-tar
directory cache. When a directory is present in the directory cache,
subsequent calls to mkdir for that directory are skipped. However, this
is also where node-tar checks for symlinks occur.
By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar
symlink checks on directories, essentially allowing an untrusted tar
file to symlink into an arbitrary location and subsequently extracting
arbitrary files into that location, thus allowing arbitrary file
creation and overwrite.
Update the affected package nodejs8 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP3
SUSE Linux Enterprise High Performance Computing: 15-LTSS - 15-SP1-ESPOS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
nodejs8-docs: before 8.17.0-3.54.2
npm8: before 8.17.0-3.54.2
nodejs8-devel: before 8.17.0-3.54.2
nodejs8-debugsource: before 8.17.0-3.54.2
nodejs8-debuginfo: before 8.17.0-3.54.2
nodejs8: before 8.17.0-3.54.2
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:15-SP1:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:15-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-ESPOS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-SP1-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_enterprise_storage:6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_caas_platform:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:15-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:15-SP1-BCL:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:15-SP1-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:nodejs8-docs:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:npm8:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8:*:*:*:*:*:suse_linux:*:*
http://www.suse.com/support/update/announcement/2022/suse-su-20220563-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Absolute Path Traversal
EUVDB-ID: #VU58205
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-32804
CWE-ID:
CWE-36 - Absolute Path Traversal
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due to a logic issue when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar
would only strip a single path root from such paths. When given an
absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.
Update the affected package nodejs8 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP3
SUSE Linux Enterprise High Performance Computing: 15-LTSS - 15-SP1-ESPOS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
nodejs8-docs: before 8.17.0-3.54.2
npm8: before 8.17.0-3.54.2
nodejs8-devel: before 8.17.0-3.54.2
nodejs8-debugsource: before 8.17.0-3.54.2
nodejs8-debuginfo: before 8.17.0-3.54.2
nodejs8: before 8.17.0-3.54.2
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:15-SP1:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:15-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-ESPOS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-SP1-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_enterprise_storage:6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_caas_platform:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:15-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:15-SP1-BCL:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:15-SP1-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:nodejs8-docs:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:npm8:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8:*:*:*:*:*:suse_linux:*:*
http://www.suse.com/support/update/announcement/2022/suse-su-20220563-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU57967
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-3807
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when matching crafted invalid ANSI escape codes in ansi-regex. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationUpdate the affected package nodejs8 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP3
SUSE Linux Enterprise High Performance Computing: 15-LTSS - 15-SP1-ESPOS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
nodejs8-docs: before 8.17.0-3.54.2
npm8: before 8.17.0-3.54.2
nodejs8-devel: before 8.17.0-3.54.2
nodejs8-debugsource: before 8.17.0-3.54.2
nodejs8-debuginfo: before 8.17.0-3.54.2
nodejs8: before 8.17.0-3.54.2
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:15-SP1:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:15-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-ESPOS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-SP1-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_enterprise_storage:6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_caas_platform:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:15-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:15-SP1-BCL:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:15-SP1-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:nodejs8-docs:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:npm8:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8:*:*:*:*:*:suse_linux:*:*
http://www.suse.com/support/update/announcement/2022/suse-su-20220563-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Code Injection
EUVDB-ID: #VU64034
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-3918
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient sanitization of user-supplied data during the validation of a JSON object. A remote attacker can pass a specially crafted JSON file for validation and execute arbitrary code.
MitigationUpdate the affected package nodejs8 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP3
SUSE Linux Enterprise High Performance Computing: 15-LTSS - 15-SP1-ESPOS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
nodejs8-docs: before 8.17.0-3.54.2
npm8: before 8.17.0-3.54.2
nodejs8-devel: before 8.17.0-3.54.2
nodejs8-debugsource: before 8.17.0-3.54.2
nodejs8-debuginfo: before 8.17.0-3.54.2
nodejs8: before 8.17.0-3.54.2
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:15-SP1:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:15-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-ESPOS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-SP1-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_enterprise_storage:6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_caas_platform:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:15-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:15-SP1-BCL:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:15-SP1-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:nodejs8-docs:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:npm8:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs8:*:*:*:*:*:suse_linux:*:*
http://www.suse.com/support/update/announcement/2022/suse-su-20220563-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
