SUSE update for nodejs12
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2021-44906 CVE-2022-0235 |
| CWE-ID | CWE-400 CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
SUSE Linux Enterprise Server for SAP Applications Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing Operating systems & Components / Operating system SUSE Linux Enterprise Server Operating systems & Components / Operating system SUSE Linux Enterprise Module for Web Scripting Operating systems & Components / Operating system nodejs12-docs Operating systems & Components / Operating system package or component npm12 Operating systems & Components / Operating system package or component nodejs12-devel Operating systems & Components / Operating system package or component nodejs12-debugsource Operating systems & Components / Operating system package or component nodejs12-debuginfo Operating systems & Components / Operating system package or component nodejs12 Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Resource exhaustion
EUVDB-ID: #VU64030
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-44906
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
MitigationUpdate the affected package nodejs12 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications: 12-SP3 - 12-SP5
SUSE Linux Enterprise High Performance Computing: 12
SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5
SUSE Linux Enterprise Module for Web Scripting: 12
nodejs12-docs: before 12.22.12-1.48.1
npm12: before 12.22.12-1.48.1
nodejs12-devel: before 12.22.12-1.48.1
nodejs12-debugsource: before 12.22.12-1.48.1
nodejs12-debuginfo: before 12.22.12-1.48.1
nodejs12: before 12.22.12-1.48.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications:12-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications:12-SP4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:12:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP2-LTSS-ERICSSON:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_module_for_web_scripting:12:*:*:*:*:*:*:*
- cpe:2.3:o:suse:nodejs12-docs:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:npm12:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2022/suse-su-20221466-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU61471
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-0235
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the application follows the "Location" HTTP header redirect and passes authorization cookie to a third-party resource. A remote attacker can gain access to sensitive information.
MitigationUpdate the affected package nodejs12 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications: 12-SP3 - 12-SP5
SUSE Linux Enterprise High Performance Computing: 12
SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5
SUSE Linux Enterprise Module for Web Scripting: 12
nodejs12-docs: before 12.22.12-1.48.1
npm12: before 12.22.12-1.48.1
nodejs12-devel: before 12.22.12-1.48.1
nodejs12-debugsource: before 12.22.12-1.48.1
nodejs12-debuginfo: before 12.22.12-1.48.1
nodejs12: before 12.22.12-1.48.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications:12-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications:12-SP4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:12:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP2-LTSS-ERICSSON:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_module_for_web_scripting:12:*:*:*:*:*:*:*
- cpe:2.3:o:suse:nodejs12-docs:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:npm12:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:nodejs12:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2022/suse-su-20221466-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
