SB2022072231 - openEuler update for nodejs

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2020-15095)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to NPM Cli stores sensitive information into log files and supports URLs like "://[[:]@][:][:][/]". A local user can redirect output of a log file to an external URL.

2) Prototype pollution (CVE-ID: CVE-2020-7774)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary JavaScript code.

3) Incorrect Regular Expression (CVE-ID: CVE-2020-7754)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

4) Prototype pollution (CVE-ID: CVE-2020-7788)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation when handling INI files. A remote attacker can pass a specially crafted INI file to the application and perform prototype pollution attacks.

5) Code Injection (CVE-ID: CVE-2021-3918)

The disclosed vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient sanitization of user-supplied data during the validation of a JSON object. A remote attacker can pass a specially crafted JSON file for validation and execute arbitrary code.

Remediation

Install update from vendor's website.

References

• https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1769