SB2022091338 - Red Hat Enterprise Linux 8 update for the nodejs:12 module
Published: September 13, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 secuirty vulnerabilities.
1) Code Injection (CVE-ID: CVE-2021-3918)
The disclosed vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient sanitization of user-supplied data during the validation of a JSON object. A remote attacker can pass a specially crafted JSON file for validation and execute arbitrary code.
2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2021-22959)
The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests, where the application accepts requests with a space right after the header name before the colon. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
3) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2021-22960)
The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests, where the application ignores chunk extensions when parsing the body of chunked requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
4) Path traversal (CVE-ID: CVE-2021-37701)
The vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due to input validation error when extracting tar files that contained both a directory and a symlink with
the same name as the directory, where the symlink and directory names in
the archive entry used backslashes as a path separator on posix
systems. A remote attacker can create a specially crafted archive and overwrite arbitrary files on the system.
5) Path traversal (CVE-ID: CVE-2021-37712)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when extracting tar files that contained two directories and a symlink
with names containing unicode values that normalized to the same value. A remote attacker can create a specially crafted archive that, when extracted, can overwrite arbitrary files on the system.
6) Improper Certificate Validation (CVE-ID: CVE-2021-44531)
The vulnerability allows a remote attacker to perform spoofing attack.
The
vulnerability exists due to insufficient validation of URI Subject
Alternative Names. Node.js accepts arbitrary Subject Alternative Name
(SAN) types, unless a PKI
is specifically defined to use a particular SAN type. A remote attacker
can bypass name-constrained intermediates and perform spoofing attack.
7) Improper validation of certificate with host mismatch (CVE-ID: CVE-2021-44532)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to improper validation of certificates, when converting SANs (Subject Alternative Names) to a string format. A remote attacker can inject special characters into the string and perform spoofing attack.
8) Improper Certificate Validation (CVE-ID: CVE-2021-44533)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to improper validation of certificate subject and issuer fields. A remote attacker can create a certificate with specially crafted multi-value Relative Distinguished Names and perform spoofing attack.
9) Prototype pollution (CVE-ID: CVE-2022-21824)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to the formatting logic of the console.table() function. A remote attacker can send a specially crafted request and assign an empty string to numerical keys of the object prototype.
Remediation
Install update from vendor's website.