Anolis OS update for nodejs:16 module



| Updated: 2025-03-28
Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2022-35255
CVE-2022-35256
CWE-ID CWE-330
CWE-444
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Anolis OS
Operating systems & Components / Operating system

nodejs-docs
Operating systems & Components / Operating system package or component

npm
Operating systems & Components / Operating system package or component

nodejs-full-i18n
Operating systems & Components / Operating system package or component

nodejs-devel
Operating systems & Components / Operating system package or component

nodejs
Operating systems & Components / Operating system package or component

nodejs-nodemon
Operating systems & Components / Operating system package or component

nodejs-packaging
Operating systems & Components / Operating system package or component

Vendor OpenAnolis

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Use of insufficiently random values

EUVDB-ID: #VU67849

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-35255

CWE-ID: CWE-330 - Use of Insufficiently Random Values

Exploit availability: No

Description

The vulnerability allows a remote attacker to decrypt sensitive information.

The vulnerability exists due to usage of weak randomness in WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. A remote attacker can decrypt sensitive information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

nodejs-docs: before 16.17.1-1

npm: before 8.15.0-1.16.17.1.1

nodejs-full-i18n: before 16.17.1-1

nodejs-devel: before 16.17.1-1

nodejs: before 16.17.1-1

nodejs-nodemon: before 2.0.19-2

nodejs-packaging: before 25-1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0745


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU67850

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-35256

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

nodejs-docs: before 16.17.1-1

npm: before 8.15.0-1.16.17.1.1

nodejs-full-i18n: before 16.17.1-1

nodejs-devel: before 16.17.1-1

nodejs: before 16.17.1-1

nodejs-nodemon: before 2.0.19-2

nodejs-packaging: before 25-1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0745


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###