Anolis OS update for nodejs:14 module
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2021-44906 CVE-2022-0235 CVE-2022-24999 CVE-2022-3517 CVE-2022-43548 CVE-2022-32212 |
| CWE-ID | CWE-400 CWE-200 CWE-94 CWE-185 CWE-350 CWE-703 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #3 is available. |
| Vulnerable software |
Anolis OS Operating systems & Components / Operating system nodejs-docs Operating systems & Components / Operating system package or component npm Operating systems & Components / Operating system package or component nodejs-full-i18n Operating systems & Components / Operating system package or component nodejs-devel Operating systems & Components / Operating system package or component nodejs Operating systems & Components / Operating system package or component nodejs-nodemon Operating systems & Components / Operating system package or component nodejs-packaging Operating systems & Components / Operating system package or component |
| Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Resource exhaustion
EUVDB-ID: #VU64030
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-44906
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 14.21.1-2.0.1
npm: before 6.14.17-1.14.21.1.2.0.1
nodejs-full-i18n: before 14.21.1-2.0.1
nodejs-devel: before 14.21.1-2.0.1
nodejs: before 14.21.1-2.0.1
nodejs-nodemon: before 2.0.20-2
nodejs-packaging: before 23-3
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2023:0110
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU61471
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-0235
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the application follows the "Location" HTTP header redirect and passes authorization cookie to a third-party resource. A remote attacker can gain access to sensitive information.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 14.21.1-2.0.1
npm: before 6.14.17-1.14.21.1.2.0.1
nodejs-full-i18n: before 14.21.1-2.0.1
nodejs-devel: before 14.21.1-2.0.1
nodejs: before 14.21.1-2.0.1
nodejs-nodemon: before 2.0.20-2
nodejs-packaging: before 23-3
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2023:0110
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Prototype pollution
EUVDB-ID: #VU69675
Risk: Medium
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2022-24999
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and perform a denial of service (DoS) attack.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 14.21.1-2.0.1
npm: before 6.14.17-1.14.21.1.2.0.1
nodejs-full-i18n: before 14.21.1-2.0.1
nodejs-devel: before 14.21.1-2.0.1
nodejs: before 14.21.1-2.0.1
nodejs-nodemon: before 2.0.20-2
nodejs-packaging: before 23-3
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2023:0110
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Incorrect Regular Expression
EUVDB-ID: #VU69942
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-3517
CWE-ID:
CWE-185 - Incorrect Regular Expression
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 14.21.1-2.0.1
npm: before 6.14.17-1.14.21.1.2.0.1
nodejs-full-i18n: before 14.21.1-2.0.1
nodejs-devel: before 14.21.1-2.0.1
nodejs: before 14.21.1-2.0.1
nodejs-nodemon: before 2.0.20-2
nodejs-packaging: before 23-3
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2023:0110
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Reliance on Reverse DNS Resolution for a Security-Critical Action
EUVDB-ID: #VU69354
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-43548
CWE-ID:
CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DNS rebinding attacks.
The vulnerability exists due to improper validation of octal IP address within the Node.js rebinding protector for --inspec. A remote attacker can
resolve the invalid octal address via DNS. When combined with an active
--inspect session, such as when using VSCode, an attacker can perform DNS
rebinding and execute arbitrary code in client's browser.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 14.21.1-2.0.1
npm: before 6.14.17-1.14.21.1.2.0.1
nodejs-full-i18n: before 14.21.1-2.0.1
nodejs-devel: before 14.21.1-2.0.1
nodejs: before 14.21.1-2.0.1
nodejs-nodemon: before 2.0.20-2
nodejs-packaging: before 23-3
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2023:0110
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper Check or Handling of Exceptional Conditions
EUVDB-ID: #VU65273
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-32212
CWE-ID:
CWE-703 - Improper Check or Handling of Exceptional Conditions
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to IsIPAddress does not properly checks if an IP address is invalid or not. A remote unauthenticated attacker can exploit this vulnerability to bypass the IsAllowedHost check and execute arbitrary code on the system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 14.21.1-2.0.1
npm: before 6.14.17-1.14.21.1.2.0.1
nodejs-full-i18n: before 14.21.1-2.0.1
nodejs-devel: before 14.21.1-2.0.1
nodejs: before 14.21.1-2.0.1
nodejs-nodemon: before 2.0.20-2
nodejs-packaging: before 23-3
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2023:0110
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
