Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2022-25883, CVE-2023-32002, CVE-2023-32006, CVE-2023-32559 |
CWE-ID | CWE-185, CWE-264 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Anolis OS (operating system); operating system packages or components: nodejs-nodemon, nodejs-docs, npm, nodejs-full-i18n, nodejs-devel, nodejs, nodejs-packaging-bundler, nodejs-packaging |
Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU78932
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-25883
CWE-ID:
CWE-185 - Incorrect Regular Expression
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application via the new Range function and perform a regular expression denial of service (ReDoS) attack.
Remediation
Install updates from the vendor's repository.
Vulnerable software versions
Anolis OS: 8
nodejs-nodemon: before 3.0.1-1
nodejs-docs: before 18.17.1-1.0.2
npm: before 9.6.7-1.18.17.1.1.0.2
nodejs-full-i18n: before 18.17.1-1.0.2
nodejs-devel: before 18.17.1-1.0.2
nodejs: before 18.17.1-1.0.2
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3
Vendor advisory: https://anas.openanolis.cn/errata/detail/ANSA-2023:0553
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU79332
Risk: Medium
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-32002
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improperly imposed security restrictions for the Module._load() method. A remote attacker can bypass the policy mechanism and include modules outside of the policy.json definition for a given module.
Remediation
Install updates from the vendor's repository.
Vulnerable software versions
Anolis OS: 8
nodejs-nodemon: before 3.0.1-1
nodejs-docs: before 18.17.1-1.0.2
npm: before 9.6.7-1.18.17.1.1.0.2
nodejs-full-i18n: before 18.17.1-1.0.2
nodejs-devel: before 18.17.1-1.0.2
nodejs: before 18.17.1-1.0.2
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3
Vendor advisory: https://anas.openanolis.cn/errata/detail/ANSA-2023:0553
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU79334
Risk: Medium
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-32006
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
Remediation
Install updates from the vendor's repository.
Vulnerable software versions
Anolis OS: 8
nodejs-nodemon: before 3.0.1-1
nodejs-docs: before 18.17.1-1.0.2
npm: before 9.6.7-1.18.17.1.1.0.2
nodejs-full-i18n: before 18.17.1-1.0.2
nodejs-devel: before 18.17.1-1.0.2
nodejs: before 18.17.1-1.0.2
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3
Vendor advisory: https://anas.openanolis.cn/errata/detail/ANSA-2023:0553
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU79335
Risk: Medium
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-32559
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
Remediation
Install updates from the vendor's repository.
Vulnerable software versions
Anolis OS: 8
nodejs-nodemon: before 3.0.1-1
nodejs-docs: before 18.17.1-1.0.2
npm: before 9.6.7-1.18.17.1.1.0.2
nodejs-full-i18n: before 18.17.1-1.0.2
nodejs-devel: before 18.17.1-1.0.2
nodejs: before 18.17.1-1.0.2
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3
Vendor advisory: https://anas.openanolis.cn/errata/detail/ANSA-2023:0553
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.