SUSE update for nodejs18

1) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU93880

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-22020

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote user to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input when handling non-network imports in data URLs. A remote user can bypass network import restrictions and execute arbitrary code.

Mitigation

Update the affected package nodejs18 to the latest version.

Vulnerable software versions

Web and Scripting Module: 12

SUSE Linux Enterprise Server for SAP Applications 12: SP1 - SP5

SUSE Linux Enterprise Server 12: SP1 - SP5

SUSE Linux Enterprise High Performance Computing 12: SP2 - SP5

SUSE Linux Enterprise Server for SAP Applications: 12-SP4

SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON

nodejs18-docs: before 18.20.4-8.24.1

nodejs18-debuginfo: before 18.20.4-8.24.1

nodejs18: before 18.20.4-8.24.1

npm18: before 18.20.4-8.24.1

nodejs18-debugsource: before 18.20.4-8.24.1

nodejs18-devel: before 18.20.4-8.24.1

CPE2.3

• cpe:2.3:o:suse:web_and_scripting_module:12:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP3:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP2:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP1:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP1:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP3:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP4:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP3:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP4:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP2:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications:12-SP4:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP2-LTSS-ERICSSON:*:*:*:*:*:*:

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20242496-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Command Injection

EUVDB-ID: #VU88462

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-27980

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper handling of batch files in child_process.spawn / child_process.spawnSync. An attacker can inject a malicious command line argument and achieve code execution even if the shell option is not enabled.

Mitigation

Update the affected package nodejs18 to the latest version.

Vulnerable software versions

Web and Scripting Module: 12

SUSE Linux Enterprise Server for SAP Applications 12: SP1 - SP5

SUSE Linux Enterprise Server 12: SP1 - SP5

SUSE Linux Enterprise High Performance Computing 12: SP2 - SP5

SUSE Linux Enterprise Server for SAP Applications: 12-SP4

SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON

nodejs18-docs: before 18.20.4-8.24.1

nodejs18-debuginfo: before 18.20.4-8.24.1

nodejs18: before 18.20.4-8.24.1

npm18: before 18.20.4-8.24.1

nodejs18-debugsource: before 18.20.4-8.24.1

nodejs18-devel: before 18.20.4-8.24.1

CPE2.3

• cpe:2.3:o:suse:web_and_scripting_module:12:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP3:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP2:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP1:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP1:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP3:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP4:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP3:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP4:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP2:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications:12-SP4:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP2-LTSS-ERICSSON:*:*:*:*:*:*:

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20242496-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Command Injection

EUVDB-ID: #VU93879

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-36138

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper handling of batch files in child_process.spawn / child_process.spawnSync on Windows. An attacker can inject a malicious command line argument and achieve code execution even if the shell option is not enabled.

Note, the vulnerability exists due to incomplete fix for #VU88462 (CVE-2024-27980).

Mitigation

Update the affected package nodejs18 to the latest version.

Vulnerable software versions

Web and Scripting Module: 12

SUSE Linux Enterprise Server for SAP Applications 12: SP1 - SP5

SUSE Linux Enterprise Server 12: SP1 - SP5

SUSE Linux Enterprise High Performance Computing 12: SP2 - SP5

SUSE Linux Enterprise Server for SAP Applications: 12-SP4

SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON

nodejs18-docs: before 18.20.4-8.24.1

nodejs18-debuginfo: before 18.20.4-8.24.1

nodejs18: before 18.20.4-8.24.1

npm18: before 18.20.4-8.24.1

nodejs18-debugsource: before 18.20.4-8.24.1

nodejs18-devel: before 18.20.4-8.24.1

CPE2.3

• cpe:2.3:o:suse:web_and_scripting_module:12:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP3:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP2:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP1:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP1:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP3:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP4:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP3:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP4:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP2:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications:12-SP4:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP2-LTSS-ERICSSON:*:*:*:*:*:*:

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20242496-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.