Anolis OS update for nodejs:20 module
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 12 |
| CVE-ID | CVE-2024-22018 CVE-2024-22020 CVE-2024-28863 CVE-2024-36137 CVE-2024-21890 CVE-2024-21891 CVE-2024-21896 CVE-2024-22017 CVE-2023-39331 CVE-2023-30584 CVE-2023-39332 CVE-2023-32004 |
| CWE-ID | CWE-264 CWE-918 CWE-400 CWE-1068 CWE-22 CWE-269 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #3 is available. |
| Vulnerable software |
Anolis OS Operating systems & Components / Operating system nodejs-docs Operating systems & Components / Operating system package or component npm Operating systems & Components / Operating system package or component nodejs-full-i18n Operating systems & Components / Operating system package or component nodejs-devel Operating systems & Components / Operating system package or component nodejs Operating systems & Components / Operating system package or component nodejs-nodemon Operating systems & Components / Operating system package or component nodejs-packaging-bundler Operating systems & Components / Operating system package or component nodejs-packaging Operating systems & Components / Operating system package or component |
| Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains information about 12 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU93882
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-22018
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass permissions model.
The vulnerability exists due to application does not properly impose security restrictions when experimental permission model when the --allow-fs-read flag is used. A remote user can retrieve stats from files that they do not have explicit read access to.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 20.16.0-1
npm: before 10.8.1-1.20.16.0.1
nodejs-full-i18n: before 20.16.0-1
nodejs-devel: before 20.16.0-1
nodejs: before 20.16.0-1
nodejs-nodemon: before 3.0.1-1
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging-bundler:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0864
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU93880
Risk: Medium
CVSSv4.0: 5.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-22020
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input when handling non-network imports in data URLs. A remote user can bypass network import restrictions and execute arbitrary code.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 20.16.0-1
npm: before 10.8.1-1.20.16.0.1
nodejs-full-i18n: before 20.16.0-1
nodejs-devel: before 20.16.0-1
nodejs: before 20.16.0-1
nodejs-nodemon: before 3.0.1-1
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging-bundler:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0864
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource exhaustion
EUVDB-ID: #VU87734
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2024-28863
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources while parsing a tar file. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 20.16.0-1
npm: before 10.8.1-1.20.16.0.1
nodejs-full-i18n: before 20.16.0-1
nodejs-devel: before 20.16.0-1
nodejs: before 20.16.0-1
nodejs-nodemon: before 3.0.1-1
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging-bundler:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0864
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU93881
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-36137
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists due to application does not properly impose security restrictions in the experimental permission model when the --allow-fs-write flag is used. A remote user can change file ownership and permissions via fs.fchown and fs.fchmod.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 20.16.0-1
npm: before 10.8.1-1.20.16.0.1
nodejs-full-i18n: before 20.16.0-1
nodejs-devel: before 20.16.0-1
nodejs: before 20.16.0-1
nodejs-nodemon: before 3.0.1-1
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging-bundler:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0864
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Inconsistency between implementation and documented design
EUVDB-ID: #VU86728
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-21890
CWE-ID:
CWE-1068 - Inconsistency Between Implementation and Documented Design
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper handling of wildcards in --allow-fs-read and --allow-fs-write. A remote attacker can gain access to sensitive information.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 20.16.0-1
npm: before 10.8.1-1.20.16.0.1
nodejs-full-i18n: before 20.16.0-1
nodejs-devel: before 20.16.0-1
nodejs: before 20.16.0-1
nodejs-nodemon: before 3.0.1-1
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging-bundler:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0864
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Path traversal
EUVDB-ID: #VU86726
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-21891
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 20.16.0-1
npm: before 10.8.1-1.20.16.0.1
nodejs-full-i18n: before 20.16.0-1
nodejs-devel: before 20.16.0-1
nodejs: before 20.16.0-1
nodejs-nodemon: before 3.0.1-1
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging-bundler:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0864
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Path traversal
EUVDB-ID: #VU86722
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-21896
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in Buffer.prototype.utf8Write. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 20.16.0-1
npm: before 10.8.1-1.20.16.0.1
nodejs-full-i18n: before 20.16.0-1
nodejs-devel: before 20.16.0-1
nodejs: before 20.16.0-1
nodejs-nodemon: before 3.0.1-1
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging-bundler:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0864
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Improper Privilege Management
EUVDB-ID: #VU86723
Risk: Low
CVSSv4.0: 7.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Clear]
CVE-ID: CVE-2024-22017
CWE-ID:
CWE-269 - Improper Privilege Management
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges.
The vulnerability exists due to setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). A local user can escalate privileges on the system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 20.16.0-1
npm: before 10.8.1-1.20.16.0.1
nodejs-full-i18n: before 20.16.0-1
nodejs-devel: before 20.16.0-1
nodejs: before 20.16.0-1
nodejs-nodemon: before 3.0.1-1
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging-bundler:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0864
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Path traversal
EUVDB-ID: #VU82067
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-39331
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to insufficient patch for #VU77594 (CVE-2023-30584). A remote user can send a specially crafted request and read arbitrary files on the system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 20.16.0-1
npm: before 10.8.1-1.20.16.0.1
nodejs-full-i18n: before 20.16.0-1
nodejs-devel: before 20.16.0-1
nodejs: before 20.16.0-1
nodejs-nodemon: before 3.0.1-1
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging-bundler:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0864
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Path traversal
EUVDB-ID: #VU77594
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-30584
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error within the experimental permission model when verifying file permissions. A remote user can send a specially crafted request and read arbitrary files on the system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 20.16.0-1
npm: before 10.8.1-1.20.16.0.1
nodejs-full-i18n: before 20.16.0-1
nodejs-devel: before 20.16.0-1
nodejs: before 20.16.0-1
nodejs-nodemon: before 3.0.1-1
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging-bundler:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0864
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Path traversal
EUVDB-ID: #VU82068
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-39332
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in paths stored in Uint8Array. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 20.16.0-1
npm: before 10.8.1-1.20.16.0.1
nodejs-full-i18n: before 20.16.0-1
nodejs-devel: before 20.16.0-1
nodejs: before 20.16.0-1
nodejs-nodemon: before 3.0.1-1
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging-bundler:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0864
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Path traversal
EUVDB-ID: #VU79337
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-32004
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to improper handling of Buffers in file system APIs. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
nodejs-docs: before 20.16.0-1
npm: before 10.8.1-1.20.16.0.1
nodejs-full-i18n: before 20.16.0-1
nodejs-devel: before 20.16.0-1
nodejs: before 20.16.0-1
nodejs-nodemon: before 3.0.1-1
nodejs-packaging-bundler: before 2021.06-4
nodejs-packaging: before 2021.06-4
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:nodejs-docs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:npm:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-full-i18n:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-nodemon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging-bundler:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:nodejs-packaging:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0864
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
