Vulnerabilities

 51 via 58 paths

Dependencies

 17

Source

 Group 6 Copy Created with Sketch. Docker

Target OS

 alpine:3.14.6
Test your Docker Hub image against our market leading vulnerability database Sign up for free
Severity
  • 1
  • 17
  • 29
  • 4
Status
  • 51
  • 0
  • 0
OS binaries
  • 8
  • 43

critical severity

Out-of-bounds Write

  • Vulnerable module: zlib/zlib
  • Introduced through: zlib/zlib@1.2.12-r0
  • Fixed in: 1.2.12-r2

Detailed paths

  • Introduced through: node@16.14.2-alpine3.14 zlib/zlib@1.2.12-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Alpine. See How to fix? for Alpine:3.14 relevant fixed versions and status.

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Remediation

Upgrade Alpine:3.14 zlib to version 1.2.12-r2 or higher.

References

Out-of-bounds Write vulnerability report

high severity

DNS Rebinding

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.18.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to DNS Rebinding due to the way the IsIPAddress() function in inspector_socket.cc processes invalid octal format IP addresses during an --inspect session. This could allow attackers to execute arbitrary code.

Remediation

Upgrade node to version 14.21.1, 16.18.1, 18.12.1, 19.0.1 or higher.

References

DNS Rebinding vulnerability report

high severity

Code Injection

  • Vulnerable module: node
  • Introduced through: node@16.14.2

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Code Injection due to the incorrect handling of environment variables on Linux when the process is running with elevated privileges that the current user lacks (does not apply to CAP_NET_BIND_SERVICE).

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

Code Injection vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: node
  • Introduced through: node@16.14.2

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which allows an attacker to cause denial of service via CPU and network bandwidth exhaustion.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: node
  • Introduced through: node@16.14.2

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a race condition in Http2Session when nghttp2 data is left in memory after a connection is reset while processing HTTP/2 CONTINUATION frames. An attacker can cause denial of service by sending such frames then triggering the Http2Session destructor.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 18.20.1, 20.12.1, 21.7.2 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Arbitrary Code Injection

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.20.2

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Arbitrary Code Injection. The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') to run arbitrary code, outside of the limits defined in a policy.json file.

Note:

At the time this advisory was issued, the policy is an experimental feature of Node.js, which is not enabled by default.

Remediation

Upgrade node to version 16.20.2, 18.17.1, 20.5.1 or higher.

References

Arbitrary Code Injection vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.19.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a null pointer dereference in when signatures are being verified on PKCS7 signed or signedAndEnveloped data in pkcs7/pk7_doit.c. If the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available, the digest initialization will fail.

NOTE: The TLS implementation in OpenSSL does not call these functions.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 16.19.1, 18.14.1, 19.6.1 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.19.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) such that in some cases Node.js does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 16.19.1, 18.14.1, 19.2.0 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.20.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) via a 0-byte UDP payload.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 16.20.1, 18.16.1, 20.3.1 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Insecure Permissions

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.19.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Insecure Permissions which allow users to access unauthorized modules with process.mainModule.require() if the --experimental-policy option is in use.

Remediation

Upgrade node to version 14.21.3, 16.19.1, 18.14.1, 19.6.1 or higher.

References

Insecure Permissions vulnerability report

high severity

Insecure Randomness

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.17.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Insecure Randomness via the EntropySource() function in SecretKeyGenTraits::DoKeyGen(), due to improper checking the return value, allowing an attacker to perform cryptographic attacks.

Remediation

Upgrade node to version 16.17.1, 18.9.1 or higher.

References

Insecure Randomness vulnerability report

high severity

Double Free

  • Vulnerable module: openssl/libcrypto1.1
  • Introduced through: openssl/libcrypto1.1@1.1.1n-r0 and openssl/libssl1.1@1.1.1n-r0
  • Fixed in: 1.1.1t-r0

Detailed paths

  • Introduced through: node@16.14.2-alpine3.14 openssl/libcrypto1.1@1.1.1n-r0
  • Introduced through: node@16.14.2-alpine3.14 openssl/libssl1.1@1.1.1n-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.14 relevant fixed versions and status.

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.

The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected.

These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0.

The OpenSSL asn1parse command line application is also impacted by this issue.

Remediation

Upgrade Alpine:3.14 openssl to version 1.1.1t-r0 or higher.

References

Double Free vulnerability report

high severity

Improper Certificate Validation

  • Vulnerable module: openssl/libcrypto1.1
  • Introduced through: openssl/libcrypto1.1@1.1.1n-r0 and openssl/libssl1.1@1.1.1n-r0
  • Fixed in: 1.1.1t-r1

Detailed paths

  • Introduced through: node@16.14.2-alpine3.14 openssl/libcrypto1.1@1.1.1n-r0
  • Introduced through: node@16.14.2-alpine3.14 openssl/libssl1.1@1.1.1n-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.14 relevant fixed versions and status.

A security vulnerability has been identified in all supported versions

of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing the -policy' argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies()' function.

Remediation

Upgrade Alpine:3.14 openssl to version 1.1.1t-r1 or higher.

References

Improper Certificate Validation vulnerability report

high severity

Use After Free

  • Vulnerable module: openssl/libcrypto1.1
  • Introduced through: openssl/libcrypto1.1@1.1.1n-r0 and openssl/libssl1.1@1.1.1n-r0
  • Fixed in: 1.1.1t-r0

Detailed paths

  • Introduced through: node@16.14.2-alpine3.14 openssl/libcrypto1.1@1.1.1n-r0
  • Introduced through: node@16.14.2-alpine3.14 openssl/libssl1.1@1.1.1n-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.14 relevant fixed versions and status.

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash.

This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.

Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream.

The OpenSSL cms and smime command line applications are similarly affected.

Remediation

Upgrade Alpine:3.14 openssl to version 1.1.1t-r0 or higher.

References

Use After Free vulnerability report

high severity

Access of Resource Using Incompatible Type ('Type Confusion')

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.19.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') in x509/v3_genn.c, when processing X.400 addresses with CRL checking enabled (e.g. when X509_V_FLAG_CRL_CHECK is set). An attacker in possession of both the certificate chain and CRL, of which neither needs a valid signature, can expose memory or cause a denial of service. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon.

Remediation

Upgrade node to version 14.21.3, 16.19.1, 18.14.1, 19.6.1 or higher.

References

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability report

high severity

Access of Resource Using Incompatible Type ('Type Confusion')

  • Vulnerable module: openssl/libcrypto1.1
  • Introduced through: openssl/libcrypto1.1@1.1.1n-r0 and openssl/libssl1.1@1.1.1n-r0
  • Fixed in: 1.1.1t-r0

Detailed paths

  • Introduced through: node@16.14.2-alpine3.14 openssl/libcrypto1.1@1.1.1n-r0
  • Introduced through: node@16.14.2-alpine3.14 openssl/libssl1.1@1.1.1n-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.14 relevant fixed versions and status.

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Remediation

Upgrade Alpine:3.14 openssl to version 1.1.1t-r0 or higher.

References

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability report

high severity

Prototype Pollution

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.20.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Prototype Pollution. The use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules outside of the policy.json definition.

Note:

At the time this CVE was issued, the policy is an experimental feature of Node.js.

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade node to version 16.20.1, 18.16.1, 20.3.1 or higher.

References

Prototype Pollution vulnerability report

high severity

Improper Control of Generation of Code ('Code Injection')

  • Vulnerable module: node
  • Introduced through: node@16.14.2

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to the improper handling of batch files in child_process.spawn or child_process.spawnSync. An attacker can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

Note: This vulnerability only affects Windows machines.

Remediation

Upgrade node to version 18.20.2, 20.12.2, 21.7.3 or higher.

References

Improper Control of Generation of Code ('Code Injection') vulnerability report

medium severity

Access Restriction Bypass

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.20.2

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Access Restriction Bypass via the Module._load which can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

Remediation

Upgrade node to version 16.20.2, 18.17.1, 20.5.1 or higher.

References

Access Restriction Bypass vulnerability report

medium severity

HTTP Request Smuggling

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.16.0

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to HTTP Request Smuggling when the llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers.

Remediation

Upgrade node to version 14.20.0, 16.16.0, 18.5.0 or higher.

References

HTTP Request Smuggling vulnerability report

medium severity

HTTP Request Smuggling

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.16.0

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to HTTP Request Smuggling. The llhttp parser in the http module does not correctly handle multi-line Transfer-Encoding headers.

Remediation

Upgrade node to version 14.20.0, 16.16.0, 18.5.0 or higher.

References

HTTP Request Smuggling vulnerability report

medium severity

HTTP Request Smuggling

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.16.0

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to HTTP Request Smuggling. when the llhttp parser in the http module does not adequately delimit HTTP requests with CRLF sequences.

Remediation

Upgrade node to version 14.20.0, 16.16.0, 18.5.0 or higher.

References

HTTP Request Smuggling vulnerability report

medium severity

HTTP Request Smuggling

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.17.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to HTTP Request Smuggling via the llhttp parser in the http module, due to improper parsing of header fields that are not terminated with CLRF.

Remediation

Upgrade node to version 14.20.1, 16.17.1, 18.9.1 or higher.

References

HTTP Request Smuggling vulnerability report

medium severity

Improper Access Control

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.20.2

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Improper Access Control through the usage of module.constructor.createRequire(), which allows an attacker to bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

Note: This vulnerability affects all users using the experimental policy mechanism.

Remediation

Upgrade node to version 16.20.2, 18.17.1, 20.5.1 or higher.

References

Improper Access Control vulnerability report

medium severity

Privilege Escalation

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.19.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Privilege Escalation due to insecure loading of ICU data through ICU_DATA environment variable.

Remediation

Upgrade node to version 14.21.3, 16.19.1, 18.14.1, 19.6.1 or higher.

References

Privilege Escalation vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.19.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a read buffer overflow in certificate name constraint checking in x509/v3_ncons.c. This occurs after certificate chain signature verification, and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 14.21.3, 16.19.1, 18.14.1, 19.6.1 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.19.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a double free after calling the PEM_read_bio_ex() function. An attacker who supplies a malicious PEM file with a 0-length payload can trigger a crash.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 14.21.3, 16.19.1, 18.14.1, 19.6.1 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.19.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to an invalid pointer dereference in the d2i_PKCS7(), d2i_PKCS7_bio() and d2i_PKCS7_fp(). An attacker could trigger a crash by supplying malicious PKCS7 data.

NOTE: The TLS implementation in OpenSSL does not call these functions.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 16.19.1, 18.14.1, 19.6.1 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.19.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a null dereference when validating DSA public keys in the EVP_PKEY_public_check() function.

NOTE: The TLS implementation in OpenSSL does not call this function.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 16.19.1, 18.14.1, 19.6.1 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.20.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) when processing specially crafted ASN.1 objects identifiers. Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a exploitation of this vulnerability.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 16.20.1, 18.16.1, 20.3.1 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

DLL Hijacking

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.16.0

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to DLL Hijacking. on Windows based systems running OpenSSL that use a C:\Program Files\Common Files\SSL\openssl.cnf file. Attackers could place a malicious providers.dll file at one of the locations checked according to DLL Search Order and it would be used by the application.

Remediation

Upgrade node to version 14.20.0, 16.16.0, 18.5.0 or higher.

References

DLL Hijacking vulnerability report

medium severity

DNS Rebinding

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.16.0

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to DNS Rebinding by bypassing IsAllowedHost because IsIPAddress does not properly check if an IP address is invalid or not. This vulnerability is a bypass of CVE-2021-22884.

Remediation

Upgrade node to version 14.20.0, 16.16.0, 18.5.0 or higher.

References

DNS Rebinding vulnerability report

medium severity

Insecure Randomness

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.20.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Insecure Randomness in the generation of DNS query IDs.

Remediation

Upgrade node to version 16.20.1, 18.16.1, 20.3.1 or higher.

References

Insecure Randomness vulnerability report

medium severity

Observable Timing Discrepancy

  • Vulnerable module: node
  • Introduced through: node@16.14.2

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Observable Timing Discrepancy due to the implementation of PKCS#1 v1.5 padding. An attacker can infer the private key used in the cryptographic operation by observing the time taken to execute cryptographic operations (Marvin).

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

Observable Timing Discrepancy vulnerability report

medium severity

Privilege Escalation

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.20.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Privilege Escalation via Malicious Registry Key manipulation during Node.js installer repair process. The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the "msiexec.exe" process attempts to create the specified path in an unsafe manner, potentially leading to the creation of arbitrary folders in arbitrary locations.

Note:

This vulnerability is specific to Windows users who install Node.js using the .msi installer. Users who opt for other installation methods are not affected by this particular issue.

Remediation

Upgrade node to version 16.20.1, 18.16.1, 20.3.1 or higher.

References

Privilege Escalation vulnerability report

medium severity

Use After Free

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.19.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Use After Free in the BIO_new_NDEF() function. A new filter BIO can be freed, with the function returning a NULL result indicating a failure. But the BIO passed by the caller still holds pointers to the previously freed filter BIO. This could allow an attacker to cause a crash.

Remediation

Upgrade node to version 14.21.3, 16.19.1, 18.14.1, 19.6.1 or higher.

References

Use After Free vulnerability report

medium severity

Information Exposure

  • Vulnerable module: openssl/libcrypto1.1
  • Introduced through: openssl/libcrypto1.1@1.1.1n-r0 and openssl/libssl1.1@1.1.1n-r0
  • Fixed in: 1.1.1t-r0

Detailed paths

  • Introduced through: node@16.14.2-alpine3.14 openssl/libcrypto1.1@1.1.1n-r0
  • Introduced through: node@16.14.2-alpine3.14 openssl/libssl1.1@1.1.1n-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.14 relevant fixed versions and status.

A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.

For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

Remediation

Upgrade Alpine:3.14 openssl to version 1.1.1t-r0 or higher.

References

Information Exposure vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.20.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Denial of Service (DoS). When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 16.20.1, 18.16.1, 20.3.1 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

HTTP Request Smuggling

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.20.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to HTTP Request Smuggling. The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests.

Remediation

Upgrade node to version 16.20.1, 18.16.1, 20.3.1 or higher.

References

HTTP Request Smuggling vulnerability report

medium severity

HTTP Request Smuggling

  • Vulnerable module: node
  • Introduced through: node@16.14.2

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to HTTP Request Smuggling via content length ofuscation. An attacker can smuggle an HTTP request by including a space before a Content-Length header.

Remediation

Upgrade node to version 18.20.1, 20.12.1, 21.7.2 or higher.

References

HTTP Request Smuggling vulnerability report

medium severity

Inconsistency Between Implementation and Documented Design

  • Vulnerable module: node
  • Introduced through: node@16.14.2

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Inconsistency Between Implementation and Documented Design where the generateKeys() API function returned from crypto.createDiffieHellman() do not generate keys after setting a private key.

Remediation

Upgrade node to version 16.20.1, 18.16.1, 20.3.1 or higher.

References

Inconsistency Between Implementation and Documented Design vulnerability report

medium severity

Information Exposure

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.16.0

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Information Exposure in the aesni_ocb_encrypt and aesni_ocb_decrypt, which reveal 16 unencrypted bytes of memory.

NOTE: Implementations using TLS or DTLS are not affected by this vulnerability.

Remediation

Upgrade node to version 14.20.0, 16.16.0, 18.5.0 or higher.

References

Information Exposure vulnerability report

medium severity

Timing Attack

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.19.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Timing Attack in rsa/rsa_ossl.c. An attacker can recover ciphertext with a Bleichenbacher style attack by sending a large number of trial messages (Marvin). This affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP, and RSASVE.

Remediation

Upgrade node to version 14.21.3, 16.19.1, 18.14.1, 19.6.1 or higher.

References

Timing Attack vulnerability report

medium severity

Improper Certificate Validation

  • Vulnerable module: openssl/libcrypto1.1
  • Introduced through: openssl/libcrypto1.1@1.1.1n-r0 and openssl/libssl1.1@1.1.1n-r0
  • Fixed in: 1.1.1t-r2

Detailed paths

  • Introduced through: node@16.14.2-alpine3.14 openssl/libcrypto1.1@1.1.1n-r0
  • Introduced through: node@16.14.2-alpine3.14 openssl/libssl1.1@1.1.1n-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.14 relevant fixed versions and status.

Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks.

Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether.

Policy processing is disabled by default but can be enabled by passing the -policy' argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies()' function.

Remediation

Upgrade Alpine:3.14 openssl to version 1.1.1t-r2 or higher.

References

Improper Certificate Validation vulnerability report

medium severity

Use of a Broken or Risky Cryptographic Algorithm

  • Vulnerable module: openssl/libcrypto1.1
  • Introduced through: openssl/libcrypto1.1@1.1.1n-r0 and openssl/libssl1.1@1.1.1n-r0
  • Fixed in: 1.1.1q-r0

Detailed paths

  • Introduced through: node@16.14.2-alpine3.14 openssl/libcrypto1.1@1.1.1n-r0
  • Introduced through: node@16.14.2-alpine3.14 openssl/libssl1.1@1.1.1n-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.14 relevant fixed versions and status.

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).

Remediation

Upgrade Alpine:3.14 openssl to version 1.1.1q-r0 or higher.

References

Use of a Broken or Risky Cryptographic Algorithm vulnerability report

medium severity

Buffer Over-read

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.20.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Buffer Over-read on 64-bit ARM systems using AES-XTS cipher decryption. Attackers in control of the size and location of the ciphertext buffer can cause a crash by supplying a buffer of length 4 mod 5 at a location just before unmapped memory.

NOTE: This issue can be patched by applying the fix commits to versions 3.0 and 3.1, but no dedicated fixed release is planned until the next scheduled one.

Remediation

Upgrade node to version 16.20.1, 18.16.1, 20.3.1 or higher.

References

Buffer Over-read vulnerability report

medium severity

Buffer Underwrite (Buffer Underflow)

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.20.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Buffer Underwrite (Buffer Underflow) in the ares_inet_net_pton() function. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues.

Remediation

Upgrade node to version 16.20.1, 18.16.1, 20.3.1 or higher.

References

Buffer Underwrite (Buffer Underflow) vulnerability report

low severity

Permissive Cross-domain Policy with Untrusted Domains

  • Vulnerable module: node
  • Introduced through: node@16.14.2

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains due to not clearing Proxy-Authentication headers on cross-origin redirects. An attacker can intercept the improperly cleared headers.

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

Permissive Cross-domain Policy with Untrusted Domains vulnerability report

low severity

Improper Certificate Validation

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.20.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Improper Certificate Validation due to invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies to circumvent policy checking on the certificate altogether.

Note: Exploiting this vulnerability is possible on applications that use a non-default option when verifying certificates.

Remediation

Upgrade node to version 16.20.1, 18.16.1, 20.3.1 or higher.

References

Improper Certificate Validation vulnerability report

low severity

Improper Certificate Validation

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.20.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Improper Certificate Validation because the implementation of the X509_VERIFY_PARAM_add0_policy() function does not enable certificate policy check, it allows certificates with invalid or incorrect policies to pass the certificate verification.

Note:

Since enabling the policy check could break existing deployments, it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument.

Remediation

Upgrade node to version 16.20.1, 18.16.1, 20.3.1 or higher.

References

Improper Certificate Validation vulnerability report

low severity

Insecure Randomness

  • Vulnerable module: node
  • Introduced through: node@16.14.2
  • Fixed in: 16.20.1

Detailed paths

  • Introduced through: docker-image|node@16.14.2-alpine3.14 node@16.14.2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Insecure Randomness such that AutoTools does not set CARES_RANDOM_FILE during cross compilation.

Remediation

Upgrade node to version 16.20.1, 18.16.1, 20.3.1 or higher.

References

Insecure Randomness vulnerability report