npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.

The remote Rocky Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RLSA-2022:6595 advisory.

  - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or     with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm     publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published     files into the npm registry they did not intend to include. Users should upgrade to the latest, patched     version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0     include the patched v8.11.0 version of npm. (CVE-2022-29244)

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:6595 advisory.

  - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application     that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited     further depending on the context. (CVE-2020-7788)

  - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in     enclosure containing path separator. (CVE-2020-28469)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS     (regular expression denial of service) issue because it has exponential performance for data: URLs.
    (CVE-2021-33502)

  - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or     with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm     publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published     files into the npm registry they did not intend to include. Users should upgrade to the latest, patched     version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0     include the patched v8.11.0 version of npm. (CVE-2022-29244)

  - A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an     insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check     if an IP address is invalid before making DBS requests allowing rebinding attacks. (CVE-2022-32212)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse     and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). (CVE-2022-32213)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use     the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
    (CVE-2022-32214)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly     handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
    (CVE-2022-32215)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-6595 advisory.

    - Rebase to version 16.16.0       Resolves: RHBZ#2106290       Resolves: CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6595 advisory.

    Node.js is a software development platform for building fast and scalable network applications in the     JavaScript programming language.

    The following packages have been upgraded to a later upstream version: nodejs (16.16.0), nodejs-nodemon     (2.0.19). (BZ#2124230, BZ#2124233)

    Security Fix(es):

    * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes     (CVE-2021-3807)

    * normalize-url: ReDoS for data URLs (CVE-2021-33502)

    * nodejs: npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a     workspace (CVE-2022-29244)

    * nodejs: DNS rebinding in --inspect via invalid IP addresses (CVE-2022-32212)

    * nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding (CVE-2022-32213)

    * nodejs: HTTP request smuggling due to improper delimiting of header fields (CVE-2022-32214)

    * nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding (CVE-2022-32215)

    * got: missing verification of requested URLs allows redirects to UNIX sockets (CVE-2022-33987)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * nodejs:16/nodejs: Rebase to the latest Nodejs 16 release [rhel-9] (BZ#2121019)

    * nodejs: Specify --with-default-icu-data-dir when using bootstrap build (BZ#2124299)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3251-1 advisory.

  - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or     with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm     publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published     files into the npm registry they did not intend to include. Users should upgrade to the latest, patched     version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0     include the patched v8.11.0 version of npm. (CVE-2022-29244)

  - undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences     into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0.
    Sanitizing all HTTP headers from untrusted sources to eliminate `\r ` is a workaround for this issue.
    (CVE-2022-31150)

  - undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to
    _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the     `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput =     'application/json\r \r GET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET',     headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two     requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This     issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a     workaround. (CVE-2022-35948)

  - undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side     Request Forgery) when an application takes in **user input** into the `path/pathname` option of     `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici     = require(undici) undici.request({origin: http://example.com, pathname: //127.0.0.1}) ``` Instead of     processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when     `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to     `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can     result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change     because the specified path parameter is combined with the base URL. This issue was fixed in     `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request`     call. (CVE-2022-35949)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3250-1 advisory.

  - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or     with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm     publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published     files into the npm registry they did not intend to include. Users should upgrade to the latest, patched     version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0     include the patched v8.11.0 version of npm. (CVE-2022-29244)

  - undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences     into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0.
    Sanitizing all HTTP headers from untrusted sources to eliminate `\r ` is a workaround for this issue.
    (CVE-2022-31150)

  - undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to
    _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the     `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput =     'application/json\r \r GET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET',     headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two     requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This     issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a     workaround. (CVE-2022-35948)

  - undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side     Request Forgery) when an application takes in **user input** into the `path/pathname` option of     `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici     = require(undici) undici.request({origin: http://example.com, pathname: //127.0.0.1}) ``` Instead of     processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when     `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to     `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can     result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change     because the specified path parameter is combined with the base URL. This issue was fixed in     `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request`     call. (CVE-2022-35949)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3196-1 advisory.

  - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or     with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm     publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published     files into the npm registry they did not intend to include. Users should upgrade to the latest, patched     version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0     include the patched v8.11.0 version of npm. (CVE-2022-29244)

  - undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences     into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0.
    Sanitizing all HTTP headers from untrusted sources to eliminate `\r ` is a workaround for this issue.
    (CVE-2022-31150)

  - undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to
    _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the     `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput =     'application/json\r \r GET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET',     headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two     requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This     issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a     workaround. (CVE-2022-35948)

  - undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side     Request Forgery) when an application takes in **user input** into the `path/pathname` option of     `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici     = require(undici) undici.request({origin: http://example.com, pathname: //127.0.0.1}) ``` Instead of     processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when     `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to     `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can     result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change     because the specified path parameter is combined with the base URL. This issue was fixed in     `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request`     call. (CVE-2022-35949)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
171017	Rocky Linux 9 : nodejs and nodejs-nodemon (RLSA-2022:6595)	Nessus	Rocky Linux Local Security Checks	critical
166249	AlmaLinux 9 : nodejs and nodejs-nodemon (ALSA-2022:6595)	Nessus	Alma Linux Local Security Checks	critical
165309	Oracle Linux 9 : nodejs / and / nodejs-nodemon (ELSA-2022-6595)	Nessus	Oracle Linux Local Security Checks	critical
165270	RHEL 9 : nodejs and nodejs-nodemon (RHSA-2022:6595)	Nessus	Red Hat Local Security Checks	critical
164977	SUSE SLES15 Security Update : nodejs16 (SUSE-SU-2022:3251-1)	Nessus	SuSE Local Security Checks	critical
164969	SUSE SLES15 Security Update : nodejs16 (SUSE-SU-2022:3250-1)	Nessus	SuSE Local Security Checks	critical
164902	SUSE SLES12 Security Update : nodejs16 (SUSE-SU-2022:3196-1)	Nessus	SuSE Local Security Checks	critical

Detections

Analytics

CVE-2022-29244

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical