Detections
Analytics

Node.js 14.x < 14.21.1 / 16.x < 16.18.1 / 18.x < 18.12.1 / 19.x < 19.0.1 Multiple Vulnerabilities (Nov 3 2022 Security Releases).

high Nessus Plugin ID 167024

Language:

Synopsis

Node.js - JavaScript run-time environment is affected by multiple vulnerabilities.

Description

The version of Node.js installed on the remote host is prior to 14.21.1, 16.18.1, 18.12.1, 19.0.1. It is, therefore, affected by multiple vulnerabilities as referenced in the Nov 3 2022 Security Releases advisory.

 - A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Impacts: (CVE-2022-3602)

 - A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack.
 This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue. Impacts: (CVE-2022-3786)

 - The Node.js rebinding protector for --inspect still allows invalid IP address, specifically, the octal format. An example of an octal IP address is 1.09.0.0, the 09 octet is invalid because 9 is not a number in the base 8 number system. Browsers such as Firefox (tested on latest version m105) will still attempt to resolve this invalid octal address via DNS. When combined with an active --inspect session, such as when using VSCode, an attacker can perform DNS rebinding and execute arbitrary code Thank you to @haxatron1 for reporting this vulnerability. Impacts: (CVE-2022-43548)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Node.js version 14.21.1 / 16.18.1 / 18.12.1 / 19.0.1 or later.

See Also

http://www.nessus.org/u?01a243d6

Plugin Details

Severity: High

ID: 167024

File Name: nodejs_2022_nov.nasl

Version: 1.10

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 11/5/2022

Updated: 1/9/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-43548

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:nodejs:node.js

Required KB Items: installed_sw/Node.js

Exploit Ease: No known exploits are available

Patch Publication Date: 11/1/2022

Vulnerability Publication Date: 10/27/2022

Reference Information

CVE: CVE-2022-3602, CVE-2022-3786, CVE-2022-43548

IAVB: 2022-B-0047-S