Debian dla-3221 : node-cached-path-relative - security update

critical Nessus Plugin ID 168403

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3221 advisory.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3221-1                [email protected]
https://www.debian.org/lts/security/                      Guilhem Moulin
December 05, 2022                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : node-cached-path-relative
Version        : 1.0.1-2+deb10u1
CVE ID         : CVE-2018-16472 CVE-2021-23518
Debian Bug     : #1004338

Cristian-Alexandru Staicu discovered a prototype pollution vulnerability in node-cached-path-relative, a Node.js module used to cache (memoize) the result of path.relative.

CVE-2018-16472

An attacker who controls both the path and the cached value can mount a prototype pollution attack and thus overwrite arbitrary properties on Object.prototype, which may result in denial of service.

CVE-2021-23518

The fix for CVE-2018-16472 was incomplete and other prototype pollution vulnerabilities were found in the meantime, resulting in a new CVE.

For Debian 10 buster, these problems have been fixed in version 1.0.1-2+deb10u1.
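Nessus decides this finding purely from the installed version string (see the note below the advisory text). The same check can be reproduced on the host, as an added example that is not part of the advisory: compare the dpkg-reported version of node-cached-path-relative against the fixed version named above using Debian's own ordering rules rather than a string comparison, so that `~` pre-release suffixes and `+deb10u1` security suffixes are handled correctly. The function names are invented for this example.

```shell
#!/bin/sh
# Added example (not part of DLA-3221): is the installed node-cached-path-relative
# older than the version the advisory names as fixed for buster?
FIXED_VERSION="1.0.1-2+deb10u1"
PKG="node-cached-path-relative"

# Returns 0 when $1 sorts before FIXED_VERSION under Debian version rules.
# dpkg --compare-versions handles epochs, '~' and '+debNuN' suffixes, which a
# plain string or numeric comparison gets wrong.
is_vulnerable_version() {
  dpkg --compare-versions "$1" lt "$FIXED_VERSION"
}

# Prints "vulnerable", "fixed" or "not-installed" for the package on this host.
check_host() {
  ver=$(dpkg-query -W -f='${Version}' "$PKG" 2>/dev/null) || ver=""
  if [ -z "$ver" ]; then
    echo not-installed
    return 0
  fi
  if is_vulnerable_version "$ver"; then
    echo vulnerable
  else
    echo fixed
  fi
}

check_host
```

Like the plugin itself, this only inspects package metadata; a copy of the module vendored inside an application's node_modules directory is not covered by it or by the Debian package upgrade.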

We recommend that you upgrade your node-cached-path-relative packages.

For the detailed security status of node-cached-path-relative please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/node-cached-path-relative

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the node-cached-path-relative packages.

See Also

http://www.nessus.org/u?b4504c44

https://security-tracker.debian.org/tracker/CVE-2018-16472

https://security-tracker.debian.org/tracker/CVE-2021-23518

https://packages.debian.org/source/buster/node-cached-path-relative

Plugin Details

Severity: Critical

ID: 168403

File Name: debian_DLA-3221.nasl

Version: 1.4

Type: local

Agent: unix

Published: 12/5/2022

Updated: 1/22/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-23518

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:node-cached-path-relative

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/5/2022

Vulnerability Publication Date: 11/6/2018

Reference Information

CVE: CVE-2018-16472, CVE-2021-23518