The version of nodejs installed on the remote host is prior to 18.4.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-214 advisory.

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

  - The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency     information in package-lock.json differs from package.json. This behavior is inconsistent with the     documentation, and makes it easier for attackers to install malware that was supposed to have been blocked     by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a     vulnerability. It would require someone to socially engineer package.json which has different dependencies     than package-lock.json. That user would have to have file system or write access to change dependencies.
    The npm team states preventing malicious actors from socially engineering or gaining file system access is     outside the scope of the npm CLI. (CVE-2021-43616)

  - Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a     particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3,     < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use.
    Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js     with the fix for this disable the URI SAN type when checking a certificate against a hostname. This     behavior can be reverted through the --security-revert command-line option. (CVE-2021-44531)

  - Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a     string format. It uses this string to check peer certificates against hostnames when validating     connections. The string format was subject to an injection vulnerability when name constraints were used     within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix     for this escape SANs containing the problematic characters in order to prevent the injection. This     behavior can be reverted through the --security-revert command-line option. (CVE-2021-44532)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux 2022 : nodejs (ALAS2022-2022-214)

critical Nessus Plugin ID 168555

Version 1.4

Version 1.3

Version 1.2

Version 1.4 Dec 12, 2024, 9:55 AM CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 severity (based on None, severity decreased from "High" to "Low") Detection (updated detection logic) Plugin metadata Plugin Feed: 202412120955
Version 1.3 Sep 20, 2023, 4:09 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") Exploit attributes ("Exploit available" set to "True". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202309201609
Version 1.2 Dec 10, 2022, 1:46 AM New Plugin Feed: 202212100146