The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0321 advisory.

    Node.js is a software development platform for building fast and scalable network applications in the     JavaScript programming language.

    The following packages have been upgraded to a later upstream version: nodejs (16.18.1), nodejs-nodemon     (2.0.20).

    Security Fix(es):

    * minimist: prototype pollution (CVE-2021-44906)

    * nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)

    * nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)

    * nodejs: DNS rebinding in inspect via invalid octal IP address (CVE-2022-43548)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * nodejs: Packaged version of undici does not fit with declared version. [rhel-9] (BZ#2151627)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

RHEL 9 : nodejs and nodejs-nodemon (RHSA-2023:0321)

critical Nessus Plugin ID 170406

Version 1.5