Detections
Analytics

Rocky Linux 9 : nodejs and nodejs-nodemon (RLSA-2022:6595)

critical Nessus Plugin ID 171017

Synopsis

The remote Rocky Linux host is missing one or more security updates.

Description

The remote Rocky Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RLSA-2022:6595 advisory.

 - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm. (CVE-2022-29244)

 - This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context. (CVE-2020-7788)

 - This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator. (CVE-2020-28469)

 - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

 - The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
 (CVE-2021-33502)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected nodejs-nodemon package.

See Also

https://errata.rockylinux.org/RLSA-2022:6595

https://bugzilla.redhat.com/show_bug.cgi?id=1907444

https://bugzilla.redhat.com/show_bug.cgi?id=1945459

https://bugzilla.redhat.com/show_bug.cgi?id=1964461

https://bugzilla.redhat.com/show_bug.cgi?id=2007557

https://bugzilla.redhat.com/show_bug.cgi?id=2098556

https://bugzilla.redhat.com/show_bug.cgi?id=2102001

https://bugzilla.redhat.com/show_bug.cgi?id=2105422

https://bugzilla.redhat.com/show_bug.cgi?id=2105426

https://bugzilla.redhat.com/show_bug.cgi?id=2105428

https://bugzilla.redhat.com/show_bug.cgi?id=2105430

https://bugzilla.redhat.com/show_bug.cgi?id=2121019

https://bugzilla.redhat.com/show_bug.cgi?id=2124299

Plugin Details

Severity: Critical

ID: 171017

File Name: rocky_linux_RLSA-2022-6595.nasl

Version: 1.4

Type: local

Published: 2/6/2023

Updated: 9/5/2023

Supported Sensors: Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-7788

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:rocky:linux:9, p-cpe:/a:rocky:linux:nodejs-nodemon

Required KB Items: Host/local_checks_enabled, Host/RockyLinux/release, Host/RockyLinux/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/20/2022

Vulnerability Publication Date: 9/20/2022

Reference Information

CVE: CVE-2020-28469, CVE-2020-7788, CVE-2021-33502, CVE-2021-3807, CVE-2022-29244, CVE-2022-32212, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-33987