The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:5533 advisory.

  - c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)

  - http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)

  - Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)

  - Node.js: Fetch API did not protect against CRLF injection in host headers (CVE-2023-23936)

  - Node.js: Regular Expression Denial of Service in Headers fetch API (CVE-2023-24807)

  - nodejs: mainModule.proto bypass experimental policy mechanism (CVE-2023-30581)

  - nodejs: process interuption due to invalid Public Key information in x509 certificates (CVE-2023-30588)

  - nodejs: HTTP Request Smuggling via Empty headers separated by CR (CVE-2023-30589)

  - nodejs: DiffieHellman do not generate keys after setting a private key (CVE-2023-30590)

  - nodejs: Permissions policies can be bypassed via Module._load (CVE-2023-32002)

  - nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire()     (CVE-2023-32006)

  - nodejs: Permissions policies can be bypassed via process.binding (CVE-2023-32559)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

RHEL 9 : nodejs (RHSA-2023:5533)

critical Nessus Plugin ID 182781

Version 1.2

Version 1.1

Version 1.0

Version 1.0

Version 1.2 Apr 28, 2024, 2:25 PM Detection (updated detection logic) Plugin metadata Reference Plugin Feed: 202404281425
Version 1.1 Jan 26, 2024, 11:18 PM Plugin metadata Plugin Feed: 202401262318
Version 1.0 Oct 9, 2023, 8:58 PM New Plugin Feed: 202310092058
Version 1.0 Jan 26, 2024, 9:00 PM Plugin metadata Plugin Feed: 202401262100