Node.js 18.x < 18.18.2 / 20.x < 20.8.1 Multiple Vulnerabilities (Friday October 13 2023 Security Releases).

critical Nessus Plugin ID 183390

Synopsis

Node.js - JavaScript run-time environment is affected by multiple vulnerabilities.

Description

The version of Node.js installed on the remote host is prior to 18.18.2, 20.8.1. It is, therefore, affected by multiple vulnerabilities as referenced in the Friday October 13 2023 Security Releases advisory.

- Undici did not always clear Cookie headers on cross-origin redirects. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments.
Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. More details area available in GHSA-wqq4-5wpv-mx2g (CVE-2023-45143)

- Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound causes denial of service. See https://www.cve.org/CVERecord?id=CVE-2023-44487 for details. Impacts:
(CVE-2023-44487)

- A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations. Impacts: Please note that at the time this CVE is issued, the permission model is an experimental feature of Node.js. Thanks to Tobias Nieen who reported and created the security patch. (CVE-2023-39331)

- Various node:fs functions allow specifying paths as either strings or Uint8Array objects. In Node.js environments, the Buffer class extends the Uint8Array class. Node.js prevents path traversal through strings (see CVE-2023-30584) and Buffer objects (see CVE-2023-32004), but not through non-Buffer Uint8Array objects. This is distinct from CVE-2023-32004 (report 2038134), which only referred to Buffer objects. However, the vulnerability follows the same pattern using Uint8Array instead of Buffer. Impacts:
Please note that at the time this CVE is issued, the permission model is an experimental feature of Node.js. Thanks to Tobias Nieen who reported and created the security patch. (CVE-2023-39332)

- When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to node's policy implementation, thus effectively disabling the integrity check. Impacts: Please note that at the time this CVE is issued, the policy mechanism is an experimental feature of Node.js. Thanks to Tobias Nieen who reported and created the security patch. (CVE-2023-38552)

- Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. Impacts: Thanks to dittyroma for reporting the issue and to Tobias Nieen for fixing it. (CVE-2023-39333)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Node.js version 18.18.2 / 20.8.1 or later.

See Also

http://www.nessus.org/u?158127f8

Plugin Details

Severity: Critical

ID: 183390

File Name: nodejs_2023_oct.nasl

Version: 1.7

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 10/19/2023

Updated: 2/23/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-39332

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:nodejs:node.js

Required KB Items: installed_sw/Node.js

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/13/2023

Vulnerability Publication Date: 10/10/2023

CISA Known Exploited Vulnerability Due Dates: 10/31/2023

Reference Information

CVE: CVE-2023-38552, CVE-2023-39331, CVE-2023-39332, CVE-2023-39333, CVE-2023-44487, CVE-2023-45143

IAVB: 2023-B-0083-S