Detections
Analytics

Rocky Linux 8 : nodejs:12 (RLSA-2020:5499)

critical Nessus Plugin ID 184662

Synopsis

The remote Rocky Linux host is missing one or more security updates.

Description

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2020:5499 advisory.

 - An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.) (CVE-2020-15366)

 - yargs-parser could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. (CVE-2020-7608)

 - The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution. (CVE-2020-7774)

 - A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
 (CVE-2020-8277)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected nodejs-nodemon and / or nodejs-packaging packages.

See Also

https://errata.rockylinux.org/RLSA-2020:5499

https://bugzilla.redhat.com/show_bug.cgi?id=1857977

https://bugzilla.redhat.com/show_bug.cgi?id=1898554

https://bugzilla.redhat.com/show_bug.cgi?id=1898680

Plugin Details

Severity: Critical

ID: 184662

File Name: rocky_linux_RLSA-2020-5499.nasl

Version: 1.1

Type: local

Published: 11/6/2023

Updated: 11/7/2023

Supported Sensors: Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-7774

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:rocky:linux:nodejs-packaging, cpe:/o:rocky:linux:8, p-cpe:/a:rocky:linux:nodejs-nodemon

Required KB Items: Host/local_checks_enabled, Host/RockyLinux/release, Host/RockyLinux/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/15/2020

Vulnerability Publication Date: 3/16/2020

Reference Information

CVE: CVE-2020-15366, CVE-2020-7608, CVE-2020-7774, CVE-2020-8277