SUSE SLES12 Security Update : nodejs18 (SUSE-SU-2024:2496-1)

high Nessus Plugin ID 202562

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2496-1 advisory.

Update to 18.20.4:

- CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560)
- CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554)

Changes in 18.20.3:

- This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly closing idle connections.
deps:
- acorn updated to 8.11.3.
- acorn-walk updated to 8.3.2.
- ada updated to 2.7.8.
- c-ares updated to 1.28.1.
- corepack updated to 0.28.0.
- nghttp2 updated to 1.61.0.
- ngtcp2 updated to 1.3.0.
- npm updated to 10.7.0. Includes a fix from [email protected] to limit the number of open connections npm/cli#7324.
- simdutf updated to 5.2.4.

Changes in 18.20.2:

- CVE-2024-27980: Fixed command injection via args parameter of child_process.spawn without shell option enabled on Windows (bsc#1222665)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected nodejs18, nodejs18-devel, nodejs18-docs and / or npm18 packages.

See Also

https://bugzilla.suse.com/1222665

https://bugzilla.suse.com/1227554

https://bugzilla.suse.com/1227560

http://www.nessus.org/u?be0ee4f8

https://www.suse.com/security/cve/CVE-2024-22020

https://www.suse.com/security/cve/CVE-2024-27980

https://www.suse.com/security/cve/CVE-2024-36138

Plugin Details

Severity: High

ID: 202562

File Name: suse_SU-2024-2496-1.nasl

Version: 1.2

Type: local

Agent: unix

Published: 7/17/2024

Updated: 9/9/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 4.4

Vector: CVSS2#AV:L/AC:H/Au:N/C:P/I:C/A:C

CVSS Score Source: CVE-2024-22020

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2024-36138

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:12, p-cpe:/a:novell:suse_linux:nodejs18, p-cpe:/a:novell:suse_linux:nodejs18-docs, p-cpe:/a:novell:suse_linux:npm18, p-cpe:/a:novell:suse_linux:nodejs18-devel

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/16/2024

Vulnerability Publication Date: 4/11/2024

Reference Information

CVE: CVE-2024-22020, CVE-2024-27980, CVE-2024-36138

SuSE: SUSE-SU-2024:2496-1