Detections
Analytics

openSUSE 15 Security Update : nodejs18 (SUSE-SU-2024:2542-1)

medium Nessus Plugin ID 202586

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2542-1 advisory.

 Update to 18.20.4:

 - CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560)
 - CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554)

 Changes in 18.20.3:

 - This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly closing idle connections.
 deps:
 - acorn updated to 8.11.3.
 - acorn-walk updated to 8.3.2.
 - ada updated to 2.7.8.
 - c-ares updated to 1.28.1.
 - corepack updated to 0.28.0.
 - nghttp2 updated to 1.61.0.
 - ngtcp2 updated to 1.3.0.
 - npm updated to 10.7.0. Includes a fix from [email protected] to limit the number of open connections npm/cli#7324.
 - simdutf updated to 5.2.4.

 Changes in 18.20.2:

 - CVE-2024-27980: Fixed command injection via args parameter of child_process.spawn without shell option enabled on Windows (bsc#1222665)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1222665

https://bugzilla.suse.com/1227554

https://bugzilla.suse.com/1227560

http://www.nessus.org/u?4b645420

https://www.suse.com/security/cve/CVE-2024-22020

https://www.suse.com/security/cve/CVE-2024-27980

https://www.suse.com/security/cve/CVE-2024-36138

Plugin Details

Severity: Medium

ID: 202586

File Name: suse_SU-2024-2542-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 7/18/2024

Updated: 7/18/2024

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.0

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C

CVSS Score Source: CVE-2024-27980

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2024-22020

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/17/2024

Vulnerability Publication Date: 4/11/2024

Reference Information

CVE: CVE-2024-22020, CVE-2024-27980, CVE-2024-36138

SuSE: SUSE-SU-2024:2542-1