Synopsis
The remote Amazon Linux 2023 host is missing a security update.
Description
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-749 advisory.
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. (CVE-2024-22018)
A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers. (CVE-2024-22020)
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within a few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders. (CVE-2024-28863)
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors; however, operations such as fs.fchown or fs.fchmod can use a read-only file descriptor to change the owner and permissions of a file. (CVE-2024-36137)
Tenable has extracted the preceding description block directly from the tested product security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
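An added example for the node-tar issue (CVE-2024-28863) described above, not code from node-tar or from the advisory: a pre-extraction check that walks a tar archive's headers and reports entries nested deeper than a caller-chosen limit, including paths supplied through GNU long-name and PAX extended headers. The function names, the limits and the in-memory sample archive are constructed for this illustration, and the code assumes an uncompressed archive with octal size fields.

```javascript
// Added example (not node-tar's code): list tar entries nested deeper than a limit.
const BLOCK = 512;
// Read a NUL-terminated text field from a tar header block.
const field = (h, start, len) => h.toString('latin1', start, start + len).split('\0')[0];
// Number of folder levels in a path, ignoring empty and "." segments.
const pathDepth = (p) => p.split('/').filter((s) => s && s !== '.').length;

function findDeepEntries(archive, maxDepth) {
  const offenders = [];
  let override = null; // path set by a preceding GNU 'L' or PAX 'x' entry
  for (let off = 0; off + BLOCK <= archive.length;) {
    const h = archive.subarray(off, off + BLOCK);
    if (h.every((b) => b === 0)) break; // end-of-archive marker
    const size = parseInt(field(h, 124, 12).trim() || '0', 8);
    const body = archive.subarray(off + BLOCK, off + BLOCK + size).toString('utf8');
    const type = String.fromCharCode(h[156]);
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK; // header plus padded body
    if (type === 'L') { override = body.replace(/\0+$/, ''); continue; }
    if (type === 'x') { // PAX extended header: "LEN path=VALUE\n" records
      override = /^\d+ path=(.*)$/m.exec(body)?.[1] ?? override;
      continue;
    }
    const prefix = field(h, 345, 155);
    const name = override ?? (prefix ? prefix + '/' : '') + field(h, 0, 100);
    override = null;
    const depth = pathDepth(name);
    if (depth > maxDepth) offenders.push({ depth, name });
  }
  return offenders;
}

// Constructed sample archive: header checksums are left blank, unlike real tar output.
function entry(name, type, body = '') {
  const h = Buffer.alloc(BLOCK);
  const data = Buffer.from(body);
  h.write(name, 0);
  h.write(data.length.toString(8).padStart(11, '0'), 124);
  h.write(type, 156);
  return Buffer.concat([h, data], BLOCK + Math.ceil(data.length / BLOCK) * BLOCK);
}
const deep = 'a/'.repeat(200); // 200 nested folders
const SAMPLE = Buffer.concat([
  entry('app/config/', '5'),
  entry('PaxHeader/deep', 'x', `410 path=${deep}\n`), entry('target-1/', '5'),
  entry('././@LongLink', 'L', deep + 'b/\0'), entry('target-2/', '5'),
  Buffer.alloc(2 * BLOCK),
]);
console.log(findDeepEntries(SAMPLE, 64).map((e) => e.depth));
```

Running the check on the header stream before any folder is created lets an over-deep archive be rejected without extracting it.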
Solution
Run 'dnf update nodejs20 --releasever 2023.6.20241028' to update your system.
Plugin Details
File Name: al2023_ALAS2023-2024-749.nasl
Agent: unix
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:amazon:linux:2023, p-cpe:/a:amazon:linux:nodejs20, p-cpe:/a:amazon:linux:nodejs20-debuginfo, p-cpe:/a:amazon:linux:nodejs20-debugsource, p-cpe:/a:amazon:linux:nodejs20-devel, p-cpe:/a:amazon:linux:nodejs20-docs, p-cpe:/a:amazon:linux:nodejs20-full-i18n, p-cpe:/a:amazon:linux:nodejs20-libs, p-cpe:/a:amazon:linux:nodejs20-libs-debuginfo, p-cpe:/a:amazon:linux:nodejs20-npm, p-cpe:/a:amazon:linux:v8-11.3-devel
Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 10/24/2024
Vulnerability Publication Date: 3/21/2024