Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2021-0372)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.1.10.2021.0372

Categoría: Mageia Linux Local Security Checks

Título: Mageia: Security Advisory (MGASA-2021-0372)

Resumen: The remote host is missing an update for the 'nodejs' package(s) announced via the MGASA-2021-0372 advisory.

Descripción: Summary:
The remote host is missing an update for the 'nodejs' package(s) announced via the MGASA-2021-0372 advisory.

Vulnerability Insight:
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix:
const y18n = require('y18n')(),
y18n.setLocale('__proto__'), y18n.updateLocale({polluted: true}),
console.log(polluted), // true (CVE-2020-7774).

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression
Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl
function in index.js. The affected regular expression exhibits polynomial
worst-case time complexity (CVE-2021-23362).

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression
which is vulnerable to a denial of service. Malicious SRIs could take an
extremely long time to process, leading to denial of service. This issue only
affects consumers using the strict option (CVE-2021-27290).

These, thesis issues are fixed by upgrading nodejs packages to latest available
LTS 14.17.3 version. See upstream releases notes for other included bugfixes.

Affected Software/OS:
'nodejs' package(s) on Mageia 8.

Solution:
Please install the updated package(s).

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2020-7774
https://github.com/yargs/y18n/issues/96
https://github.com/yargs/y18n/pull/108
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306
https://snyk.io/vuln/SNYK-JS-Y18N-1021887
https://www.oracle.com/security-alerts/cpuApr2021.html
Common Vulnerability Exposure (CVE) ID: CVE-2021-23362
https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7
https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01
https://github.com/npm/hosted-git-info/commits/v2
https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356
https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355
Common Vulnerability Exposure (CVE) ID: CVE-2021-27290
https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf
https://npmjs.com
https://www.oracle.com/security-alerts/cpuoct2021.html

Copyright Copyright (C) 2022 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.1.10.2021.0372
Categoría:	Mageia Linux Local Security Checks
Título:	Mageia: Security Advisory (MGASA-2021-0372)
Resumen:	The remote host is missing an update for the 'nodejs' package(s) announced via the MGASA-2021-0372 advisory.
Descripción:	Summary: The remote host is missing an update for the 'nodejs' package(s) announced via the MGASA-2021-0372 advisory. Vulnerability Insight: This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(), y18n.setLocale('__proto__'), y18n.updateLocale({polluted: true}), console.log(polluted), // true (CVE-2020-7774). The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity (CVE-2021-23362). ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option (CVE-2021-27290). These, thesis issues are fixed by upgrading nodejs packages to latest available LTS 14.17.3 version. See upstream releases notes for other included bugfixes. Affected Software/OS: 'nodejs' package(s) on Mageia 8. Solution: Please install the updated package(s). CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2020-7774 https://github.com/yargs/y18n/issues/96 https://github.com/yargs/y18n/pull/108 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306 https://snyk.io/vuln/SNYK-JS-Y18N-1021887 https://www.oracle.com/security-alerts/cpuApr2021.html Common Vulnerability Exposure (CVE) ID: CVE-2021-23362 https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7 https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01 https://github.com/npm/hosted-git-info/commits/v2 https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356 https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355 Common Vulnerability Exposure (CVE) ID: CVE-2021-27290 https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf https://npmjs.com https://www.oracle.com/security-alerts/cpuoct2021.html
Copyright	Copyright (C) 2022 Greenbone AG