Test ID:1.3.6.1.4.1.25623.1.1.10.2021.0372
Category:Mageia Linux Local Security Checks
Title:Mageia: Security Advisory (MGASA-2021-0372)
Summary:The remote host is missing an update for the 'nodejs' package(s) announced via the MGASA-2021-0372 advisory.
Description:Summary:
The remote host is missing an update for the 'nodejs' package(s) announced via the MGASA-2021-0372 advisory.

Vulnerability Insight:
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix (prototype pollution: the locale name is used as an object key without guarding against '__proto__', so updateLocale writes into Object.prototype):
const y18n = require('y18n')();
y18n.setLocale('__proto__');
y18n.updateLocale({polluted: true});
console.log(polluted); // true (CVE-2020-7774)

The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression
Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl
function in index.js. The affected regular expression exhibits polynomial
worst-case time complexity (CVE-2021-23362).

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression
which is vulnerable to a denial of service. Malicious SRIs could take an
extremely long time to process, leading to denial of service. This issue only
affects consumers using the strict option (CVE-2021-27290).

These issues are fixed by upgrading the nodejs packages to the latest available
LTS version, 14.17.3. See the upstream release notes for other included bugfixes.

Affected Software/OS:
'nodejs' package(s) on Mageia 8.

Solution:
Please install the updated package(s).

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2020-7774
https://github.com/yargs/y18n/issues/96
https://github.com/yargs/y18n/pull/108
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306
https://snyk.io/vuln/SNYK-JS-Y18N-1021887
https://www.oracle.com/security-alerts/cpuApr2021.html
Common Vulnerability Exposure (CVE) ID: CVE-2021-23362
https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7
https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01
https://github.com/npm/hosted-git-info/commits/v2
https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356
https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355
Common Vulnerability Exposure (CVE) ID: CVE-2021-27290
https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf
https://npmjs.com
https://www.oracle.com/security-alerts/cpuoct2021.html
Copyright:Copyright (C) 2022 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.