Test ID:	1.3.6.1.4.1.25623.1.1.10.2024.0046
Category:	Mageia Linux Local Security Checks
Title:	Mageia: Security Advisory (MGASA-2024-0046)
Summary:	The remote host is missing an update for the 'nodejs, yarnpkg' package(s) announced via the MGASA-2024-0046 advisory.
Description:	Summary: The remote host is missing an update for the 'nodejs, yarnpkg' package(s) announced via the MGASA-2024-0046 advisory. Vulnerability Insight: This is a security release. The following CVEs are fixed in this release: CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High) CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High) CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium) CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium) More detailed information on each of the vulnerabilities can be found in february 2024 Security Releases blog post. Affected Software/OS: 'nodejs, yarnpkg' package(s) on Mageia 9. Solution: Please install the updated package(s). CVSS Score: 6.8 CVSS Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2023-46809 Common Vulnerability Exposure (CVE) ID: CVE-2024-21892 https://hackerone.com/reports/2237545 http://www.openwall.com/lists/oss-security/2024/03/11/1 Common Vulnerability Exposure (CVE) ID: CVE-2024-22019 https://hackerone.com/reports/2233486 Common Vulnerability Exposure (CVE) ID: CVE-2024-22025 https://hackerone.com/reports/2284065 https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html
Copyright	Copyright (C) 2024 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.