Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2021-3918 (GCVE-0-2021-3918)
Vulnerability from cvelistv5 – Published: 2021-11-13 00:00 – Updated: 2025-01-17 20:02
VLAI
EPSS
Title
Prototype Pollution in kriszyp/json-schema
Summary
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Severity
9.8 (Critical)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| kriszyp | kriszyp/json-schema |
Affected:
unspecified , ≤ 0.3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-01-17T20:02:47.966Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741"
},
{
"name": "[debian-lts-announce] 20221206 [SECURITY] [DLA 3228-1] node-json-schema security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20250117-0004/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kriszyp/json-schema",
"vendor": "kriszyp",
"versions": [
{
"lessThanOrEqual": "0.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-06T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9"
},
{
"url": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741"
},
{
"name": "[debian-lts-announce] 20221206 [SECURITY] [DLA 3228-1] node-json-schema security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html"
}
],
"source": {
"advisory": "bb6ccd63-f505-4e3a-b55f-cd2662c261a9",
"discovery": "EXTERNAL"
},
"title": "Prototype Pollution in kriszyp/json-schema"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3918",
"datePublished": "2021-11-13T00:00:00.000Z",
"dateReserved": "2021-11-02T00:00:00.000Z",
"dateUpdated": "2025-01-17T20:02:47.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-3918",
"date": "2026-06-12",
"epss": "0.01262",
"percentile": "0.7991"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:json-schema_project:json-schema:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.4.0\", \"matchCriteriaId\": \"44F0C109-0C7A-4A2F-ABED-6E67433E4FBD\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)\"}, {\"lang\": \"es\", \"value\": \"json-schema es vulnerable a la Modificaci\\u00f3n Indebida de Atributos de Prototipos de Objetos (\u0027Contaminaci\\u00f3n de Prototipos\u0027)\"}]",
"id": "CVE-2021-3918",
"lastModified": "2024-11-21T06:22:46.393",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV30\": [{\"source\": \"security@huntr.dev\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2021-11-13T09:15:06.737",
"references": "[{\"url\": \"https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741\", \"source\": \"security@huntr.dev\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9\", \"source\": \"security@huntr.dev\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html\", \"source\": \"security@huntr.dev\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security@huntr.dev\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-1321\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-1321\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-3918\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2021-11-13T09:15:06.737\",\"lastModified\":\"2025-01-17T20:15:26.073\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)\"},{\"lang\":\"es\",\"value\":\"json-schema es vulnerable a la Modificaci\u00f3n Indebida de Atributos de Prototipos de Objetos (\u0027Contaminaci\u00f3n de Prototipos\u0027)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:json-schema_project:json-schema:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.4.0\",\"matchCriteriaId\":\"44F0C109-0C7A-4A2F-ABED-6E67433E4FBD\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}],\"references\":[{\"url\":\"https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741\",\"source\":\"security@huntr.dev\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9\",\"source\":\"security@huntr.dev\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html\",\"source\":\"security@huntr.dev\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20250117-0004/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
GHSA-896R-F27R-55MW
Vulnerability from github – Published: 2021-11-19 20:16 – Updated: 2025-01-17 21:31
VLAI
Summary
json-schema is vulnerable to Prototype Pollution
Details
json-schema before version 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').
Severity
9.8 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "json-schema"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3918"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-15T22:44:27Z",
"nvd_published_at": "2021-11-13T09:15:00Z",
"severity": "CRITICAL"
},
"details": "json-schema before version 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027).",
"id": "GHSA-896r-f27r-55mw",
"modified": "2025-01-17T21:31:38Z",
"published": "2021-11-19T20:16:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918"
},
{
"type": "WEB",
"url": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741"
},
{
"type": "WEB",
"url": "https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a"
},
{
"type": "WEB",
"url": "https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa"
},
{
"type": "PACKAGE",
"url": "https://github.com/kriszyp/json-schema"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250117-0004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "json-schema is vulnerable to Prototype Pollution"
}
GSD-2021-3918
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-3918",
"description": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"id": "GSD-2021-3918",
"references": [
"https://www.suse.com/security/cve/CVE-2021-3918.html",
"https://access.redhat.com/errata/RHSA-2022:0735",
"https://access.redhat.com/errata/RHSA-2022:0595",
"https://access.redhat.com/errata/RHSA-2022:0350",
"https://access.redhat.com/errata/RHSA-2022:0246",
"https://access.redhat.com/errata/RHSA-2022:0041",
"https://access.redhat.com/errata/RHSA-2021:5171",
"https://linux.oracle.com/cve/CVE-2021-3918.html",
"https://access.redhat.com/errata/RHSA-2022:4914",
"https://access.redhat.com/errata/RHSA-2022:4956",
"https://advisories.mageia.org/CVE-2021-3918.html",
"https://access.redhat.com/errata/RHEA-2022:4925",
"https://access.redhat.com/errata/RHEA-2022:5139",
"https://access.redhat.com/errata/RHEA-2022:5221",
"https://access.redhat.com/errata/RHEA-2022:5615",
"https://access.redhat.com/errata/RHSA-2022:7055"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-3918"
],
"details": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"id": "GSD-2021-3918",
"modified": "2023-12-13T01:23:34.926464Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3918",
"STATE": "PUBLIC",
"TITLE": "Prototype Pollution in kriszyp/json-schema"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "kriszyp/json-schema",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "0.3.0"
}
]
}
}
]
},
"vendor_name": "kriszyp"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9"
},
{
"name": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741",
"refsource": "MISC",
"url": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741"
},
{
"name": "[debian-lts-announce] 20221206 [SECURITY] [DLA 3228-1] node-json-schema security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html"
}
]
},
"source": {
"advisory": "bb6ccd63-f505-4e3a-b55f-cd2662c261a9",
"discovery": "EXTERNAL"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c0.4.0",
"affected_versions": "All versions before 0.4.0",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-1321",
"CWE-937"
],
"date": "2023-02-03",
"description": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"fixed_versions": [
"0.4.0"
],
"identifier": "CVE-2021-3918",
"identifiers": [
"CVE-2021-3918"
],
"not_impacted": "All versions starting from 0.4.0",
"package_slug": "npm/json-schema",
"pubdate": "2021-11-13",
"solution": "Upgrade to version 0.4.0 or above.",
"title": "Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-3918",
"https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741",
"https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9"
],
"uuid": "f9634854-aeb7-47bc-a325-450a86202b86"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:json-schema_project:json-schema:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "0.4.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3918"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-1321"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741"
},
{
"name": "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9"
},
{
"name": "[debian-lts-announce] 20221206 [SECURITY] [DLA 3228-1] node-json-schema security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2023-02-03T19:15Z",
"publishedDate": "2021-11-13T09:15Z"
}
}
}
OPENSUSE-SU-2022:0657-1
Vulnerability from csaf_opensuse - Published: 2022-03-02 09:11 - Updated: 2022-03-02 09:11Summary
Security update for nodejs12
Severity
Important
Notes
Title of the patch: Security update for nodejs12
Description of the patch: This update for nodejs12 fixes the following issues:
- CVE-2021-23343: Fixed ReDoS via splitDeviceRe, splitTailRe and splitPathRe (bsc#1192153).
- CVE-2021-32803: Fixed insufficient symlink protection in node-tar allowing arbitrary file creation and overwrite (bsc#1191963).
- CVE-2021-32804: Fixed insufficient absolute path sanitization in node-tar allowing arbitrary file creation and overwrite (bsc#1191962).
- CVE-2021-3918: Fixed improper controlled modification of object prototype attributes in json-schema (bsc#1192696).
- CVE-2021-3807: Fixed regular expression denial of service (ReDoS) matching ANSI escape codes in node-ansi-regex (bsc#1192154).
Patchnames: openSUSE-SLE-15.3-2022-657,openSUSE-SLE-15.4-2022-657
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.1 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
25 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nodejs12",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nodejs12 fixes the following issues:\n\t \n- CVE-2021-23343: Fixed ReDoS via splitDeviceRe, splitTailRe and splitPathRe (bsc#1192153).\n- CVE-2021-32803: Fixed insufficient symlink protection in node-tar allowing arbitrary file creation and overwrite (bsc#1191963).\n- CVE-2021-32804: Fixed insufficient absolute path sanitization in node-tar allowing arbitrary file creation and overwrite (bsc#1191962).\n- CVE-2021-3918: Fixed improper controlled modification of object prototype attributes in json-schema (bsc#1192696).\n- CVE-2021-3807: Fixed regular expression denial of service (ReDoS) matching ANSI escape codes in node-ansi-regex (bsc#1192154).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-SLE-15.3-2022-657,openSUSE-SLE-15.4-2022-657",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_0657-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2022:0657-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NCH4EEBMT6XZIRNVGTNBOCQCY4JVZ4IN/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2022:0657-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NCH4EEBMT6XZIRNVGTNBOCQCY4JVZ4IN/"
},
{
"category": "self",
"summary": "SUSE Bug 1191962",
"url": "https://bugzilla.suse.com/1191962"
},
{
"category": "self",
"summary": "SUSE Bug 1191963",
"url": "https://bugzilla.suse.com/1191963"
},
{
"category": "self",
"summary": "SUSE Bug 1192153",
"url": "https://bugzilla.suse.com/1192153"
},
{
"category": "self",
"summary": "SUSE Bug 1192154",
"url": "https://bugzilla.suse.com/1192154"
},
{
"category": "self",
"summary": "SUSE Bug 1192696",
"url": "https://bugzilla.suse.com/1192696"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-23343 page",
"url": "https://www.suse.com/security/cve/CVE-2021-23343/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-32803 page",
"url": "https://www.suse.com/security/cve/CVE-2021-32803/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-32804 page",
"url": "https://www.suse.com/security/cve/CVE-2021-32804/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-3807 page",
"url": "https://www.suse.com/security/cve/CVE-2021-3807/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-3918 page",
"url": "https://www.suse.com/security/cve/CVE-2021-3918/"
}
],
"title": "Security update for nodejs12",
"tracking": {
"current_release_date": "2022-03-02T09:11:57Z",
"generator": {
"date": "2022-03-02T09:11:57Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2022:0657-1",
"initial_release_date": "2022-03-02T09:11:57Z",
"revision_history": [
{
"date": "2022-03-02T09:11:57Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "nodejs12-12.22.10-4.29.3.aarch64",
"product": {
"name": "nodejs12-12.22.10-4.29.3.aarch64",
"product_id": "nodejs12-12.22.10-4.29.3.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs12-devel-12.22.10-4.29.3.aarch64",
"product": {
"name": "nodejs12-devel-12.22.10-4.29.3.aarch64",
"product_id": "nodejs12-devel-12.22.10-4.29.3.aarch64"
}
},
{
"category": "product_version",
"name": "npm12-12.22.10-4.29.3.aarch64",
"product": {
"name": "npm12-12.22.10-4.29.3.aarch64",
"product_id": "npm12-12.22.10-4.29.3.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs12-docs-12.22.10-4.29.3.noarch",
"product": {
"name": "nodejs12-docs-12.22.10-4.29.3.noarch",
"product_id": "nodejs12-docs-12.22.10-4.29.3.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs12-12.22.10-4.29.3.ppc64le",
"product": {
"name": "nodejs12-12.22.10-4.29.3.ppc64le",
"product_id": "nodejs12-12.22.10-4.29.3.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs12-devel-12.22.10-4.29.3.ppc64le",
"product": {
"name": "nodejs12-devel-12.22.10-4.29.3.ppc64le",
"product_id": "nodejs12-devel-12.22.10-4.29.3.ppc64le"
}
},
{
"category": "product_version",
"name": "npm12-12.22.10-4.29.3.ppc64le",
"product": {
"name": "npm12-12.22.10-4.29.3.ppc64le",
"product_id": "npm12-12.22.10-4.29.3.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs12-12.22.10-4.29.3.s390x",
"product": {
"name": "nodejs12-12.22.10-4.29.3.s390x",
"product_id": "nodejs12-12.22.10-4.29.3.s390x"
}
},
{
"category": "product_version",
"name": "nodejs12-devel-12.22.10-4.29.3.s390x",
"product": {
"name": "nodejs12-devel-12.22.10-4.29.3.s390x",
"product_id": "nodejs12-devel-12.22.10-4.29.3.s390x"
}
},
{
"category": "product_version",
"name": "npm12-12.22.10-4.29.3.s390x",
"product": {
"name": "npm12-12.22.10-4.29.3.s390x",
"product_id": "npm12-12.22.10-4.29.3.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs12-12.22.10-4.29.3.x86_64",
"product": {
"name": "nodejs12-12.22.10-4.29.3.x86_64",
"product_id": "nodejs12-12.22.10-4.29.3.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs12-devel-12.22.10-4.29.3.x86_64",
"product": {
"name": "nodejs12-devel-12.22.10-4.29.3.x86_64",
"product_id": "nodejs12-devel-12.22.10-4.29.3.x86_64"
}
},
{
"category": "product_version",
"name": "npm12-12.22.10-4.29.3.x86_64",
"product": {
"name": "npm12-12.22.10-4.29.3.x86_64",
"product_id": "npm12-12.22.10-4.29.3.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.3",
"product": {
"name": "openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs12-12.22.10-4.29.3.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64"
},
"product_reference": "nodejs12-12.22.10-4.29.3.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs12-12.22.10-4.29.3.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le"
},
"product_reference": "nodejs12-12.22.10-4.29.3.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs12-12.22.10-4.29.3.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x"
},
"product_reference": "nodejs12-12.22.10-4.29.3.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs12-12.22.10-4.29.3.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64"
},
"product_reference": "nodejs12-12.22.10-4.29.3.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs12-devel-12.22.10-4.29.3.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64"
},
"product_reference": "nodejs12-devel-12.22.10-4.29.3.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs12-devel-12.22.10-4.29.3.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le"
},
"product_reference": "nodejs12-devel-12.22.10-4.29.3.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs12-devel-12.22.10-4.29.3.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x"
},
"product_reference": "nodejs12-devel-12.22.10-4.29.3.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs12-devel-12.22.10-4.29.3.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64"
},
"product_reference": "nodejs12-devel-12.22.10-4.29.3.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs12-docs-12.22.10-4.29.3.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch"
},
"product_reference": "nodejs12-docs-12.22.10-4.29.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm12-12.22.10-4.29.3.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64"
},
"product_reference": "npm12-12.22.10-4.29.3.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm12-12.22.10-4.29.3.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le"
},
"product_reference": "npm12-12.22.10-4.29.3.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm12-12.22.10-4.29.3.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x"
},
"product_reference": "npm12-12.22.10-4.29.3.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm12-12.22.10-4.29.3.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64"
},
"product_reference": "npm12-12.22.10-4.29.3.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-23343",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-23343"
}
],
"notes": [
{
"category": "general",
"text": "All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-23343",
"url": "https://www.suse.com/security/cve/CVE-2021-23343"
},
{
"category": "external",
"summary": "SUSE Bug 1192153 for CVE-2021-23343",
"url": "https://bugzilla.suse.com/1192153"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-02T09:11:57Z",
"details": "moderate"
}
],
"title": "CVE-2021-23343"
},
{
"cve": "CVE-2021-32803",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-32803"
}
],
"notes": [
{
"category": "general",
"text": "The npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-32803",
"url": "https://www.suse.com/security/cve/CVE-2021-32803"
},
{
"category": "external",
"summary": "SUSE Bug 1191962 for CVE-2021-32803",
"url": "https://bugzilla.suse.com/1191962"
},
{
"category": "external",
"summary": "SUSE Bug 1191963 for CVE-2021-32803",
"url": "https://bugzilla.suse.com/1191963"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-02T09:11:57Z",
"details": "important"
}
],
"title": "CVE-2021-32803"
},
{
"cve": "CVE-2021-32804",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-32804"
}
],
"notes": [
{
"category": "general",
"text": "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-32804",
"url": "https://www.suse.com/security/cve/CVE-2021-32804"
},
{
"category": "external",
"summary": "SUSE Bug 1191962 for CVE-2021-32804",
"url": "https://bugzilla.suse.com/1191962"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-02T09:11:57Z",
"details": "important"
}
],
"title": "CVE-2021-32804"
},
{
"cve": "CVE-2021-3807",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-3807"
}
],
"notes": [
{
"category": "general",
"text": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-3807",
"url": "https://www.suse.com/security/cve/CVE-2021-3807"
},
{
"category": "external",
"summary": "SUSE Bug 1192154 for CVE-2021-3807",
"url": "https://bugzilla.suse.com/1192154"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-02T09:11:57Z",
"details": "important"
}
],
"title": "CVE-2021-3807"
},
{
"cve": "CVE-2021-3918",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-3918"
}
],
"notes": [
{
"category": "general",
"text": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-3918",
"url": "https://www.suse.com/security/cve/CVE-2021-3918"
},
{
"category": "external",
"summary": "SUSE Bug 1192696 for CVE-2021-3918",
"url": "https://bugzilla.suse.com/1192696"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:nodejs12-devel-12.22.10-4.29.3.x86_64",
"openSUSE Leap 15.3:nodejs12-docs-12.22.10-4.29.3.noarch",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.aarch64",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.ppc64le",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.s390x",
"openSUSE Leap 15.3:npm12-12.22.10-4.29.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-02T09:11:57Z",
"details": "important"
}
],
"title": "CVE-2021-3918"
}
]
}
OPENSUSE-SU-2022:0704-1
Vulnerability from csaf_opensuse - Published: 2022-03-03 17:26 - Updated: 2022-03-03 17:26Summary
Security update for nodejs8
Severity
Important
Notes
Title of the patch: Security update for nodejs8
Description of the patch: This update for nodejs8 fixes the following issues:
- CVE-2021-23343: Fixed ReDoS via splitDeviceRe, splitTailRe and splitPathRe (bsc#1192153).
- CVE-2021-32803: Fixed insufficient symlink protection in node-tar allowing arbitrary file creation and overwrite (bsc#1191963).
- CVE-2021-32804: Fixed insufficient absolute path sanitization in node-tar allowing arbitrary file creation and overwrite (bsc#1191962).
- CVE-2021-3918: Fixed improper controlled modification of object prototype attributes in json-schema (bsc#1192696).
- CVE-2021-3807: Fixed regular expression denial of service (ReDoS) matching ANSI escape codes in node-ansi-regex (bsc#1192154).
Patchnames: openSUSE-SLE-15.3-2022-704,openSUSE-SLE-15.4-2022-704
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.1 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
25 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nodejs8",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nodejs8 fixes the following issues:\n\n- CVE-2021-23343: Fixed ReDoS via splitDeviceRe, splitTailRe and splitPathRe (bsc#1192153).\n- CVE-2021-32803: Fixed insufficient symlink protection in node-tar allowing arbitrary file creation and overwrite (bsc#1191963).\n- CVE-2021-32804: Fixed insufficient absolute path sanitization in node-tar allowing arbitrary file creation and overwrite (bsc#1191962).\n- CVE-2021-3918: Fixed improper controlled modification of object prototype attributes in json-schema (bsc#1192696).\n- CVE-2021-3807: Fixed regular expression denial of service (ReDoS) matching ANSI escape codes in node-ansi-regex (bsc#1192154).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-SLE-15.3-2022-704,openSUSE-SLE-15.4-2022-704",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_0704-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2022:0704-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4BTHU2F626CTZYCXOBT5S7GWU3QXNTMZ/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2022:0704-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4BTHU2F626CTZYCXOBT5S7GWU3QXNTMZ/"
},
{
"category": "self",
"summary": "SUSE Bug 1191962",
"url": "https://bugzilla.suse.com/1191962"
},
{
"category": "self",
"summary": "SUSE Bug 1191963",
"url": "https://bugzilla.suse.com/1191963"
},
{
"category": "self",
"summary": "SUSE Bug 1192153",
"url": "https://bugzilla.suse.com/1192153"
},
{
"category": "self",
"summary": "SUSE Bug 1192154",
"url": "https://bugzilla.suse.com/1192154"
},
{
"category": "self",
"summary": "SUSE Bug 1192696",
"url": "https://bugzilla.suse.com/1192696"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-23343 page",
"url": "https://www.suse.com/security/cve/CVE-2021-23343/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-32803 page",
"url": "https://www.suse.com/security/cve/CVE-2021-32803/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-32804 page",
"url": "https://www.suse.com/security/cve/CVE-2021-32804/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-3807 page",
"url": "https://www.suse.com/security/cve/CVE-2021-3807/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-3918 page",
"url": "https://www.suse.com/security/cve/CVE-2021-3918/"
}
],
"title": "Security update for nodejs8",
"tracking": {
"current_release_date": "2022-03-03T17:26:35Z",
"generator": {
"date": "2022-03-03T17:26:35Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2022:0704-1",
"initial_release_date": "2022-03-03T17:26:35Z",
"revision_history": [
{
"date": "2022-03-03T17:26:35Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "nodejs8-8.17.0-10.19.2.aarch64",
"product": {
"name": "nodejs8-8.17.0-10.19.2.aarch64",
"product_id": "nodejs8-8.17.0-10.19.2.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs8-devel-8.17.0-10.19.2.aarch64",
"product": {
"name": "nodejs8-devel-8.17.0-10.19.2.aarch64",
"product_id": "nodejs8-devel-8.17.0-10.19.2.aarch64"
}
},
{
"category": "product_version",
"name": "npm8-8.17.0-10.19.2.aarch64",
"product": {
"name": "npm8-8.17.0-10.19.2.aarch64",
"product_id": "npm8-8.17.0-10.19.2.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs8-docs-8.17.0-10.19.2.noarch",
"product": {
"name": "nodejs8-docs-8.17.0-10.19.2.noarch",
"product_id": "nodejs8-docs-8.17.0-10.19.2.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs8-8.17.0-10.19.2.ppc64le",
"product": {
"name": "nodejs8-8.17.0-10.19.2.ppc64le",
"product_id": "nodejs8-8.17.0-10.19.2.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs8-devel-8.17.0-10.19.2.ppc64le",
"product": {
"name": "nodejs8-devel-8.17.0-10.19.2.ppc64le",
"product_id": "nodejs8-devel-8.17.0-10.19.2.ppc64le"
}
},
{
"category": "product_version",
"name": "npm8-8.17.0-10.19.2.ppc64le",
"product": {
"name": "npm8-8.17.0-10.19.2.ppc64le",
"product_id": "npm8-8.17.0-10.19.2.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs8-8.17.0-10.19.2.s390x",
"product": {
"name": "nodejs8-8.17.0-10.19.2.s390x",
"product_id": "nodejs8-8.17.0-10.19.2.s390x"
}
},
{
"category": "product_version",
"name": "nodejs8-devel-8.17.0-10.19.2.s390x",
"product": {
"name": "nodejs8-devel-8.17.0-10.19.2.s390x",
"product_id": "nodejs8-devel-8.17.0-10.19.2.s390x"
}
},
{
"category": "product_version",
"name": "npm8-8.17.0-10.19.2.s390x",
"product": {
"name": "npm8-8.17.0-10.19.2.s390x",
"product_id": "npm8-8.17.0-10.19.2.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs8-8.17.0-10.19.2.x86_64",
"product": {
"name": "nodejs8-8.17.0-10.19.2.x86_64",
"product_id": "nodejs8-8.17.0-10.19.2.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs8-devel-8.17.0-10.19.2.x86_64",
"product": {
"name": "nodejs8-devel-8.17.0-10.19.2.x86_64",
"product_id": "nodejs8-devel-8.17.0-10.19.2.x86_64"
}
},
{
"category": "product_version",
"name": "npm8-8.17.0-10.19.2.x86_64",
"product": {
"name": "npm8-8.17.0-10.19.2.x86_64",
"product_id": "npm8-8.17.0-10.19.2.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.3",
"product": {
"name": "openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs8-8.17.0-10.19.2.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64"
},
"product_reference": "nodejs8-8.17.0-10.19.2.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs8-8.17.0-10.19.2.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le"
},
"product_reference": "nodejs8-8.17.0-10.19.2.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs8-8.17.0-10.19.2.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x"
},
"product_reference": "nodejs8-8.17.0-10.19.2.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs8-8.17.0-10.19.2.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64"
},
"product_reference": "nodejs8-8.17.0-10.19.2.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs8-devel-8.17.0-10.19.2.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64"
},
"product_reference": "nodejs8-devel-8.17.0-10.19.2.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs8-devel-8.17.0-10.19.2.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le"
},
"product_reference": "nodejs8-devel-8.17.0-10.19.2.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs8-devel-8.17.0-10.19.2.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x"
},
"product_reference": "nodejs8-devel-8.17.0-10.19.2.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs8-devel-8.17.0-10.19.2.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64"
},
"product_reference": "nodejs8-devel-8.17.0-10.19.2.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs8-docs-8.17.0-10.19.2.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch"
},
"product_reference": "nodejs8-docs-8.17.0-10.19.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm8-8.17.0-10.19.2.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64"
},
"product_reference": "npm8-8.17.0-10.19.2.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm8-8.17.0-10.19.2.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le"
},
"product_reference": "npm8-8.17.0-10.19.2.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm8-8.17.0-10.19.2.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x"
},
"product_reference": "npm8-8.17.0-10.19.2.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm8-8.17.0-10.19.2.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64"
},
"product_reference": "npm8-8.17.0-10.19.2.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-23343",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-23343"
}
],
"notes": [
{
"category": "general",
"text": "All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-23343",
"url": "https://www.suse.com/security/cve/CVE-2021-23343"
},
{
"category": "external",
"summary": "SUSE Bug 1192153 for CVE-2021-23343",
"url": "https://bugzilla.suse.com/1192153"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-03T17:26:35Z",
"details": "moderate"
}
],
"title": "CVE-2021-23343"
},
{
"cve": "CVE-2021-32803",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-32803"
}
],
"notes": [
{
"category": "general",
"text": "The npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-32803",
"url": "https://www.suse.com/security/cve/CVE-2021-32803"
},
{
"category": "external",
"summary": "SUSE Bug 1191962 for CVE-2021-32803",
"url": "https://bugzilla.suse.com/1191962"
},
{
"category": "external",
"summary": "SUSE Bug 1191963 for CVE-2021-32803",
"url": "https://bugzilla.suse.com/1191963"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-03T17:26:35Z",
"details": "important"
}
],
"title": "CVE-2021-32803"
},
{
"cve": "CVE-2021-32804",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-32804"
}
],
"notes": [
{
"category": "general",
"text": "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-32804",
"url": "https://www.suse.com/security/cve/CVE-2021-32804"
},
{
"category": "external",
"summary": "SUSE Bug 1191962 for CVE-2021-32804",
"url": "https://bugzilla.suse.com/1191962"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-03T17:26:35Z",
"details": "important"
}
],
"title": "CVE-2021-32804"
},
{
"cve": "CVE-2021-3807",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-3807"
}
],
"notes": [
{
"category": "general",
"text": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-3807",
"url": "https://www.suse.com/security/cve/CVE-2021-3807"
},
{
"category": "external",
"summary": "SUSE Bug 1192154 for CVE-2021-3807",
"url": "https://bugzilla.suse.com/1192154"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-03T17:26:35Z",
"details": "important"
}
],
"title": "CVE-2021-3807"
},
{
"cve": "CVE-2021-3918",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-3918"
}
],
"notes": [
{
"category": "general",
"text": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-3918",
"url": "https://www.suse.com/security/cve/CVE-2021-3918"
},
{
"category": "external",
"summary": "SUSE Bug 1192696 for CVE-2021-3918",
"url": "https://bugzilla.suse.com/1192696"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:nodejs8-devel-8.17.0-10.19.2.x86_64",
"openSUSE Leap 15.3:nodejs8-docs-8.17.0-10.19.2.noarch",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.aarch64",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.ppc64le",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.s390x",
"openSUSE Leap 15.3:npm8-8.17.0-10.19.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-03T17:26:35Z",
"details": "important"
}
],
"title": "CVE-2021-3918"
}
]
}
OPENSUSE-SU-2022:0715-1
Vulnerability from csaf_opensuse - Published: 2022-03-04 08:37 - Updated: 2022-03-04 08:37Summary
Security update for nodejs14
Severity
Important
Notes
Title of the patch: Security update for nodejs14
Description of the patch: This update for nodejs14 fixes the following issues:
- CVE-2021-23343: Fixed ReDoS via splitDeviceRe, splitTailRe and splitPathRe (bsc#1192153).
- CVE-2021-32803: Fixed insufficient symlink protection in node-tar allowing arbitrary file creation and overwrite (bsc#1191963).
- CVE-2021-32804: Fixed insufficient absolute path sanitization in node-tar allowing arbitrary file creation and overwrite (bsc#1191962).
- CVE-2021-3918: Fixed improper controlled modification of object prototype attributes in json-schema (bsc#1192696).
- CVE-2021-3807: Fixed regular expression denial of service (ReDoS) matching ANSI escape codes in node-ansi-regex (bsc#1192154).
Patchnames: openSUSE-SLE-15.3-2022-715,openSUSE-SLE-15.4-2022-715
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.1 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
25 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nodejs14",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nodejs14 fixes the following issues:\n\n- CVE-2021-23343: Fixed ReDoS via splitDeviceRe, splitTailRe and splitPathRe (bsc#1192153).\n- CVE-2021-32803: Fixed insufficient symlink protection in node-tar allowing arbitrary file creation and overwrite (bsc#1191963).\n- CVE-2021-32804: Fixed insufficient absolute path sanitization in node-tar allowing arbitrary file creation and overwrite (bsc#1191962).\n- CVE-2021-3918: Fixed improper controlled modification of object prototype attributes in json-schema (bsc#1192696).\n- CVE-2021-3807: Fixed regular expression denial of service (ReDoS) matching ANSI escape codes in node-ansi-regex (bsc#1192154).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-SLE-15.3-2022-715,openSUSE-SLE-15.4-2022-715",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_0715-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2022:0715-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VAM6LOV2R24IH5PPUWLXB64PALLMBOTU/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2022:0715-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VAM6LOV2R24IH5PPUWLXB64PALLMBOTU/"
},
{
"category": "self",
"summary": "SUSE Bug 1191962",
"url": "https://bugzilla.suse.com/1191962"
},
{
"category": "self",
"summary": "SUSE Bug 1191963",
"url": "https://bugzilla.suse.com/1191963"
},
{
"category": "self",
"summary": "SUSE Bug 1192153",
"url": "https://bugzilla.suse.com/1192153"
},
{
"category": "self",
"summary": "SUSE Bug 1192154",
"url": "https://bugzilla.suse.com/1192154"
},
{
"category": "self",
"summary": "SUSE Bug 1192696",
"url": "https://bugzilla.suse.com/1192696"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-23343 page",
"url": "https://www.suse.com/security/cve/CVE-2021-23343/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-32803 page",
"url": "https://www.suse.com/security/cve/CVE-2021-32803/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-32804 page",
"url": "https://www.suse.com/security/cve/CVE-2021-32804/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-3807 page",
"url": "https://www.suse.com/security/cve/CVE-2021-3807/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-3918 page",
"url": "https://www.suse.com/security/cve/CVE-2021-3918/"
}
],
"title": "Security update for nodejs14",
"tracking": {
"current_release_date": "2022-03-04T08:37:55Z",
"generator": {
"date": "2022-03-04T08:37:55Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2022:0715-1",
"initial_release_date": "2022-03-04T08:37:55Z",
"revision_history": [
{
"date": "2022-03-04T08:37:55Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "nodejs14-14.19.0-15.27.1.aarch64",
"product": {
"name": "nodejs14-14.19.0-15.27.1.aarch64",
"product_id": "nodejs14-14.19.0-15.27.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs14-devel-14.19.0-15.27.1.aarch64",
"product": {
"name": "nodejs14-devel-14.19.0-15.27.1.aarch64",
"product_id": "nodejs14-devel-14.19.0-15.27.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm14-14.19.0-15.27.1.aarch64",
"product": {
"name": "npm14-14.19.0-15.27.1.aarch64",
"product_id": "npm14-14.19.0-15.27.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs14-docs-14.19.0-15.27.1.noarch",
"product": {
"name": "nodejs14-docs-14.19.0-15.27.1.noarch",
"product_id": "nodejs14-docs-14.19.0-15.27.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs14-14.19.0-15.27.1.ppc64le",
"product": {
"name": "nodejs14-14.19.0-15.27.1.ppc64le",
"product_id": "nodejs14-14.19.0-15.27.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs14-devel-14.19.0-15.27.1.ppc64le",
"product": {
"name": "nodejs14-devel-14.19.0-15.27.1.ppc64le",
"product_id": "nodejs14-devel-14.19.0-15.27.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm14-14.19.0-15.27.1.ppc64le",
"product": {
"name": "npm14-14.19.0-15.27.1.ppc64le",
"product_id": "npm14-14.19.0-15.27.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs14-14.19.0-15.27.1.s390x",
"product": {
"name": "nodejs14-14.19.0-15.27.1.s390x",
"product_id": "nodejs14-14.19.0-15.27.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs14-devel-14.19.0-15.27.1.s390x",
"product": {
"name": "nodejs14-devel-14.19.0-15.27.1.s390x",
"product_id": "nodejs14-devel-14.19.0-15.27.1.s390x"
}
},
{
"category": "product_version",
"name": "npm14-14.19.0-15.27.1.s390x",
"product": {
"name": "npm14-14.19.0-15.27.1.s390x",
"product_id": "npm14-14.19.0-15.27.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs14-14.19.0-15.27.1.x86_64",
"product": {
"name": "nodejs14-14.19.0-15.27.1.x86_64",
"product_id": "nodejs14-14.19.0-15.27.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs14-devel-14.19.0-15.27.1.x86_64",
"product": {
"name": "nodejs14-devel-14.19.0-15.27.1.x86_64",
"product_id": "nodejs14-devel-14.19.0-15.27.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm14-14.19.0-15.27.1.x86_64",
"product": {
"name": "npm14-14.19.0-15.27.1.x86_64",
"product_id": "npm14-14.19.0-15.27.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.3",
"product": {
"name": "openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs14-14.19.0-15.27.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64"
},
"product_reference": "nodejs14-14.19.0-15.27.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs14-14.19.0-15.27.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le"
},
"product_reference": "nodejs14-14.19.0-15.27.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs14-14.19.0-15.27.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x"
},
"product_reference": "nodejs14-14.19.0-15.27.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs14-14.19.0-15.27.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64"
},
"product_reference": "nodejs14-14.19.0-15.27.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs14-devel-14.19.0-15.27.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64"
},
"product_reference": "nodejs14-devel-14.19.0-15.27.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs14-devel-14.19.0-15.27.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le"
},
"product_reference": "nodejs14-devel-14.19.0-15.27.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs14-devel-14.19.0-15.27.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x"
},
"product_reference": "nodejs14-devel-14.19.0-15.27.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs14-devel-14.19.0-15.27.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64"
},
"product_reference": "nodejs14-devel-14.19.0-15.27.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs14-docs-14.19.0-15.27.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch"
},
"product_reference": "nodejs14-docs-14.19.0-15.27.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm14-14.19.0-15.27.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64"
},
"product_reference": "npm14-14.19.0-15.27.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm14-14.19.0-15.27.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le"
},
"product_reference": "npm14-14.19.0-15.27.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm14-14.19.0-15.27.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x"
},
"product_reference": "npm14-14.19.0-15.27.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm14-14.19.0-15.27.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64"
},
"product_reference": "npm14-14.19.0-15.27.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-23343",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-23343"
}
],
"notes": [
{
"category": "general",
"text": "All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-23343",
"url": "https://www.suse.com/security/cve/CVE-2021-23343"
},
{
"category": "external",
"summary": "SUSE Bug 1192153 for CVE-2021-23343",
"url": "https://bugzilla.suse.com/1192153"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-04T08:37:55Z",
"details": "moderate"
}
],
"title": "CVE-2021-23343"
},
{
"cve": "CVE-2021-32803",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-32803"
}
],
"notes": [
{
"category": "general",
"text": "The npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-32803",
"url": "https://www.suse.com/security/cve/CVE-2021-32803"
},
{
"category": "external",
"summary": "SUSE Bug 1191962 for CVE-2021-32803",
"url": "https://bugzilla.suse.com/1191962"
},
{
"category": "external",
"summary": "SUSE Bug 1191963 for CVE-2021-32803",
"url": "https://bugzilla.suse.com/1191963"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-04T08:37:55Z",
"details": "important"
}
],
"title": "CVE-2021-32803"
},
{
"cve": "CVE-2021-32804",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-32804"
}
],
"notes": [
{
"category": "general",
"text": "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-32804",
"url": "https://www.suse.com/security/cve/CVE-2021-32804"
},
{
"category": "external",
"summary": "SUSE Bug 1191962 for CVE-2021-32804",
"url": "https://bugzilla.suse.com/1191962"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-04T08:37:55Z",
"details": "important"
}
],
"title": "CVE-2021-32804"
},
{
"cve": "CVE-2021-3807",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-3807"
}
],
"notes": [
{
"category": "general",
"text": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-3807",
"url": "https://www.suse.com/security/cve/CVE-2021-3807"
},
{
"category": "external",
"summary": "SUSE Bug 1192154 for CVE-2021-3807",
"url": "https://bugzilla.suse.com/1192154"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-04T08:37:55Z",
"details": "important"
}
],
"title": "CVE-2021-3807"
},
{
"cve": "CVE-2021-3918",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-3918"
}
],
"notes": [
{
"category": "general",
"text": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-3918",
"url": "https://www.suse.com/security/cve/CVE-2021-3918"
},
{
"category": "external",
"summary": "SUSE Bug 1192696 for CVE-2021-3918",
"url": "https://bugzilla.suse.com/1192696"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:nodejs14-devel-14.19.0-15.27.1.x86_64",
"openSUSE Leap 15.3:nodejs14-docs-14.19.0-15.27.1.noarch",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.aarch64",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.ppc64le",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.s390x",
"openSUSE Leap 15.3:npm14-14.19.0-15.27.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-04T08:37:55Z",
"details": "important"
}
],
"title": "CVE-2021-3918"
}
]
}
OPENSUSE-SU-2024:12723-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
grafana-9.3.6-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: grafana-9.3.6-1.1 on GA media
Description of the patch: These are all security issues fixed in the grafana-9.3.6-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-12723
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.8 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
24 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "grafana-9.3.6-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the grafana-9.3.6-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12723",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12723-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-7753 page",
"url": "https://www.suse.com/security/cve/CVE-2020-7753/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-3807 page",
"url": "https://www.suse.com/security/cve/CVE-2021-3807/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-3918 page",
"url": "https://www.suse.com/security/cve/CVE-2021-3918/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-43138 page",
"url": "https://www.suse.com/security/cve/CVE-2021-43138/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-0155 page",
"url": "https://www.suse.com/security/cve/CVE-2022-0155/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-27664 page",
"url": "https://www.suse.com/security/cve/CVE-2022-27664/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-32149 page",
"url": "https://www.suse.com/security/cve/CVE-2022-32149/"
}
],
"title": "grafana-9.3.6-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12723-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.3.6-1.1.aarch64",
"product": {
"name": "grafana-9.3.6-1.1.aarch64",
"product_id": "grafana-9.3.6-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.3.6-1.1.ppc64le",
"product": {
"name": "grafana-9.3.6-1.1.ppc64le",
"product_id": "grafana-9.3.6-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.3.6-1.1.s390x",
"product": {
"name": "grafana-9.3.6-1.1.s390x",
"product_id": "grafana-9.3.6-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.3.6-1.1.x86_64",
"product": {
"name": "grafana-9.3.6-1.1.x86_64",
"product_id": "grafana-9.3.6-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.3.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64"
},
"product_reference": "grafana-9.3.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.3.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le"
},
"product_reference": "grafana-9.3.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.3.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x"
},
"product_reference": "grafana-9.3.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.3.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
},
"product_reference": "grafana-9.3.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-7753",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-7753"
}
],
"notes": [
{
"category": "general",
"text": "All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-7753",
"url": "https://www.suse.com/security/cve/CVE-2020-7753"
},
{
"category": "external",
"summary": "SUSE Bug 1218843 for CVE-2020-7753",
"url": "https://bugzilla.suse.com/1218843"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2020-7753"
},
{
"cve": "CVE-2021-3807",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-3807"
}
],
"notes": [
{
"category": "general",
"text": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-3807",
"url": "https://www.suse.com/security/cve/CVE-2021-3807"
},
{
"category": "external",
"summary": "SUSE Bug 1192154 for CVE-2021-3807",
"url": "https://bugzilla.suse.com/1192154"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2021-3807"
},
{
"cve": "CVE-2021-3918",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-3918"
}
],
"notes": [
{
"category": "general",
"text": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-3918",
"url": "https://www.suse.com/security/cve/CVE-2021-3918"
},
{
"category": "external",
"summary": "SUSE Bug 1192696 for CVE-2021-3918",
"url": "https://bugzilla.suse.com/1192696"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2021-3918"
},
{
"cve": "CVE-2021-43138",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-43138"
}
],
"notes": [
{
"category": "general",
"text": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-43138",
"url": "https://www.suse.com/security/cve/CVE-2021-43138"
},
{
"category": "external",
"summary": "SUSE Bug 1200480 for CVE-2021-43138",
"url": "https://bugzilla.suse.com/1200480"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2021-43138"
},
{
"cve": "CVE-2022-0155",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-0155"
}
],
"notes": [
{
"category": "general",
"text": "follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-0155",
"url": "https://www.suse.com/security/cve/CVE-2022-0155"
},
{
"category": "external",
"summary": "SUSE Bug 1218844 for CVE-2022-0155",
"url": "https://bugzilla.suse.com/1218844"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-0155"
},
{
"cve": "CVE-2022-27664",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-27664"
}
],
"notes": [
{
"category": "general",
"text": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-27664",
"url": "https://www.suse.com/security/cve/CVE-2022-27664"
},
{
"category": "external",
"summary": "SUSE Bug 1203185 for CVE-2022-27664",
"url": "https://bugzilla.suse.com/1203185"
},
{
"category": "external",
"summary": "SUSE Bug 1203293 for CVE-2022-27664",
"url": "https://bugzilla.suse.com/1203293"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-27664"
},
{
"cve": "CVE-2022-32149",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-32149"
}
],
"notes": [
{
"category": "general",
"text": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-32149",
"url": "https://www.suse.com/security/cve/CVE-2022-32149"
},
{
"category": "external",
"summary": "SUSE Bug 1204501 for CVE-2022-32149",
"url": "https://bugzilla.suse.com/1204501"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-9.3.6-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-32149"
}
]
}
RHEA-2022:4925
Vulnerability from csaf_redhat - Published: 2022-06-07 08:24 - Updated: 2026-06-02 17:36Summary
Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update
Severity
Important
Notes
Topic: An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.
Details: Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.
Bug Fix(es) and Enhancement(s):
* nodejs:12/nodejs: rebase to last upstream release (BZ#2084654)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.
9.8 (Critical)
Affected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Important
An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.
6.1 (Medium)
Affected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Low
An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.
6.1 (Medium)
Affected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in the npm package "tar" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.
8.1 (High)
Affected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the npm package "tar" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.
8.1 (High)
Affected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host.
7.4 (High)
Affected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.
7.4 (High)
Affected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries.
7.4 (High)
Affected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.
8.2 (High)
Affected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Low
References
45 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.",
"title": "Topic"
},
{
"category": "general",
"text": "Node.js is a software development platform for building fast and scalable\nnetwork applications in the JavaScript programming language.\n\nBug Fix(es) and Enhancement(s):\n\n* nodejs:12/nodejs: rebase to last upstream release (BZ#2084654)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHEA-2022:4925",
"url": "https://access.redhat.com/errata/RHEA-2022:4925"
},
{
"category": "external",
"summary": "2084654",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2084654"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhea-2022_4925.json"
}
],
"title": "Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-06-02T17:36:45+00:00",
"generator": {
"date": "2026-06-02T17:36:45+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHEA-2022:4925",
"initial_release_date": "2022-06-07T08:24:22+00:00",
"revision_history": [
{
"date": "2022-06-07T08:24:22+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-06-07T08:24:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-02T17:36:45+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:8.1::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=src\u0026epoch=1\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
},
{
"category": "product_version",
"name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"product": {
"name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src (nodejs:12)",
"product_id": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-nodemon@1.18.3-1.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=src\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
},
{
"category": "product_version",
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"product": {
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src (nodejs:12)",
"product_id": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=src\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"product": {
"name": "nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch (nodejs:12)",
"product_id": "nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-docs@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=noarch\u0026epoch=1\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
},
{
"category": "product_version",
"name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"product": {
"name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch (nodejs:12)",
"product_id": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-nodemon@1.18.3-1.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=noarch\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
},
{
"category": "product_version",
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"product": {
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch (nodejs:12)",
"product_id": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=noarch\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"product": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le (nodejs:12)",
"product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"product": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le (nodejs:12)",
"product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"product": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le (nodejs:12)",
"product_id": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"product": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le (nodejs:12)",
"product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"product": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le (nodejs:12)",
"product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64 (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"product": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64 (nodejs:12)",
"product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"product": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64 (nodejs:12)",
"product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"product": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64 (nodejs:12)",
"product_id": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"product": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64 (nodejs:12)",
"product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"product": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64 (nodejs:12)",
"product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8010020220518102644:c27ad7f8"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12"
},
"product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
},
"product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12"
},
"product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
},
"product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12"
},
"product_reference": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
},
"product_reference": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12"
},
"product_reference": "nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12"
},
"product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
},
"product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12"
},
"product_reference": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12"
},
"product_reference": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12"
},
"product_reference": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12"
},
"product_reference": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12"
},
"product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
},
"product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.1.0.Z.E4S"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-3918",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2021-11-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2024702"
}
],
"notes": [
{
"category": "description",
"text": "The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-json-schema: Prototype pollution vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "npm versions 8.0.0 and older provide a vulnerable version of the json-schema library. However, it is currently believed that in the context of npm, it is not possible to take advantage of the vulnerability.\n\nRed Hat Enterprise Linux version 8 and Software Collections provide a vulnerable version of the json-schema library only as embedded in the npm package. As a result, the severity of the incident has been lowered for these 2 products.\n\nRed Hat Quay includes json-schema as a development dependency of quay-registry-container. As a result, the impact rating has been lowered to Moderate.\n\nIn Red Hat OpenShift Container Platform (RHOCP), Red Hat Openshift Data Foundations (ODF), Red Hat distributed tracing, Migration Toolkit for Virtualization (MTV) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are behind OpenShift OAuth. This restricts access to the vulnerable json-schema library to authenticated users only, therefore the impact is reduced to Moderate.\n\nIn Red Hat Openshift Data Foundations (ODF) the odf4/mcg-core-rhel8 component has \"Will not fix status\", but starting from ODF 4.11 stream this component contains already patched version of the json-schema library. Earlier version of ODF are already under Maintenance Support phase, hence this vulnerability will not be fixed.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3918"
},
{
"category": "external",
"summary": "RHBZ#2024702",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3918"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918"
}
],
"release_date": "2021-10-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-07T08:24:22+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:4925"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs-json-schema: Prototype pollution vulnerability"
},
{
"cve": "CVE-2021-22959",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-10-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2014057"
}
],
"notes": [
{
"category": "description",
"text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "llhttp: HTTP Request Smuggling due to spaces in headers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-22959"
},
{
"category": "external",
"summary": "RHBZ#2014057",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014057"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-22959",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22959"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/"
}
],
"release_date": "2021-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-07T08:24:22+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:4925"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "llhttp: HTTP Request Smuggling due to spaces in headers"
},
{
"cve": "CVE-2021-22960",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-10-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2014059"
}
],
"notes": [
{
"category": "description",
"text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-22960"
},
{
"category": "external",
"summary": "RHBZ#2014059",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014059"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-22960",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22960"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/"
}
],
"release_date": "2021-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-07T08:24:22+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:4925"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests"
},
{
"cve": "CVE-2021-37701",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"discovery_date": "2021-08-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1999731"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-37701"
},
{
"category": "external",
"summary": "RHBZ#1999731",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-37701",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37701"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701"
},
{
"category": "external",
"summary": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc",
"url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc"
},
{
"category": "external",
"summary": "https://www.npmjs.com/advisories/1779",
"url": "https://www.npmjs.com/advisories/1779"
}
],
"release_date": "2021-08-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-07T08:24:22+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:4925"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite"
},
{
"cve": "CVE-2021-37712",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"discovery_date": "2021-08-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1999739"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-37712"
},
{
"category": "external",
"summary": "RHBZ#1999739",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-37712",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37712"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712"
},
{
"category": "external",
"summary": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p",
"url": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p"
},
{
"category": "external",
"summary": "https://www.npmjs.com/advisories/1780",
"url": "https://www.npmjs.com/advisories/1780"
}
],
"release_date": "2021-08-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-07T08:24:22+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:4925"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite"
},
{
"cve": "CVE-2021-44531",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040839"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in node.js where it accepted a certificate\u0027s Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Improper handling of URI Subject Alternative Names",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44531"
},
{
"category": "external",
"summary": "RHBZ#2040839",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040839"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44531",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44531"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-07T08:24:22+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:4925"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Improper handling of URI Subject Alternative Names"
},
{
"cve": "CVE-2021-44532",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040846"
}
],
"notes": [
{
"category": "description",
"text": "It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Certificate Verification Bypass via String Injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44532"
},
{
"category": "external",
"summary": "RHBZ#2040846",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040846"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44532",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44532"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-07T08:24:22+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:4925"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Certificate Verification Bypass via String Injection"
},
{
"cve": "CVE-2021-44533",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040856"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Incorrect handling of certificate subject and issuer fields",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally, there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore, the Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44533"
},
{
"category": "external",
"summary": "RHBZ#2040856",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040856"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44533",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44533"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-07T08:24:22+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:4925"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Incorrect handling of certificate subject and issuer fields"
},
{
"cve": "CVE-2022-21824",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040862"
}
],
"notes": [
{
"category": "description",
"text": "Due to the formatting logic of the \"console.table()\" function it was not safe to allow user controlled input to be passed to the \"properties\" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be \"__proto__\". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js \u003e= 12.22.9, \u003e= 14.18.3, \u003e= 16.13.2, and \u003e= 17.3.1 use a null protoype for the object these properties are being assigned to.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Prototype pollution via console.table properties",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-21824"
},
{
"category": "external",
"summary": "RHBZ#2040862",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040862"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-21824",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21824"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-07T08:24:22+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:4925"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.1.0.Z.E4S:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le::nodejs:12",
"AppStream-8.1.0.Z.E4S:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Prototype pollution via console.table properties"
}
]
}
RHEA-2022:5139
Vulnerability from csaf_redhat - Published: 2022-06-21 12:40 - Updated: 2026-06-02 17:36Summary
Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update
Severity
Moderate
Notes
Topic: An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.
Details: Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.
Bug Fix(es) and Enhancement(s):
* nodejs:12/nodejs: rebase to last upstream release (BZ#2084651)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.
9.8 (Critical)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.
6.1 (Medium)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Low
An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.
6.1 (Medium)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in the npm package "tar" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.
8.1 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the npm package "tar" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.
8.1 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host.
7.4 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.
7.4 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries.
7.4 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.
8.2 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Low
References
45 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.",
"title": "Topic"
},
{
"category": "general",
"text": "Node.js is a software development platform for building fast and scalable\nnetwork applications in the JavaScript programming language.\n\nBug Fix(es) and Enhancement(s):\n\n* nodejs:12/nodejs: rebase to last upstream release (BZ#2084651)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHEA-2022:5139",
"url": "https://access.redhat.com/errata/RHEA-2022:5139"
},
{
"category": "external",
"summary": "2084651",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2084651"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhea-2022_5139.json"
}
],
"title": "Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-06-02T17:36:45+00:00",
"generator": {
"date": "2026-06-02T17:36:45+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHEA-2022:5139",
"initial_release_date": "2022-06-21T12:40:06+00:00",
"revision_history": [
{
"date": "2022-06-21T12:40:06+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-06-21T12:40:06+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-02T17:36:45+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64 (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"product": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64 (nodejs:12)",
"product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"product": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64 (nodejs:12)",
"product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"product": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64 (nodejs:12)",
"product_id": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"product": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64 (nodejs:12)",
"product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"product": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64 (nodejs:12)",
"product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=src\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"product": {
"name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src (nodejs:12)",
"product_id": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.3-1.module%2Bel8.4.0%2B11732%2Bc668cc9f?arch=src\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"product": {
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src (nodejs:12)",
"product_id": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=src\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"product": {
"name": "nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch (nodejs:12)",
"product_id": "nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-docs@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=noarch\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"product": {
"name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch (nodejs:12)",
"product_id": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.3-1.module%2Bel8.4.0%2B11732%2Bc668cc9f?arch=noarch\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"product": {
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch (nodejs:12)",
"product_id": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=noarch\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"product": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le (nodejs:12)",
"product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"product": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le (nodejs:12)",
"product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"product": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le (nodejs:12)",
"product_id": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"product": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le (nodejs:12)",
"product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"product": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le (nodejs:12)",
"product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"product": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x (nodejs:12)",
"product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"product": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x (nodejs:12)",
"product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"product": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x (nodejs:12)",
"product_id": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"product": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x (nodejs:12)",
"product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"product": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x (nodejs:12)",
"product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64 (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"product": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64 (nodejs:12)",
"product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"product": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64 (nodejs:12)",
"product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"product": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64 (nodejs:12)",
"product_id": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"product": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64 (nodejs:12)",
"product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"product": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64 (nodejs:12)",
"product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8060020220523160029:ad008a3a"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12"
},
"product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12"
},
"product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12"
},
"product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
},
"product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12"
},
"product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12"
},
"product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12"
},
"product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
},
"product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12"
},
"product_reference": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12"
},
"product_reference": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12"
},
"product_reference": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
},
"product_reference": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12"
},
"product_reference": "nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12"
},
"product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12"
},
"product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12"
},
"product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
},
"product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12"
},
"product_reference": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12"
},
"product_reference": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12"
},
"product_reference": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12"
},
"product_reference": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12"
},
"product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12"
},
"product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12"
},
"product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
},
"product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-3918",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2021-11-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2024702"
}
],
"notes": [
{
"category": "description",
"text": "The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-json-schema: Prototype pollution vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "npm versions 8.0.0 and older provide a vulnerable version of the json-schema library. However, it is currently believed that in the context of npm, it is not possible to take advantage of the vulnerability.\n\nRed Hat Enterprise Linux version 8 and Software Collections provide a vulnerable version of the json-schema library only as embedded in the npm package. As a result, the severity of the incident has been lowered for these 2 products.\n\nRed Hat Quay includes json-schema as a development dependency of quay-registry-container. As a result, the impact rating has been lowered to Moderate.\n\nIn Red Hat OpenShift Container Platform (RHOCP), Red Hat Openshift Data Foundations (ODF), Red Hat distributed tracing, Migration Toolkit for Virtualization (MTV) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are behind OpenShift OAuth. This restricts access to the vulnerable json-schema library to authenticated users only, therefore the impact is reduced to Moderate.\n\nIn Red Hat Openshift Data Foundations (ODF) the odf4/mcg-core-rhel8 component has \"Will not fix status\", but starting from ODF 4.11 stream this component contains already patched version of the json-schema library. Earlier version of ODF are already under Maintenance Support phase, hence this vulnerability will not be fixed.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3918"
},
{
"category": "external",
"summary": "RHBZ#2024702",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3918"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918"
}
],
"release_date": "2021-10-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-21T12:40:06+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5139"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-json-schema: Prototype pollution vulnerability"
},
{
"cve": "CVE-2021-22959",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-10-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2014057"
}
],
"notes": [
{
"category": "description",
"text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "llhttp: HTTP Request Smuggling due to spaces in headers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-22959"
},
{
"category": "external",
"summary": "RHBZ#2014057",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014057"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-22959",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22959"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/"
}
],
"release_date": "2021-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-21T12:40:06+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5139"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "llhttp: HTTP Request Smuggling due to spaces in headers"
},
{
"cve": "CVE-2021-22960",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-10-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2014059"
}
],
"notes": [
{
"category": "description",
"text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-22960"
},
{
"category": "external",
"summary": "RHBZ#2014059",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014059"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-22960",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22960"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/"
}
],
"release_date": "2021-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-21T12:40:06+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5139"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests"
},
{
"cve": "CVE-2021-37701",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"discovery_date": "2021-08-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1999731"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-37701"
},
{
"category": "external",
"summary": "RHBZ#1999731",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-37701",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37701"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701"
},
{
"category": "external",
"summary": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc",
"url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc"
},
{
"category": "external",
"summary": "https://www.npmjs.com/advisories/1779",
"url": "https://www.npmjs.com/advisories/1779"
}
],
"release_date": "2021-08-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-21T12:40:06+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5139"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite"
},
{
"cve": "CVE-2021-37712",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"discovery_date": "2021-08-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1999739"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-37712"
},
{
"category": "external",
"summary": "RHBZ#1999739",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-37712",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37712"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712"
},
{
"category": "external",
"summary": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p",
"url": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p"
},
{
"category": "external",
"summary": "https://www.npmjs.com/advisories/1780",
"url": "https://www.npmjs.com/advisories/1780"
}
],
"release_date": "2021-08-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-21T12:40:06+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5139"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite"
},
{
"cve": "CVE-2021-44531",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040839"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in node.js where it accepted a certificate\u0027s Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Improper handling of URI Subject Alternative Names",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44531"
},
{
"category": "external",
"summary": "RHBZ#2040839",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040839"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44531",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44531"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-21T12:40:06+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5139"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Improper handling of URI Subject Alternative Names"
},
{
"cve": "CVE-2021-44532",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040846"
}
],
"notes": [
{
"category": "description",
"text": "It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Certificate Verification Bypass via String Injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44532"
},
{
"category": "external",
"summary": "RHBZ#2040846",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040846"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44532",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44532"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-21T12:40:06+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5139"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Certificate Verification Bypass via String Injection"
},
{
"cve": "CVE-2021-44533",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040856"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Incorrect handling of certificate subject and issuer fields",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally, there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore, the Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44533"
},
{
"category": "external",
"summary": "RHBZ#2040856",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040856"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44533",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44533"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-21T12:40:06+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5139"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Incorrect handling of certificate subject and issuer fields"
},
{
"cve": "CVE-2022-21824",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040862"
}
],
"notes": [
{
"category": "description",
"text": "Due to the formatting logic of the \"console.table()\" function it was not safe to allow user controlled input to be passed to the \"properties\" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be \"__proto__\". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js \u003e= 12.22.9, \u003e= 14.18.3, \u003e= 16.13.2, and \u003e= 17.3.1 use a null protoype for the object these properties are being assigned to.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Prototype pollution via console.table properties",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-21824"
},
{
"category": "external",
"summary": "RHBZ#2040862",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040862"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-21824",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21824"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-21T12:40:06+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5139"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x::nodejs:12",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Prototype pollution via console.table properties"
}
]
}
RHEA-2022:5221
Vulnerability from csaf_redhat - Published: 2022-06-28 07:58 - Updated: 2026-06-02 17:36Summary
Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update
Severity
Important
Notes
Topic: An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.
Details: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Bug Fix(es) and Enhancement(s):
* nodejs:12/nodejs: rebase to last upstream release (BZ#2084653)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.
9.8 (Critical)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Important
An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.
6.1 (Medium)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Low
An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.
6.1 (Medium)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in the npm package "tar" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.
8.1 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the npm package "tar" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.
8.1 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host.
7.4 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.
7.4 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries.
7.4 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.
8.2 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Low
References
45 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.",
"title": "Topic"
},
{
"category": "general",
"text": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.\n\nBug Fix(es) and Enhancement(s):\n\n* nodejs:12/nodejs: rebase to last upstream release (BZ#2084653)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHEA-2022:5221",
"url": "https://access.redhat.com/errata/RHEA-2022:5221"
},
{
"category": "external",
"summary": "2084653",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2084653"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhea-2022_5221.json"
}
],
"title": "Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-06-02T17:36:46+00:00",
"generator": {
"date": "2026-06-02T17:36:46+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHEA-2022:5221",
"initial_release_date": "2022-06-28T07:58:19+00:00",
"revision_history": [
{
"date": "2022-06-28T07:58:19+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-06-28T07:58:19+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-02T17:36:46+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:8.2::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64 (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"product": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64 (nodejs:12)",
"product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"product": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64 (nodejs:12)",
"product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"product": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64 (nodejs:12)",
"product_id": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"product": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64 (nodejs:12)",
"product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"product": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64 (nodejs:12)",
"product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=src\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"product": {
"name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src (nodejs:12)",
"product_id": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-nodemon@1.18.3-1.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=src\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"product": {
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src (nodejs:12)",
"product_id": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=src\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"product": {
"name": "nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch (nodejs:12)",
"product_id": "nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-docs@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=noarch\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"product": {
"name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch (nodejs:12)",
"product_id": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-nodemon@1.18.3-1.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=noarch\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"product": {
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch (nodejs:12)",
"product_id": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=noarch\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"product": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le (nodejs:12)",
"product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"product": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le (nodejs:12)",
"product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"product": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le (nodejs:12)",
"product_id": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"product": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le (nodejs:12)",
"product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"product": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le (nodejs:12)",
"product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"product": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x (nodejs:12)",
"product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"product": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x (nodejs:12)",
"product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"product": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x (nodejs:12)",
"product_id": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"product": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x (nodejs:12)",
"product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"product": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x (nodejs:12)",
"product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64 (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"product": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64 (nodejs:12)",
"product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"product": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64 (nodejs:12)",
"product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"product": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64 (nodejs:12)",
"product_id": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"product": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64 (nodejs:12)",
"product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"product": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64 (nodejs:12)",
"product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8020020220523154454:4cda2c84"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12"
},
"product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12"
},
"product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12"
},
"product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
},
"product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12"
},
"product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12"
},
"product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12"
},
"product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
},
"product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12"
},
"product_reference": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12"
},
"product_reference": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12"
},
"product_reference": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
},
"product_reference": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12"
},
"product_reference": "nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12"
},
"product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12"
},
"product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12"
},
"product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
},
"product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12"
},
"product_reference": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12"
},
"product_reference": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12"
},
"product_reference": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12"
},
"product_reference": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12"
},
"product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12"
},
"product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12"
},
"product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
},
"product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-3918",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2021-11-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2024702"
}
],
"notes": [
{
"category": "description",
"text": "The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-json-schema: Prototype pollution vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "npm versions 8.0.0 and older provide a vulnerable version of the json-schema library. However, it is currently believed that in the context of npm, it is not possible to take advantage of the vulnerability.\n\nRed Hat Enterprise Linux version 8 and Software Collections provide a vulnerable version of the json-schema library only as embedded in the npm package. As a result, the severity of the incident has been lowered for these 2 products.\n\nRed Hat Quay includes json-schema as a development dependency of quay-registry-container. As a result, the impact rating has been lowered to Moderate.\n\nIn Red Hat OpenShift Container Platform (RHOCP), Red Hat Openshift Data Foundations (ODF), Red Hat distributed tracing, Migration Toolkit for Virtualization (MTV) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are behind OpenShift OAuth. This restricts access to the vulnerable json-schema library to authenticated users only, therefore the impact is reduced to Moderate.\n\nIn Red Hat Openshift Data Foundations (ODF) the odf4/mcg-core-rhel8 component has \"Will not fix status\", but starting from ODF 4.11 stream this component contains already patched version of the json-schema library. Earlier version of ODF are already under Maintenance Support phase, hence this vulnerability will not be fixed.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3918"
},
{
"category": "external",
"summary": "RHBZ#2024702",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3918"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918"
}
],
"release_date": "2021-10-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-28T07:58:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5221"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs-json-schema: Prototype pollution vulnerability"
},
{
"cve": "CVE-2021-22959",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-10-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2014057"
}
],
"notes": [
{
"category": "description",
"text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "llhttp: HTTP Request Smuggling due to spaces in headers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-22959"
},
{
"category": "external",
"summary": "RHBZ#2014057",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014057"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-22959",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22959"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/"
}
],
"release_date": "2021-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-28T07:58:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5221"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "llhttp: HTTP Request Smuggling due to spaces in headers"
},
{
"cve": "CVE-2021-22960",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-10-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2014059"
}
],
"notes": [
{
"category": "description",
"text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-22960"
},
{
"category": "external",
"summary": "RHBZ#2014059",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014059"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-22960",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22960"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/"
}
],
"release_date": "2021-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-28T07:58:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5221"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests"
},
{
"cve": "CVE-2021-37701",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"discovery_date": "2021-08-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1999731"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-37701"
},
{
"category": "external",
"summary": "RHBZ#1999731",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-37701",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37701"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701"
},
{
"category": "external",
"summary": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc",
"url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc"
},
{
"category": "external",
"summary": "https://www.npmjs.com/advisories/1779",
"url": "https://www.npmjs.com/advisories/1779"
}
],
"release_date": "2021-08-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-28T07:58:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5221"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite"
},
{
"cve": "CVE-2021-37712",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"discovery_date": "2021-08-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1999739"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-37712"
},
{
"category": "external",
"summary": "RHBZ#1999739",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-37712",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37712"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712"
},
{
"category": "external",
"summary": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p",
"url": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p"
},
{
"category": "external",
"summary": "https://www.npmjs.com/advisories/1780",
"url": "https://www.npmjs.com/advisories/1780"
}
],
"release_date": "2021-08-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-28T07:58:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5221"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite"
},
{
"cve": "CVE-2021-44531",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040839"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in node.js where it accepted a certificate\u0027s Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Improper handling of URI Subject Alternative Names",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44531"
},
{
"category": "external",
"summary": "RHBZ#2040839",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040839"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44531",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44531"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-28T07:58:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5221"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Improper handling of URI Subject Alternative Names"
},
{
"cve": "CVE-2021-44532",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040846"
}
],
"notes": [
{
"category": "description",
"text": "It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Certificate Verification Bypass via String Injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44532"
},
{
"category": "external",
"summary": "RHBZ#2040846",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040846"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44532",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44532"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-28T07:58:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5221"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Certificate Verification Bypass via String Injection"
},
{
"cve": "CVE-2021-44533",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040856"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Incorrect handling of certificate subject and issuer fields",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally, there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore, the Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44533"
},
{
"category": "external",
"summary": "RHBZ#2040856",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040856"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44533",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44533"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-28T07:58:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5221"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Incorrect handling of certificate subject and issuer fields"
},
{
"cve": "CVE-2022-21824",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040862"
}
],
"notes": [
{
"category": "description",
"text": "Due to the formatting logic of the \"console.table()\" function it was not safe to allow user controlled input to be passed to the \"properties\" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be \"__proto__\". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js \u003e= 12.22.9, \u003e= 14.18.3, \u003e= 16.13.2, and \u003e= 17.3.1 use a null protoype for the object these properties are being assigned to.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Prototype pollution via console.table properties",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-21824"
},
{
"category": "external",
"summary": "RHBZ#2040862",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040862"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-21824",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21824"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-28T07:58:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5221"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.2.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x::nodejs:12",
"AppStream-8.2.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Prototype pollution via console.table properties"
}
]
}
RHEA-2022:5615
Vulnerability from csaf_redhat - Published: 2022-07-19 21:07 - Updated: 2026-06-02 17:36Summary
Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update
Severity
Important
Notes
Topic: An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.
Details: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Bug Fix(es) and Enhancement(s):
* nodejs:12/nodejs: rebase to last upstream release (BZ#2084652)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.
9.8 (Critical)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Important
An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.
6.1 (Medium)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Low
An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.
6.1 (Medium)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in the npm package "tar" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.
8.1 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the npm package "tar" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.
8.1 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host.
7.4 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.
7.4 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries.
7.4 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.
8.2 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12 | — |
Vendor Fix
fix
|
Threats
Impact
Low
References
45 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.",
"title": "Topic"
},
{
"category": "general",
"text": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.\n\nBug Fix(es) and Enhancement(s):\n\n* nodejs:12/nodejs: rebase to last upstream release (BZ#2084652)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHEA-2022:5615",
"url": "https://access.redhat.com/errata/RHEA-2022:5615"
},
{
"category": "external",
"summary": "2084652",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2084652"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhea-2022_5615.json"
}
],
"title": "Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-06-02T17:36:51+00:00",
"generator": {
"date": "2026-06-02T17:36:51+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHEA-2022:5615",
"initial_release_date": "2022-07-19T21:07:21+00:00",
"revision_history": [
{
"date": "2022-07-19T21:07:21+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-07-19T21:07:21+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-02T17:36:51+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:8.4::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64 (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"product": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64 (nodejs:12)",
"product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"product": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64 (nodejs:12)",
"product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"product": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64 (nodejs:12)",
"product_id": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"product": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64 (nodejs:12)",
"product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"product": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64 (nodejs:12)",
"product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=src\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"product": {
"name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src (nodejs:12)",
"product_id": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.3-1.module%2Bel8.4.0%2B11732%2Bc668cc9f?arch=src\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"product": {
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src (nodejs:12)",
"product_id": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=src\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"product": {
"name": "nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch (nodejs:12)",
"product_id": "nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-docs@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=noarch\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"product": {
"name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch (nodejs:12)",
"product_id": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.3-1.module%2Bel8.4.0%2B11732%2Bc668cc9f?arch=noarch\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"product": {
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch (nodejs:12)",
"product_id": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=noarch\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"product": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le (nodejs:12)",
"product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"product": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le (nodejs:12)",
"product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"product": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le (nodejs:12)",
"product_id": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"product": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le (nodejs:12)",
"product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"product": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le (nodejs:12)",
"product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"product": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x (nodejs:12)",
"product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"product": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x (nodejs:12)",
"product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"product": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x (nodejs:12)",
"product_id": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"product": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x (nodejs:12)",
"product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"product": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x (nodejs:12)",
"product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"product": {
"name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64 (nodejs:12)",
"product_id": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"product": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64 (nodejs:12)",
"product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"product": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64 (nodejs:12)",
"product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"product": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64 (nodejs:12)",
"product_id": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"product": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64 (nodejs:12)",
"product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"product": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64 (nodejs:12)",
"product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:12:8040020220523155137:522a0ee4"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
},
"product_reference": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12"
},
"product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12"
},
"product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12"
},
"product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
},
"product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12"
},
"product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12"
},
"product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12"
},
"product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
},
"product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12"
},
"product_reference": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12"
},
"product_reference": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12"
},
"product_reference": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
},
"product_reference": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12"
},
"product_reference": "nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12"
},
"product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12"
},
"product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12"
},
"product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
},
"product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12"
},
"product_reference": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12"
},
"product_reference": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12"
},
"product_reference": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12"
},
"product_reference": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12"
},
"product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12"
},
"product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12"
},
"product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64 (nodejs:12) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
},
"product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-3918",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2021-11-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2024702"
}
],
"notes": [
{
"category": "description",
"text": "The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-json-schema: Prototype pollution vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "npm versions 8.0.0 and older provide a vulnerable version of the json-schema library. However, it is currently believed that in the context of npm, it is not possible to take advantage of the vulnerability.\n\nRed Hat Enterprise Linux version 8 and Software Collections provide a vulnerable version of the json-schema library only as embedded in the npm package. As a result, the severity of the incident has been lowered for these 2 products.\n\nRed Hat Quay includes json-schema as a development dependency of quay-registry-container. As a result, the impact rating has been lowered to Moderate.\n\nIn Red Hat OpenShift Container Platform (RHOCP), Red Hat Openshift Data Foundations (ODF), Red Hat distributed tracing, Migration Toolkit for Virtualization (MTV) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are behind OpenShift OAuth. This restricts access to the vulnerable json-schema library to authenticated users only, therefore the impact is reduced to Moderate.\n\nIn Red Hat Openshift Data Foundations (ODF) the odf4/mcg-core-rhel8 component has \"Will not fix status\", but starting from ODF 4.11 stream this component contains already patched version of the json-schema library. Earlier version of ODF are already under Maintenance Support phase, hence this vulnerability will not be fixed.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3918"
},
{
"category": "external",
"summary": "RHBZ#2024702",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3918"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918"
}
],
"release_date": "2021-10-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-07-19T21:07:21+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5615"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs-json-schema: Prototype pollution vulnerability"
},
{
"cve": "CVE-2021-22959",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-10-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2014057"
}
],
"notes": [
{
"category": "description",
"text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "llhttp: HTTP Request Smuggling due to spaces in headers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-22959"
},
{
"category": "external",
"summary": "RHBZ#2014057",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014057"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-22959",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22959"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/"
}
],
"release_date": "2021-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-07-19T21:07:21+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5615"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "llhttp: HTTP Request Smuggling due to spaces in headers"
},
{
"cve": "CVE-2021-22960",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-10-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2014059"
}
],
"notes": [
{
"category": "description",
"text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-22960"
},
{
"category": "external",
"summary": "RHBZ#2014059",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014059"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-22960",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22960"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/"
}
],
"release_date": "2021-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-07-19T21:07:21+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5615"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests"
},
{
"cve": "CVE-2021-37701",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"discovery_date": "2021-08-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1999731"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-37701"
},
{
"category": "external",
"summary": "RHBZ#1999731",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-37701",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37701"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701"
},
{
"category": "external",
"summary": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc",
"url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc"
},
{
"category": "external",
"summary": "https://www.npmjs.com/advisories/1779",
"url": "https://www.npmjs.com/advisories/1779"
}
],
"release_date": "2021-08-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-07-19T21:07:21+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5615"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite"
},
{
"cve": "CVE-2021-37712",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"discovery_date": "2021-08-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1999739"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-37712"
},
{
"category": "external",
"summary": "RHBZ#1999739",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-37712",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37712"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712"
},
{
"category": "external",
"summary": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p",
"url": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p"
},
{
"category": "external",
"summary": "https://www.npmjs.com/advisories/1780",
"url": "https://www.npmjs.com/advisories/1780"
}
],
"release_date": "2021-08-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-07-19T21:07:21+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5615"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite"
},
{
"cve": "CVE-2021-44531",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040839"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in node.js where it accepted a certificate\u0027s Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Improper handling of URI Subject Alternative Names",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44531"
},
{
"category": "external",
"summary": "RHBZ#2040839",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040839"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44531",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44531"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-07-19T21:07:21+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5615"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Improper handling of URI Subject Alternative Names"
},
{
"cve": "CVE-2021-44532",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040846"
}
],
"notes": [
{
"category": "description",
"text": "It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Certificate Verification Bypass via String Injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44532"
},
{
"category": "external",
"summary": "RHBZ#2040846",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040846"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44532",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44532"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-07-19T21:07:21+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5615"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Certificate Verification Bypass via String Injection"
},
{
"cve": "CVE-2021-44533",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040856"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Incorrect handling of certificate subject and issuer fields",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally, there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore, the Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44533"
},
{
"category": "external",
"summary": "RHBZ#2040856",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040856"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44533",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44533"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-07-19T21:07:21+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5615"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Incorrect handling of certificate subject and issuer fields"
},
{
"cve": "CVE-2022-21824",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040862"
}
],
"notes": [
{
"category": "description",
"text": "Due to the formatting logic of the \"console.table()\" function it was not safe to allow user controlled input to be passed to the \"properties\" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be \"__proto__\". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js \u003e= 12.22.9, \u003e= 14.18.3, \u003e= 16.13.2, and \u003e= 17.3.1 use a null protoype for the object these properties are being assigned to.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Prototype pollution via console.table properties",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-21824"
},
{
"category": "external",
"summary": "RHBZ#2040862",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040862"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-21824",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21824"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-07-19T21:07:21+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2022:5615"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch::nodejs:12",
"AppStream-8.4.0.Z.EUS:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x::nodejs:12",
"AppStream-8.4.0.Z.EUS:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64::nodejs:12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Prototype pollution via console.table properties"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…