Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-35256 (GCVE-0-2022-35256)
Vulnerability from cvelistv5 – Published: 2022-12-05 00:00 – Updated: 2025-04-30 22:24
VLAI
EPSS
Summary
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-444 - HTTP Request Smuggling (CWE-444)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NodeJS | Node |
Affected:
4.0 , < 4.*
(semver)
Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.20.1 (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.17.1 (semver) Affected: 17.0 , < 17.* (semver) Affected: 18.0 , < 18.9.1 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:29:17.444Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://hackerone.com/reports/1675191"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"
},
{
"name": "DSA-5326",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5326"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-35256",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T13:21:44.276405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T13:22:44.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Node",
"vendor": "NodeJS",
"versions": [
{
"lessThan": "4.*",
"status": "affected",
"version": "4.0",
"versionType": "semver"
},
{
"lessThan": "5.*",
"status": "affected",
"version": "5.0",
"versionType": "semver"
},
{
"lessThan": "6.*",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "7.*",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "8.*",
"status": "affected",
"version": "8.0",
"versionType": "semver"
},
{
"lessThan": "9.*",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "10.*",
"status": "affected",
"version": "10.0",
"versionType": "semver"
},
{
"lessThan": "11.*",
"status": "affected",
"version": "11.0",
"versionType": "semver"
},
{
"lessThan": "12.*",
"status": "affected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThan": "13.*",
"status": "affected",
"version": "13.0",
"versionType": "semver"
},
{
"lessThan": "14.20.1",
"status": "affected",
"version": "14.0",
"versionType": "semver"
},
{
"lessThan": "15.*",
"status": "affected",
"version": "15.0",
"versionType": "semver"
},
{
"lessThan": "16.17.1",
"status": "affected",
"version": "16.0",
"versionType": "semver"
},
{
"lessThan": "17.*",
"status": "affected",
"version": "17.0",
"versionType": "semver"
},
{
"lessThan": "18.9.1",
"status": "affected",
"version": "18.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "HTTP Request Smuggling (CWE-444)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T22:24:47.709Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://hackerone.com/reports/1675191"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"
},
{
"name": "DSA-5326",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5326"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2022-35256",
"datePublished": "2022-12-05T00:00:00.000Z",
"dateReserved": "2022-07-06T00:00:00.000Z",
"dateUpdated": "2025-04-30T22:24:47.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-35256",
"date": "2026-06-04",
"epss": "0.03694",
"percentile": "0.88151"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*\", \"versionStartIncluding\": \"14.0.0\", \"versionEndIncluding\": \"14.14.0\", \"matchCriteriaId\": \"428DCD7B-6F66-4F18-B780-5BD80143D482\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*\", \"versionStartIncluding\": \"14.15.0\", \"versionEndExcluding\": \"14.20.1\", \"matchCriteriaId\": \"1D907C43-56F3-4FB8-8F20-C90C65EE5A08\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*\", \"versionStartIncluding\": \"16.0.0\", \"versionEndIncluding\": \"16.12.0\", \"matchCriteriaId\": \"1D1D0CEC-62E5-4368-B8F2-1DA5DD0B88FA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*\", \"versionStartIncluding\": \"16.13.0\", \"versionEndExcluding\": \"16.17.1\", \"matchCriteriaId\": \"09BD0FC2-5AA1-4A22-8432-A2EEA314FE09\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*\", \"versionStartIncluding\": \"18.0.0\", \"versionEndExcluding\": \"18.9.1\", \"matchCriteriaId\": \"DA8C00DD-A6E5-4E3D-8DD4-F4B51F5C208A\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*\", \"versionEndExcluding\": \"6.0.10\", \"matchCriteriaId\": \"1D7F3488-19BB-4E97-AC9F-23F847F53774\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.0\", \"matchCriteriaId\": \"C89891C1-DFD7-4E1F-80A9-7485D86A15B5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"4664B195-AF14-4834-82B3-0B2C98020EB6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*\", \"matchCriteriaId\": \"75BC588E-CDF0-404E-AD61-02093A1DF343\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:sinec_ins:1.0:sp2:*:*:*:*:*:*\", \"matchCriteriaId\": \"A334F7B4-7283-4453-BAED-D2E01B7F8A6E\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.\"}, {\"lang\": \"es\", \"value\": \"El analizador llhttp en el m\\u00f3dulo http en Node v18.7.0 no maneja correctamente los campos de encabezado que no terminan con CLRF. Esto puede resultar en tr\\u00e1fico ilegal de solicitudes HTTP.\"}]",
"id": "CVE-2022-35256",
"lastModified": "2024-11-21T07:10:59.073",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 2.5}]}",
"published": "2022-12-05T22:15:10.570",
"references": "[{\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf\", \"source\": \"support@hackerone.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://hackerone.com/reports/1675191\", \"source\": \"support@hackerone.com\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2023/dsa-5326\", \"source\": \"support@hackerone.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://hackerone.com/reports/1675191\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2023/dsa-5326\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"support@hackerone.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-444\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-444\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-35256\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2022-12-05T22:15:10.570\",\"lastModified\":\"2025-04-24T14:15:32.277\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.\"},{\"lang\":\"es\",\"value\":\"El analizador llhttp en el m\u00f3dulo http en Node v18.7.0 no maneja correctamente los campos de encabezado que no terminan con CLRF. Esto puede resultar en tr\u00e1fico ilegal de solicitudes HTTP.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"14.0.0\",\"versionEndIncluding\":\"14.14.0\",\"matchCriteriaId\":\"428DCD7B-6F66-4F18-B780-5BD80143D482\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"14.15.0\",\"versionEndExcluding\":\"14.20.1\",\"matchCriteriaId\":\"1D907C43-56F3-4FB8-8F20-C90C65EE5A08\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"16.0.0\",\"versionEndIncluding\":\"16.12.0\",\"matchCriteriaId\":\"1D1D0CEC-62E5-4368-B8F2-1DA5DD0B88FA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"16.13.0\",\"versionEndExcluding\":\"16.17.1\",\"matchCriteriaId\":\"09BD0FC2-5AA1-4A22-8432-A2EEA314FE09\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"18.0.0\",\"versionEndExcluding\":\"18.9.1\",\"matchCriteriaId\":\"DA8C00DD-A6E5-4E3D-8DD4-F4B51F5C208A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"6.0.10\",\"matchCriteriaId\":\"1D7F3488-19BB-4E97-AC9F-23F847F53774\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.0\",\"matchCriteriaId\":\"C89891C1-DFD7-4E1F-80A9-7485D86A15B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"4664B195-AF14-4834-82B3-0B2C98020EB6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*\",\"matchCriteriaId\":\"75BC588E-CDF0-404E-AD61-02093A1DF343\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:sinec_ins:1.0:sp2:*:*:*:*:*:*\",\"matchCriteriaId\":\"A334F7B4-7283-4453-BAED-D2E01B7F8A6E\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}],\"references\":[{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/1675191\",\"source\":\"support@hackerone.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2023/dsa-5326\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/1675191\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2023/dsa-5326\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://hackerone.com/reports/1675191\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.debian.org/security/2023/dsa-5326\", \"name\": \"DSA-5326\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T09:29:17.444Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-35256\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-24T13:21:44.276405Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-24T13:22:35.447Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"NodeJS\", \"product\": \"Node\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.0\", \"lessThan\": \"4.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"5.0\", \"lessThan\": \"5.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"6.0\", \"lessThan\": \"6.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"7.0\", \"lessThan\": \"7.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"8.0\", \"lessThan\": \"8.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.0\", \"lessThan\": \"9.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"10.0\", \"lessThan\": \"10.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"11.0\", \"lessThan\": \"11.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.0\", \"lessThan\": \"12.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"13.0\", \"lessThan\": \"13.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"14.0\", \"lessThan\": \"14.20.1\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"15.0\", \"lessThan\": \"15.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"16.0\", \"lessThan\": \"16.17.1\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"17.0\", \"lessThan\": \"17.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"18.0\", \"lessThan\": \"18.9.1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://hackerone.com/reports/1675191\"}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf\"}, {\"url\": \"https://www.debian.org/security/2023/dsa-5326\", \"name\": \"DSA-5326\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-444\", \"description\": \"HTTP Request Smuggling (CWE-444)\"}]}], \"providerMetadata\": {\"orgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"shortName\": \"hackerone\", \"dateUpdated\": \"2025-04-30T22:24:47.709Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-35256\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-30T22:24:47.709Z\", \"dateReserved\": \"2022-07-06T00:00:00.000Z\", \"assignerOrgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"datePublished\": \"2022-12-05T00:00:00.000Z\", \"assignerShortName\": \"hackerone\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
MSRC_CVE-2022-35256
Vulnerability from csaf_microsoft - Published: 2022-12-02 00:00 - Updated: 2026-02-18 01:54Summary
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
Notes
Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
6.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 18530-16820 | — | ||
| Unresolved product id: 17269-17086 | — | ||
| Unresolved product id: 17735-17084 | — |
Known affected
3 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17084-2 | — | ||
| Unresolved product id: 17084-1 | — |
References
4 references
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2022/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2022/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2022-35256 The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-35256.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.",
"tracking": {
"current_release_date": "2026-02-18T01:54:19.000Z",
"generator": {
"date": "2026-02-18T13:43:13.127Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2022-35256",
"initial_release_date": "2022-12-02T00:00:00.000Z",
"revision_history": [
{
"date": "2022-12-09T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2023-04-25T00:00:00.000Z",
"legacy_version": "1.1",
"number": "2",
"summary": "Added nghttp2 to CBL-Mariner 2.0"
},
{
"date": "2026-02-18T01:54:19.000Z",
"legacy_version": "1.2",
"number": "3",
"summary": "Information published."
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "1.0",
"product": {
"name": "CBL Mariner 1.0",
"product_id": "16820"
}
},
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
},
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccm1 nodejs 14.21.1-1",
"product": {
"name": "\u003ccm1 nodejs 14.21.1-1",
"product_id": "3"
}
},
{
"category": "product_version",
"name": "cm1 nodejs 14.21.1-1",
"product": {
"name": "cm1 nodejs 14.21.1-1",
"product_id": "18530"
}
}
],
"category": "product_name",
"name": "nodejs"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccbl2 rust 1.68.0-1",
"product": {
"name": "\u003ccbl2 rust 1.68.0-1",
"product_id": "5"
}
},
{
"category": "product_version",
"name": "cbl2 rust 1.68.0-1",
"product": {
"name": "cbl2 rust 1.68.0-1",
"product_id": "17269"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 rust 1.75.0-1",
"product": {
"name": "\u003cazl3 rust 1.75.0-1",
"product_id": "4"
}
},
{
"category": "product_version",
"name": "azl3 rust 1.75.0-1",
"product": {
"name": "azl3 rust 1.75.0-1",
"product_id": "17735"
}
}
],
"category": "product_name",
"name": "rust"
},
{
"category": "product_name",
"name": "azl3 rust 1.75.0-14",
"product": {
"name": "azl3 rust 1.75.0-14",
"product_id": "2"
}
},
{
"category": "product_name",
"name": "azl3 rust 1.86.0-1",
"product": {
"name": "azl3 rust 1.86.0-1",
"product_id": "1"
}
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccm1 nodejs 14.21.1-1 as a component of CBL Mariner 1.0",
"product_id": "16820-3"
},
"product_reference": "3",
"relates_to_product_reference": "16820"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cm1 nodejs 14.21.1-1 as a component of CBL Mariner 1.0",
"product_id": "18530-16820"
},
"product_reference": "18530",
"relates_to_product_reference": "16820"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 rust 1.68.0-1 as a component of CBL Mariner 2.0",
"product_id": "17086-5"
},
"product_reference": "5",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 rust 1.68.0-1 as a component of CBL Mariner 2.0",
"product_id": "17269-17086"
},
"product_reference": "17269",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 rust 1.75.0-1 as a component of Azure Linux 3.0",
"product_id": "17084-4"
},
"product_reference": "4",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 rust 1.75.0-1 as a component of Azure Linux 3.0",
"product_id": "17735-17084"
},
"product_reference": "17735",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 rust 1.75.0-14 as a component of Azure Linux 3.0",
"product_id": "17084-2"
},
"product_reference": "2",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 rust 1.86.0-1 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-35256",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"flags": [
{
"label": "vulnerable_code_not_in_execute_path",
"product_ids": [
"17084-2",
"17084-1"
]
}
],
"notes": [
{
"category": "general",
"text": "hackerone",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"18530-16820",
"17269-17086",
"17735-17084"
],
"known_affected": [
"16820-3",
"17086-5",
"17084-4"
],
"known_not_affected": [
"17084-2",
"17084-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2022-35256 The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-35256.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-09T00:00:00.000Z",
"details": "14.21.1-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"16820-3"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2022-12-09T00:00:00.000Z",
"details": "1.68.0-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-5"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2022-12-09T00:00:00.000Z",
"details": "1.75.0-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-4"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalsScore": 0.0,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 6.5,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"16820-3",
"17086-5",
"17084-4"
]
}
],
"title": "The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling."
}
]
}
OPENSUSE-SU-2024:12370-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
corepack16-16.17.1-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: corepack16-16.17.1-1.1 on GA media
Description of the patch: These are all security issues fixed in the corepack16-16.17.1-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-12370
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.8 (Medium)
Affected products
Recommended
20 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack16-16.17.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack16-16.17.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack16-16.17.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack16-16.17.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-16.17.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-16.17.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-16.17.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-16.17.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm16-16.17.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm16-16.17.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm16-16.17.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm16-16.17.1-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.2 (High)
Affected products
Recommended
20 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack16-16.17.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack16-16.17.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack16-16.17.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack16-16.17.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-16.17.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-16.17.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-16.17.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-16.17.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm16-16.17.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm16-16.17.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm16-16.17.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm16-16.17.1-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
20 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack16-16.17.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack16-16.17.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack16-16.17.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack16-16.17.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-16.17.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-16.17.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-16.17.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-16.17.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm16-16.17.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm16-16.17.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm16-16.17.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm16-16.17.1-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
11 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "corepack16-16.17.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the corepack16-16.17.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12370",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12370-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-32215 page",
"url": "https://www.suse.com/security/cve/CVE-2022-32215/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35255 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35255/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35256 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35256/"
}
],
"title": "corepack16-16.17.1-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12370-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "corepack16-16.17.1-1.1.aarch64",
"product": {
"name": "corepack16-16.17.1-1.1.aarch64",
"product_id": "corepack16-16.17.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs16-16.17.1-1.1.aarch64",
"product": {
"name": "nodejs16-16.17.1-1.1.aarch64",
"product_id": "nodejs16-16.17.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs16-devel-16.17.1-1.1.aarch64",
"product": {
"name": "nodejs16-devel-16.17.1-1.1.aarch64",
"product_id": "nodejs16-devel-16.17.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs16-docs-16.17.1-1.1.aarch64",
"product": {
"name": "nodejs16-docs-16.17.1-1.1.aarch64",
"product_id": "nodejs16-docs-16.17.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm16-16.17.1-1.1.aarch64",
"product": {
"name": "npm16-16.17.1-1.1.aarch64",
"product_id": "npm16-16.17.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack16-16.17.1-1.1.ppc64le",
"product": {
"name": "corepack16-16.17.1-1.1.ppc64le",
"product_id": "corepack16-16.17.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs16-16.17.1-1.1.ppc64le",
"product": {
"name": "nodejs16-16.17.1-1.1.ppc64le",
"product_id": "nodejs16-16.17.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs16-devel-16.17.1-1.1.ppc64le",
"product": {
"name": "nodejs16-devel-16.17.1-1.1.ppc64le",
"product_id": "nodejs16-devel-16.17.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs16-docs-16.17.1-1.1.ppc64le",
"product": {
"name": "nodejs16-docs-16.17.1-1.1.ppc64le",
"product_id": "nodejs16-docs-16.17.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm16-16.17.1-1.1.ppc64le",
"product": {
"name": "npm16-16.17.1-1.1.ppc64le",
"product_id": "npm16-16.17.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack16-16.17.1-1.1.s390x",
"product": {
"name": "corepack16-16.17.1-1.1.s390x",
"product_id": "corepack16-16.17.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs16-16.17.1-1.1.s390x",
"product": {
"name": "nodejs16-16.17.1-1.1.s390x",
"product_id": "nodejs16-16.17.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs16-devel-16.17.1-1.1.s390x",
"product": {
"name": "nodejs16-devel-16.17.1-1.1.s390x",
"product_id": "nodejs16-devel-16.17.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs16-docs-16.17.1-1.1.s390x",
"product": {
"name": "nodejs16-docs-16.17.1-1.1.s390x",
"product_id": "nodejs16-docs-16.17.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "npm16-16.17.1-1.1.s390x",
"product": {
"name": "npm16-16.17.1-1.1.s390x",
"product_id": "npm16-16.17.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack16-16.17.1-1.1.x86_64",
"product": {
"name": "corepack16-16.17.1-1.1.x86_64",
"product_id": "corepack16-16.17.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs16-16.17.1-1.1.x86_64",
"product": {
"name": "nodejs16-16.17.1-1.1.x86_64",
"product_id": "nodejs16-16.17.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs16-devel-16.17.1-1.1.x86_64",
"product": {
"name": "nodejs16-devel-16.17.1-1.1.x86_64",
"product_id": "nodejs16-devel-16.17.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs16-docs-16.17.1-1.1.x86_64",
"product": {
"name": "nodejs16-docs-16.17.1-1.1.x86_64",
"product_id": "nodejs16-docs-16.17.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm16-16.17.1-1.1.x86_64",
"product": {
"name": "npm16-16.17.1-1.1.x86_64",
"product_id": "npm16-16.17.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack16-16.17.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack16-16.17.1-1.1.aarch64"
},
"product_reference": "corepack16-16.17.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack16-16.17.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack16-16.17.1-1.1.ppc64le"
},
"product_reference": "corepack16-16.17.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack16-16.17.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack16-16.17.1-1.1.s390x"
},
"product_reference": "corepack16-16.17.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack16-16.17.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack16-16.17.1-1.1.x86_64"
},
"product_reference": "corepack16-16.17.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs16-16.17.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs16-16.17.1-1.1.aarch64"
},
"product_reference": "nodejs16-16.17.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs16-16.17.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs16-16.17.1-1.1.ppc64le"
},
"product_reference": "nodejs16-16.17.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs16-16.17.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs16-16.17.1-1.1.s390x"
},
"product_reference": "nodejs16-16.17.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs16-16.17.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs16-16.17.1-1.1.x86_64"
},
"product_reference": "nodejs16-16.17.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs16-devel-16.17.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.aarch64"
},
"product_reference": "nodejs16-devel-16.17.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs16-devel-16.17.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.ppc64le"
},
"product_reference": "nodejs16-devel-16.17.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs16-devel-16.17.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.s390x"
},
"product_reference": "nodejs16-devel-16.17.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs16-devel-16.17.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.x86_64"
},
"product_reference": "nodejs16-devel-16.17.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs16-docs-16.17.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.aarch64"
},
"product_reference": "nodejs16-docs-16.17.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs16-docs-16.17.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.ppc64le"
},
"product_reference": "nodejs16-docs-16.17.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs16-docs-16.17.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.s390x"
},
"product_reference": "nodejs16-docs-16.17.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs16-docs-16.17.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.x86_64"
},
"product_reference": "nodejs16-docs-16.17.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm16-16.17.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm16-16.17.1-1.1.aarch64"
},
"product_reference": "npm16-16.17.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm16-16.17.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm16-16.17.1-1.1.ppc64le"
},
"product_reference": "npm16-16.17.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm16-16.17.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm16-16.17.1-1.1.s390x"
},
"product_reference": "npm16-16.17.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm16-16.17.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm16-16.17.1-1.1.x86_64"
},
"product_reference": "npm16-16.17.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-32215",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-32215"
}
],
"notes": [
{
"category": "general",
"text": "The llhttp parser \u003cv14.20.1, \u003cv16.17.1 and \u003cv18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-32215",
"url": "https://www.suse.com/security/cve/CVE-2022-32215"
},
{
"category": "external",
"summary": "SUSE Bug 1201327 for CVE-2022-32215",
"url": "https://bugzilla.suse.com/1201327"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-32215"
},
{
"cve": "CVE-2022-35255",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35255"
}
],
"notes": [
{
"category": "general",
"text": "A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35255",
"url": "https://www.suse.com/security/cve/CVE-2022-35255"
},
{
"category": "external",
"summary": "SUSE Bug 1203831 for CVE-2022-35255",
"url": "https://bugzilla.suse.com/1203831"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-35255"
},
{
"cve": "CVE-2022-35256",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35256"
}
],
"notes": [
{
"category": "general",
"text": "The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35256",
"url": "https://www.suse.com/security/cve/CVE-2022-35256"
},
{
"category": "external",
"summary": "SUSE Bug 1203832 for CVE-2022-35256",
"url": "https://bugzilla.suse.com/1203832"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:corepack16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-devel-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:nodejs16-docs-16.17.1-1.1.x86_64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.aarch64",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.s390x",
"openSUSE Tumbleweed:npm16-16.17.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-35256"
}
]
}
OPENSUSE-SU-2024:12376-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
corepack18-18.10.0-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: corepack18-18.10.0-1.1 on GA media
Description of the patch: These are all security issues fixed in the corepack18-18.10.0-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-12376
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.8 (Medium)
Affected products
Recommended
20 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack18-18.10.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack18-18.10.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack18-18.10.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack18-18.10.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-18.10.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-18.10.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-18.10.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-18.10.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm18-18.10.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm18-18.10.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm18-18.10.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm18-18.10.0-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.2 (High)
Affected products
Recommended
20 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack18-18.10.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack18-18.10.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack18-18.10.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack18-18.10.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-18.10.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-18.10.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-18.10.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-18.10.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm18-18.10.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm18-18.10.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm18-18.10.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm18-18.10.0-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
20 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack18-18.10.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack18-18.10.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack18-18.10.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack18-18.10.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-18.10.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-18.10.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-18.10.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-18.10.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm18-18.10.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm18-18.10.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm18-18.10.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm18-18.10.0-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
11 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "corepack18-18.10.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the corepack18-18.10.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12376",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12376-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-32215 page",
"url": "https://www.suse.com/security/cve/CVE-2022-32215/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35255 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35255/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35256 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35256/"
}
],
"title": "corepack18-18.10.0-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12376-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "corepack18-18.10.0-1.1.aarch64",
"product": {
"name": "corepack18-18.10.0-1.1.aarch64",
"product_id": "corepack18-18.10.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs18-18.10.0-1.1.aarch64",
"product": {
"name": "nodejs18-18.10.0-1.1.aarch64",
"product_id": "nodejs18-18.10.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs18-devel-18.10.0-1.1.aarch64",
"product": {
"name": "nodejs18-devel-18.10.0-1.1.aarch64",
"product_id": "nodejs18-devel-18.10.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs18-docs-18.10.0-1.1.aarch64",
"product": {
"name": "nodejs18-docs-18.10.0-1.1.aarch64",
"product_id": "nodejs18-docs-18.10.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm18-18.10.0-1.1.aarch64",
"product": {
"name": "npm18-18.10.0-1.1.aarch64",
"product_id": "npm18-18.10.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack18-18.10.0-1.1.ppc64le",
"product": {
"name": "corepack18-18.10.0-1.1.ppc64le",
"product_id": "corepack18-18.10.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs18-18.10.0-1.1.ppc64le",
"product": {
"name": "nodejs18-18.10.0-1.1.ppc64le",
"product_id": "nodejs18-18.10.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs18-devel-18.10.0-1.1.ppc64le",
"product": {
"name": "nodejs18-devel-18.10.0-1.1.ppc64le",
"product_id": "nodejs18-devel-18.10.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs18-docs-18.10.0-1.1.ppc64le",
"product": {
"name": "nodejs18-docs-18.10.0-1.1.ppc64le",
"product_id": "nodejs18-docs-18.10.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm18-18.10.0-1.1.ppc64le",
"product": {
"name": "npm18-18.10.0-1.1.ppc64le",
"product_id": "npm18-18.10.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack18-18.10.0-1.1.s390x",
"product": {
"name": "corepack18-18.10.0-1.1.s390x",
"product_id": "corepack18-18.10.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs18-18.10.0-1.1.s390x",
"product": {
"name": "nodejs18-18.10.0-1.1.s390x",
"product_id": "nodejs18-18.10.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs18-devel-18.10.0-1.1.s390x",
"product": {
"name": "nodejs18-devel-18.10.0-1.1.s390x",
"product_id": "nodejs18-devel-18.10.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs18-docs-18.10.0-1.1.s390x",
"product": {
"name": "nodejs18-docs-18.10.0-1.1.s390x",
"product_id": "nodejs18-docs-18.10.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "npm18-18.10.0-1.1.s390x",
"product": {
"name": "npm18-18.10.0-1.1.s390x",
"product_id": "npm18-18.10.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack18-18.10.0-1.1.x86_64",
"product": {
"name": "corepack18-18.10.0-1.1.x86_64",
"product_id": "corepack18-18.10.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs18-18.10.0-1.1.x86_64",
"product": {
"name": "nodejs18-18.10.0-1.1.x86_64",
"product_id": "nodejs18-18.10.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs18-devel-18.10.0-1.1.x86_64",
"product": {
"name": "nodejs18-devel-18.10.0-1.1.x86_64",
"product_id": "nodejs18-devel-18.10.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs18-docs-18.10.0-1.1.x86_64",
"product": {
"name": "nodejs18-docs-18.10.0-1.1.x86_64",
"product_id": "nodejs18-docs-18.10.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm18-18.10.0-1.1.x86_64",
"product": {
"name": "npm18-18.10.0-1.1.x86_64",
"product_id": "npm18-18.10.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack18-18.10.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack18-18.10.0-1.1.aarch64"
},
"product_reference": "corepack18-18.10.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack18-18.10.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack18-18.10.0-1.1.ppc64le"
},
"product_reference": "corepack18-18.10.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack18-18.10.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack18-18.10.0-1.1.s390x"
},
"product_reference": "corepack18-18.10.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack18-18.10.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack18-18.10.0-1.1.x86_64"
},
"product_reference": "corepack18-18.10.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs18-18.10.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs18-18.10.0-1.1.aarch64"
},
"product_reference": "nodejs18-18.10.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs18-18.10.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs18-18.10.0-1.1.ppc64le"
},
"product_reference": "nodejs18-18.10.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs18-18.10.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs18-18.10.0-1.1.s390x"
},
"product_reference": "nodejs18-18.10.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs18-18.10.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs18-18.10.0-1.1.x86_64"
},
"product_reference": "nodejs18-18.10.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs18-devel-18.10.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.aarch64"
},
"product_reference": "nodejs18-devel-18.10.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs18-devel-18.10.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.ppc64le"
},
"product_reference": "nodejs18-devel-18.10.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs18-devel-18.10.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.s390x"
},
"product_reference": "nodejs18-devel-18.10.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs18-devel-18.10.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.x86_64"
},
"product_reference": "nodejs18-devel-18.10.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs18-docs-18.10.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.aarch64"
},
"product_reference": "nodejs18-docs-18.10.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs18-docs-18.10.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.ppc64le"
},
"product_reference": "nodejs18-docs-18.10.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs18-docs-18.10.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.s390x"
},
"product_reference": "nodejs18-docs-18.10.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs18-docs-18.10.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.x86_64"
},
"product_reference": "nodejs18-docs-18.10.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm18-18.10.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm18-18.10.0-1.1.aarch64"
},
"product_reference": "npm18-18.10.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm18-18.10.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm18-18.10.0-1.1.ppc64le"
},
"product_reference": "npm18-18.10.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm18-18.10.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm18-18.10.0-1.1.s390x"
},
"product_reference": "npm18-18.10.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm18-18.10.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm18-18.10.0-1.1.x86_64"
},
"product_reference": "npm18-18.10.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-32215",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-32215"
}
],
"notes": [
{
"category": "general",
"text": "The llhttp parser \u003cv14.20.1, \u003cv16.17.1 and \u003cv18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-32215",
"url": "https://www.suse.com/security/cve/CVE-2022-32215"
},
{
"category": "external",
"summary": "SUSE Bug 1201327 for CVE-2022-32215",
"url": "https://bugzilla.suse.com/1201327"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-32215"
},
{
"cve": "CVE-2022-35255",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35255"
}
],
"notes": [
{
"category": "general",
"text": "A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35255",
"url": "https://www.suse.com/security/cve/CVE-2022-35255"
},
{
"category": "external",
"summary": "SUSE Bug 1203831 for CVE-2022-35255",
"url": "https://bugzilla.suse.com/1203831"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-35255"
},
{
"cve": "CVE-2022-35256",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35256"
}
],
"notes": [
{
"category": "general",
"text": "The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35256",
"url": "https://www.suse.com/security/cve/CVE-2022-35256"
},
{
"category": "external",
"summary": "SUSE Bug 1203832 for CVE-2022-35256",
"url": "https://bugzilla.suse.com/1203832"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:corepack18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1.x86_64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.aarch64",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.s390x",
"openSUSE Tumbleweed:npm18-18.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-35256"
}
]
}
RHSA-2022:6963
Vulnerability from csaf_redhat - Published: 2022-10-18 09:27 - Updated: 2025-11-21 18:33Summary
Red Hat Security Advisory: nodejs security update
Severity
Important
Notes
Topic: An update for nodejs is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: nodejs (16.17.1).
Security Fix(es):
* nodejs: weak randomness in WebCrypto keygen (CVE-2022-35255)
* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). However, it does not check the return value and assumes the EntropySource() always succeeds, but it can and sometimes will fail. This flaw allows a remote attacker to decrypt sensitive information.
8.2 (High)
Affected products
Fixed
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Important
A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
6.5 (Medium)
Affected products
Fixed
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
16 references
Acknowledgments
Ben Noordhuis
VVX7
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for nodejs is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs (16.17.1).\n\nSecurity Fix(es):\n\n* nodejs: weak randomness in WebCrypto keygen (CVE-2022-35255)\n\n* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:6963",
"url": "https://access.redhat.com/errata/RHSA-2022:6963"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2130517",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130517"
},
{
"category": "external",
"summary": "2130518",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6963.json"
}
],
"title": "Red Hat Security Advisory: nodejs security update",
"tracking": {
"current_release_date": "2025-11-21T18:33:57+00:00",
"generator": {
"date": "2025-11-21T18:33:57+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2022:6963",
"initial_release_date": "2022-10-18T09:27:13+00:00",
"revision_history": [
{
"date": "2022-10-18T09:27:13+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-10-18T09:27:13+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:33:57+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.el9_0.src",
"product": {
"name": "nodejs-1:16.17.1-1.el9_0.src",
"product_id": "nodejs-1:16.17.1-1.el9_0.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.el9_0?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.el9_0.aarch64",
"product": {
"name": "nodejs-1:16.17.1-1.el9_0.aarch64",
"product_id": "nodejs-1:16.17.1-1.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.el9_0?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"product": {
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"product_id": "nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@16.17.1-1.el9_0?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"product": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"product_id": "nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs@16.17.1-1.el9_0?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"product": {
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"product_id": "npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.15.0-1.16.17.1.1.el9_0?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"product_id": "nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.el9_0?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"product_id": "nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.el9_0?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"product": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"product_id": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs-debuginfo@16.17.1-1.el9_0?arch=aarch64\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.el9_0.ppc64le",
"product": {
"name": "nodejs-1:16.17.1-1.el9_0.ppc64le",
"product_id": "nodejs-1:16.17.1-1.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.el9_0?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"product": {
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"product_id": "nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@16.17.1-1.el9_0?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"product": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"product_id": "nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs@16.17.1-1.el9_0?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"product": {
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"product_id": "npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.15.0-1.16.17.1.1.el9_0?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"product_id": "nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.el9_0?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"product_id": "nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.el9_0?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"product": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"product_id": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs-debuginfo@16.17.1-1.el9_0?arch=ppc64le\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.el9_0.x86_64",
"product": {
"name": "nodejs-1:16.17.1-1.el9_0.x86_64",
"product_id": "nodejs-1:16.17.1-1.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.el9_0?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"product": {
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"product_id": "nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@16.17.1-1.el9_0?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"product": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"product_id": "nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs@16.17.1-1.el9_0?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64",
"product": {
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64",
"product_id": "npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.15.0-1.16.17.1.1.el9_0?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"product_id": "nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.el9_0?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"product_id": "nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.el9_0?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"product": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"product_id": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs-debuginfo@16.17.1-1.el9_0?arch=x86_64\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-libs-1:16.17.1-1.el9_0.i686",
"product": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.i686",
"product_id": "nodejs-libs-1:16.17.1-1.el9_0.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs@16.17.1-1.el9_0?arch=i686\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"product_id": "nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.el9_0?arch=i686\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"product_id": "nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.el9_0?arch=i686\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"product": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"product_id": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs-debuginfo@16.17.1-1.el9_0?arch=i686\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "i686"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.el9_0.s390x",
"product": {
"name": "nodejs-1:16.17.1-1.el9_0.s390x",
"product_id": "nodejs-1:16.17.1-1.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.el9_0?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"product": {
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"product_id": "nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@16.17.1-1.el9_0?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-1:16.17.1-1.el9_0.s390x",
"product": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.s390x",
"product_id": "nodejs-libs-1:16.17.1-1.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs@16.17.1-1.el9_0?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"product": {
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"product_id": "npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.15.0-1.16.17.1.1.el9_0?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"product_id": "nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.el9_0?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"product_id": "nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.el9_0?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"product": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"product_id": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs-debuginfo@16.17.1-1.el9_0?arch=s390x\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-docs-1:16.17.1-1.el9_0.noarch",
"product": {
"name": "nodejs-docs-1:16.17.1-1.el9_0.noarch",
"product_id": "nodejs-docs-1:16.17.1-1.el9_0.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-docs@16.17.1-1.el9_0?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64"
},
"product_reference": "nodejs-1:16.17.1-1.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le"
},
"product_reference": "nodejs-1:16.17.1-1.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x"
},
"product_reference": "nodejs-1:16.17.1-1.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.el9_0.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src"
},
"product_reference": "nodejs-1:16.17.1-1.el9_0.src",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64"
},
"product_reference": "nodejs-1:16.17.1-1.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-docs-1:16.17.1-1.el9_0.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch"
},
"product_reference": "nodejs-docs-1:16.17.1-1.el9_0.noarch",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64"
},
"product_reference": "nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le"
},
"product_reference": "nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x"
},
"product_reference": "nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64"
},
"product_reference": "nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64"
},
"product_reference": "nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686"
},
"product_reference": "nodejs-libs-1:16.17.1-1.el9_0.i686",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le"
},
"product_reference": "nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x"
},
"product_reference": "nodejs-libs-1:16.17.1-1.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64"
},
"product_reference": "nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64"
},
"product_reference": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686"
},
"product_reference": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le"
},
"product_reference": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x"
},
"product_reference": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64"
},
"product_reference": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64"
},
"product_reference": "npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le"
},
"product_reference": "npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x"
},
"product_reference": "npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64"
},
"product_reference": "npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ben Noordhuis"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2022-35255",
"cwe": {
"id": "CWE-338",
"name": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
},
"discovery_date": "2022-09-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2130517"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). However, it does not check the return value and assumes the EntropySource() always succeeds, but it can and sometimes will fail. This flaw allows a remote attacker to decrypt sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: weak randomness in WebCrypto keygen",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The vulnerability was introduced in NodeJS v15.0.0, Hence, NodeJS:14 package in RHEL-8 and RHSCL-3 are not affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-35255"
},
{
"category": "external",
"summary": "RHBZ#2130517",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130517"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-35255",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35255"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-35255",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35255"
},
{
"category": "external",
"summary": "https://hackerone.com/bugs?report_id=1690000",
"url": "https://hackerone.com/bugs?report_id=1690000"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255",
"url": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255"
}
],
"release_date": "2022-09-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-18T09:27:13+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6963"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: weak randomness in WebCrypto keygen"
},
{
"acknowledgments": [
{
"names": [
"VVX7"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2022-35256",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-09-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2130518"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: HTTP Request Smuggling due to incorrect parsing of header fields",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-35256"
},
{
"category": "external",
"summary": "RHBZ#2130518",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-35256",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35256"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-35256",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35256"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256",
"url": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256"
}
],
"release_date": "2022-09-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-18T09:27:13+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6963"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: HTTP Request Smuggling due to incorrect parsing of header fields"
}
]
}
RHSA-2022:6964
Vulnerability from csaf_redhat - Published: 2022-10-17 10:42 - Updated: 2025-11-21 18:33Summary
Red Hat Security Advisory: nodejs:16 security update
Severity
Important
Notes
Topic: An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: nodejs 16.
Security Fix(es):
* nodejs: weak randomness in WebCrypto keygen (CVE-2022-35255)
* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). However, it does not check the return value and assumes the EntropySource() always succeeds, but it can and sometimes will fail. This flaw allows a remote attacker to decrypt sensitive information.
8.2 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16 | — |
Vendor Fix
fix
|
Threats
Impact
Important
A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
6.5 (Medium)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x::nodejs:16 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
16 references
Acknowledgments
Ben Noordhuis
VVX7
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs 16.\n\nSecurity Fix(es):\n\n* nodejs: weak randomness in WebCrypto keygen (CVE-2022-35255)\n\n* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:6964",
"url": "https://access.redhat.com/errata/RHSA-2022:6964"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2130517",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130517"
},
{
"category": "external",
"summary": "2130518",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6964.json"
}
],
"title": "Red Hat Security Advisory: nodejs:16 security update",
"tracking": {
"current_release_date": "2025-11-21T18:33:57+00:00",
"generator": {
"date": "2025-11-21T18:33:57+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2022:6964",
"initial_release_date": "2022-10-17T10:42:44+00:00",
"revision_history": [
{
"date": "2022-10-17T10:42:44+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-10-17T10:42:44+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:33:57+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"product": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 (nodejs:16)",
"product_id": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 (nodejs:16)",
"product_id": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 (nodejs:16)",
"product_id": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"product": {
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 (nodejs:16)",
"product_id": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"product": {
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 (nodejs:16)",
"product_id": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"product": {
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64 (nodejs:16)",
"product_id": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.15.0-1.16.17.1.1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src::nodejs:16",
"product": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src (nodejs:16)",
"product_id": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=src\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src::nodejs:16",
"product": {
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src (nodejs:16)",
"product_id": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.19-2.module%2Bel8.6.0%2B16240%2B7ca51420?arch=src\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src::nodejs:16",
"product": {
"name": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src (nodejs:16)",
"product_id": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-packaging@25-1.module%2Bel8.5.0%2B10992%2Bfac5fe06?arch=src\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch::nodejs:16",
"product": {
"name": "nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch (nodejs:16)",
"product_id": "nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-docs@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=noarch\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch::nodejs:16",
"product": {
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch (nodejs:16)",
"product_id": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.19-2.module%2Bel8.6.0%2B16240%2B7ca51420?arch=noarch\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch::nodejs:16",
"product": {
"name": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch (nodejs:16)",
"product_id": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-packaging@25-1.module%2Bel8.5.0%2B10992%2Bfac5fe06?arch=noarch\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"product": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le (nodejs:16)",
"product_id": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le (nodejs:16)",
"product_id": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le (nodejs:16)",
"product_id": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"product": {
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le (nodejs:16)",
"product_id": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"product": {
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le (nodejs:16)",
"product_id": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"product": {
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le (nodejs:16)",
"product_id": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.15.0-1.16.17.1.1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"product": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x (nodejs:16)",
"product_id": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x (nodejs:16)",
"product_id": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x (nodejs:16)",
"product_id": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"product": {
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x (nodejs:16)",
"product_id": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"product": {
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x (nodejs:16)",
"product_id": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"product": {
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x (nodejs:16)",
"product_id": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.15.0-1.16.17.1.1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"product": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 (nodejs:16)",
"product_id": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 (nodejs:16)",
"product_id": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 (nodejs:16)",
"product_id": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"product": {
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 (nodejs:16)",
"product_id": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"product": {
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 (nodejs:16)",
"product_id": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"product": {
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64 (nodejs:16)",
"product_id": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.15.0-1.16.17.1.1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:16:8060020221007164523:ad008a3a"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16"
},
"product_reference": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16"
},
"product_reference": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16"
},
"product_reference": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src::nodejs:16"
},
"product_reference": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16"
},
"product_reference": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16"
},
"product_reference": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16"
},
"product_reference": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16"
},
"product_reference": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16"
},
"product_reference": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch::nodejs:16"
},
"product_reference": "nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16"
},
"product_reference": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16"
},
"product_reference": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16"
},
"product_reference": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16"
},
"product_reference": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch::nodejs:16"
},
"product_reference": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src::nodejs:16"
},
"product_reference": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch::nodejs:16"
},
"product_reference": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src::nodejs:16"
},
"product_reference": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64 (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16"
},
"product_reference": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16"
},
"product_reference": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x::nodejs:16"
},
"product_reference": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64 (nodejs:16) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16"
},
"product_reference": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ben Noordhuis"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2022-35255",
"cwe": {
"id": "CWE-338",
"name": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
},
"discovery_date": "2022-09-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2130517"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). However, it does not check the return value and assumes the EntropySource() always succeeds, but it can and sometimes will fail. This flaw allows a remote attacker to decrypt sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: weak randomness in WebCrypto keygen",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The vulnerability was introduced in NodeJS v15.0.0, Hence, NodeJS:14 package in RHEL-8 and RHSCL-3 are not affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-35255"
},
{
"category": "external",
"summary": "RHBZ#2130517",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130517"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-35255",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35255"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-35255",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35255"
},
{
"category": "external",
"summary": "https://hackerone.com/bugs?report_id=1690000",
"url": "https://hackerone.com/bugs?report_id=1690000"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255",
"url": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255"
}
],
"release_date": "2022-09-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-17T10:42:44+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6964"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: weak randomness in WebCrypto keygen"
},
{
"acknowledgments": [
{
"names": [
"VVX7"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2022-35256",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-09-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2130518"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: HTTP Request Smuggling due to incorrect parsing of header fields",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-35256"
},
{
"category": "external",
"summary": "RHBZ#2130518",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-35256",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35256"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-35256",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35256"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256",
"url": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256"
}
],
"release_date": "2022-09-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-17T10:42:44+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6964"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x::nodejs:16",
"AppStream-8.6.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64::nodejs:16"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: HTTP Request Smuggling due to incorrect parsing of header fields"
}
]
}
RHSA-2022:7044
Vulnerability from csaf_redhat - Published: 2022-10-19 10:12 - Updated: 2026-06-02 17:37Summary
Red Hat Security Advisory: rh-nodejs14-nodejs security update
Severity
Moderate
Notes
Topic: An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Security Fix(es):
* nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531)
* nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532)
* nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533)
* minimist: prototype pollution (CVE-2021-44906)
* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)
* nodejs: Prototype pollution via console.table properties (CVE-2022-21824)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host.
7.4 (High)
Affected products
Fixed
28 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.
7.4 (High)
Affected products
Fixed
28 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries.
7.4 (High)
Affected products
Fixed
28 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
An Uncontrolled Resource Consumption flaw was found in minimist. The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. This flaw (CVE-2021-44906) allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')Affected products
Fixed
28 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.
8.2 (High)
Affected products
Fixed
28 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Low
A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
6.5 (Medium)
Affected products
Fixed
28 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
36 references
Acknowledgments
VVX7
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nSecurity Fix(es):\n\n* nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531)\n\n* nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532)\n\n* nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533)\n\n* minimist: prototype pollution (CVE-2021-44906)\n\n* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)\n\n* nodejs: Prototype pollution via console.table properties (CVE-2022-21824)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:7044",
"url": "https://access.redhat.com/errata/RHSA-2022:7044"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2040839",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040839"
},
{
"category": "external",
"summary": "2040846",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040846"
},
{
"category": "external",
"summary": "2040856",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040856"
},
{
"category": "external",
"summary": "2040862",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040862"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2130518",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_7044.json"
}
],
"title": "Red Hat Security Advisory: rh-nodejs14-nodejs security update",
"tracking": {
"current_release_date": "2026-06-02T17:37:49+00:00",
"generator": {
"date": "2026-06-02T17:37:49+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2022:7044",
"initial_release_date": "2022-10-19T10:12:45+00:00",
"revision_history": [
{
"date": "2022-10-19T10:12:45+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-10-19T10:12:45+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-02T17:37:49+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Software Collections for RHEL Workstation(v. 7)",
"product": {
"name": "Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for RHEL(v. 7)",
"product": {
"name": "Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Software Collections"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"product": {
"name": "rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"product_id": "rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-nodejs14-nodejs@14.20.1-2.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"product": {
"name": "rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"product_id": "rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-nodejs14-nodejs@14.20.1-2.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"product": {
"name": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"product_id": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-nodejs14-nodejs-devel@14.20.1-2.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"product": {
"name": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"product_id": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-nodejs14-npm@6.14.17-14.20.1.2.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"product": {
"name": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"product_id": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-nodejs14-nodejs-debuginfo@14.20.1-2.el7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"product": {
"name": "rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"product_id": "rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-nodejs14-nodejs-docs@14.20.1-2.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"product": {
"name": "rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"product_id": "rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-nodejs14-nodejs@14.20.1-2.el7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"product": {
"name": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"product_id": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-nodejs14-nodejs-devel@14.20.1-2.el7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"product": {
"name": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"product_id": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-nodejs14-npm@6.14.17-14.20.1.2.el7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"product": {
"name": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"product_id": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-nodejs14-nodejs-debuginfo@14.20.1-2.el7?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"product": {
"name": "rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"product_id": "rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-nodejs14-nodejs@14.20.1-2.el7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"product": {
"name": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"product_id": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-nodejs14-nodejs-devel@14.20.1-2.el7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"product": {
"name": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"product_id": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-nodejs14-npm@6.14.17-14.20.1.2.el7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"product": {
"name": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"product_id": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-nodejs14-nodejs-debuginfo@14.20.1-2.el7?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le as a component of Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le"
},
"product_reference": "rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"relates_to_product_reference": "7Server-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x as a component of Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x"
},
"product_reference": "rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"relates_to_product_reference": "7Server-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-0:14.20.1-2.el7.src as a component of Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src"
},
"product_reference": "rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64 as a component of Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64"
},
"product_reference": "rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"relates_to_product_reference": "7Server-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le as a component of Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le"
},
"product_reference": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"relates_to_product_reference": "7Server-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x as a component of Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x"
},
"product_reference": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"relates_to_product_reference": "7Server-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64 as a component of Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64"
},
"product_reference": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"relates_to_product_reference": "7Server-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le as a component of Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le"
},
"product_reference": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"relates_to_product_reference": "7Server-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x as a component of Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x"
},
"product_reference": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"relates_to_product_reference": "7Server-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64 as a component of Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64"
},
"product_reference": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"relates_to_product_reference": "7Server-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch as a component of Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch"
},
"product_reference": "rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le as a component of Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le"
},
"product_reference": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"relates_to_product_reference": "7Server-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x as a component of Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x"
},
"product_reference": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"relates_to_product_reference": "7Server-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64 as a component of Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
},
"product_reference": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"relates_to_product_reference": "7Server-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le as a component of Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le"
},
"product_reference": "rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"relates_to_product_reference": "7Workstation-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x as a component of Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x"
},
"product_reference": "rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"relates_to_product_reference": "7Workstation-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-0:14.20.1-2.el7.src as a component of Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src"
},
"product_reference": "rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"relates_to_product_reference": "7Workstation-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64 as a component of Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64"
},
"product_reference": "rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"relates_to_product_reference": "7Workstation-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le as a component of Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le"
},
"product_reference": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"relates_to_product_reference": "7Workstation-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x as a component of Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x"
},
"product_reference": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"relates_to_product_reference": "7Workstation-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64 as a component of Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64"
},
"product_reference": "rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"relates_to_product_reference": "7Workstation-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le as a component of Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le"
},
"product_reference": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"relates_to_product_reference": "7Workstation-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x as a component of Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x"
},
"product_reference": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"relates_to_product_reference": "7Workstation-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64 as a component of Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64"
},
"product_reference": "rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"relates_to_product_reference": "7Workstation-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch as a component of Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch"
},
"product_reference": "rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le as a component of Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le"
},
"product_reference": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"relates_to_product_reference": "7Workstation-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x as a component of Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x"
},
"product_reference": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"relates_to_product_reference": "7Workstation-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64 as a component of Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
},
"product_reference": "rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"relates_to_product_reference": "7Workstation-RHSCL-3.8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-44531",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040839"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in node.js where it accepted a certificate\u0027s Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Improper handling of URI Subject Alternative Names",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44531"
},
{
"category": "external",
"summary": "RHBZ#2040839",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040839"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44531",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44531"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-19T10:12:45+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Improper handling of URI Subject Alternative Names"
},
{
"cve": "CVE-2021-44532",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040846"
}
],
"notes": [
{
"category": "description",
"text": "It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Certificate Verification Bypass via String Injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44532"
},
{
"category": "external",
"summary": "RHBZ#2040846",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040846"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44532",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44532"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-19T10:12:45+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Certificate Verification Bypass via String Injection"
},
{
"cve": "CVE-2021-44533",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040856"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Incorrect handling of certificate subject and issuer fields",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally, there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore, the Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44533"
},
{
"category": "external",
"summary": "RHBZ#2040856",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040856"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44533",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44533"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-19T10:12:45+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Incorrect handling of certificate subject and issuer fields"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. This flaw (CVE-2021-44906) allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "As minimist is an argument parsing module for nodejs, exploitation of this vulnerability requires an attacker to influence which arguments are passed to nodejs when running a script. Red Hat products and services are designed in such a way that gaining this ability is not trivial. Additionally, the impact is limited by only enabling the pollution of functions, and not all generic objects.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-19T10:12:45+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"cve": "CVE-2022-21824",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040862"
}
],
"notes": [
{
"category": "description",
"text": "Due to the formatting logic of the \"console.table()\" function it was not safe to allow user controlled input to be passed to the \"properties\" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be \"__proto__\". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js \u003e= 12.22.9, \u003e= 14.18.3, \u003e= 16.13.2, and \u003e= 17.3.1 use a null protoype for the object these properties are being assigned to.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Prototype pollution via console.table properties",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-21824"
},
{
"category": "external",
"summary": "RHBZ#2040862",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040862"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-21824",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21824"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-19T10:12:45+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Prototype pollution via console.table properties"
},
{
"acknowledgments": [
{
"names": [
"VVX7"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2022-35256",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-09-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2130518"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: HTTP Request Smuggling due to incorrect parsing of header fields",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-35256"
},
{
"category": "external",
"summary": "RHBZ#2130518",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-35256",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35256"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-35256",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35256"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256",
"url": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256"
}
],
"release_date": "2022-09-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-19T10:12:45+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.src",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.20.1-2.el7.x86_64",
"7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.20.1-2.el7.noarch",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.ppc64le",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.s390x",
"7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.17-14.20.1.2.el7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: HTTP Request Smuggling due to incorrect parsing of header fields"
}
]
}
RHSA-2022:7821
Vulnerability from csaf_redhat - Published: 2022-11-08 11:35 - Updated: 2025-11-21 18:34Summary
Red Hat Security Advisory: nodejs:18 security update
Severity
Important
Notes
Topic: An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: nodejs (18.9.1). (BZ#2130559, BZ#2131750)
Security Fix(es):
* nodejs: weak randomness in WebCrypto keygen (CVE-2022-35255)
* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). However, it does not check the return value and assumes the EntropySource() always succeeds, but it can and sometimes will fail. This flaw allows a remote attacker to decrypt sensitive information.
8.2 (High)
Affected products
Fixed
31 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.src::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-docs-1:18.9.1-1.module+el8.7.0+16806+4109802b.noarch::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.noarch::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.src::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.src::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-packaging-bundler-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18 | — |
Vendor Fix
fix
|
Threats
Impact
Important
A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
6.5 (Medium)
Affected products
Fixed
31 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.src::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-docs-1:18.9.1-1.module+el8.7.0+16806+4109802b.noarch::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.noarch::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.src::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.src::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-packaging-bundler-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x::nodejs:18 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
16 references
Acknowledgments
Ben Noordhuis
VVX7
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs (18.9.1). (BZ#2130559, BZ#2131750)\n\nSecurity Fix(es):\n\n* nodejs: weak randomness in WebCrypto keygen (CVE-2022-35255)\n\n* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:7821",
"url": "https://access.redhat.com/errata/RHSA-2022:7821"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2130517",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130517"
},
{
"category": "external",
"summary": "2130518",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_7821.json"
}
],
"title": "Red Hat Security Advisory: nodejs:18 security update",
"tracking": {
"current_release_date": "2025-11-21T18:34:44+00:00",
"generator": {
"date": "2025-11-21T18:34:44+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2022:7821",
"initial_release_date": "2022-11-08T11:35:47+00:00",
"revision_history": [
{
"date": "2022-11-08T11:35:47+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-11-08T11:35:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:34:44+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"product": {
"name": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64 (nodejs:18)",
"product_id": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"product": {
"name": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64 (nodejs:18)",
"product_id": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"product": {
"name": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64 (nodejs:18)",
"product_id": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"product": {
"name": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64 (nodejs:18)",
"product_id": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"product": {
"name": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64 (nodejs:18)",
"product_id": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"product": {
"name": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64 (nodejs:18)",
"product_id": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.19.1-1.18.9.1.1.module%2Bel8.7.0%2B16806%2B4109802b?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.src::nodejs:18",
"product": {
"name": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.src (nodejs:18)",
"product_id": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.src::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=src\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.src::nodejs:18",
"product": {
"name": "nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.src (nodejs:18)",
"product_id": "nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.src::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.19-1.module%2Bel8.7.0%2B16061%2B0a247725?arch=src\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.src::nodejs:18",
"product": {
"name": "nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.src (nodejs:18)",
"product_id": "nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.src::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-packaging@2021.06-4.module%2Bel8.7.0%2B15582%2B19c314fa?arch=src\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-docs-1:18.9.1-1.module+el8.7.0+16806+4109802b.noarch::nodejs:18",
"product": {
"name": "nodejs-docs-1:18.9.1-1.module+el8.7.0+16806+4109802b.noarch (nodejs:18)",
"product_id": "nodejs-docs-1:18.9.1-1.module+el8.7.0+16806+4109802b.noarch::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-docs@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=noarch\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.noarch::nodejs:18",
"product": {
"name": "nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.noarch (nodejs:18)",
"product_id": "nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.noarch::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.19-1.module%2Bel8.7.0%2B16061%2B0a247725?arch=noarch\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"product": {
"name": "nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch (nodejs:18)",
"product_id": "nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-packaging@2021.06-4.module%2Bel8.7.0%2B15582%2B19c314fa?arch=noarch\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-packaging-bundler-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"product": {
"name": "nodejs-packaging-bundler-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch (nodejs:18)",
"product_id": "nodejs-packaging-bundler-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-packaging-bundler@2021.06-4.module%2Bel8.7.0%2B15582%2B19c314fa?arch=noarch\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"product": {
"name": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le (nodejs:18)",
"product_id": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"product": {
"name": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le (nodejs:18)",
"product_id": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"product": {
"name": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le (nodejs:18)",
"product_id": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"product": {
"name": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le (nodejs:18)",
"product_id": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"product": {
"name": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le (nodejs:18)",
"product_id": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"product": {
"name": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le (nodejs:18)",
"product_id": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.19.1-1.18.9.1.1.module%2Bel8.7.0%2B16806%2B4109802b?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"product": {
"name": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x (nodejs:18)",
"product_id": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"product": {
"name": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x (nodejs:18)",
"product_id": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"product": {
"name": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x (nodejs:18)",
"product_id": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"product": {
"name": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x (nodejs:18)",
"product_id": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"product": {
"name": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x (nodejs:18)",
"product_id": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"product": {
"name": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x (nodejs:18)",
"product_id": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.19.1-1.18.9.1.1.module%2Bel8.7.0%2B16806%2B4109802b?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"product": {
"name": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64 (nodejs:18)",
"product_id": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"product": {
"name": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64 (nodejs:18)",
"product_id": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"product": {
"name": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64 (nodejs:18)",
"product_id": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"product": {
"name": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64 (nodejs:18)",
"product_id": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"product": {
"name": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64 (nodejs:18)",
"product_id": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@18.9.1-1.module%2Bel8.7.0%2B16806%2B4109802b?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"product": {
"name": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64 (nodejs:18)",
"product_id": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.19.1-1.18.9.1.1.module%2Bel8.7.0%2B16806%2B4109802b?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:18:8070020221004121421:bd1311ed"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64 (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18"
},
"product_reference": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18"
},
"product_reference": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18"
},
"product_reference": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.src (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.src::nodejs:18"
},
"product_reference": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.src::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64 (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18"
},
"product_reference": "nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64 (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18"
},
"product_reference": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18"
},
"product_reference": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18"
},
"product_reference": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64 (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18"
},
"product_reference": "nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64 (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18"
},
"product_reference": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18"
},
"product_reference": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18"
},
"product_reference": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64 (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18"
},
"product_reference": "nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64 (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18"
},
"product_reference": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18"
},
"product_reference": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18"
},
"product_reference": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64 (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18"
},
"product_reference": "nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-docs-1:18.9.1-1.module+el8.7.0+16806+4109802b.noarch (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-docs-1:18.9.1-1.module+el8.7.0+16806+4109802b.noarch::nodejs:18"
},
"product_reference": "nodejs-docs-1:18.9.1-1.module+el8.7.0+16806+4109802b.noarch::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64 (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18"
},
"product_reference": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18"
},
"product_reference": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18"
},
"product_reference": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64 (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18"
},
"product_reference": "nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.noarch (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.noarch::nodejs:18"
},
"product_reference": "nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.noarch::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.src (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.src::nodejs:18"
},
"product_reference": "nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.src::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18"
},
"product_reference": "nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.src (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.src::nodejs:18"
},
"product_reference": "nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.src::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-packaging-bundler-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-packaging-bundler-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18"
},
"product_reference": "nodejs-packaging-bundler-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64 (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18"
},
"product_reference": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18"
},
"product_reference": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x::nodejs:18"
},
"product_reference": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64 (nodejs:18) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18"
},
"product_reference": "npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ben Noordhuis"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2022-35255",
"cwe": {
"id": "CWE-338",
"name": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
},
"discovery_date": "2022-09-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2130517"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). However, it does not check the return value and assumes the EntropySource() always succeeds, but it can and sometimes will fail. This flaw allows a remote attacker to decrypt sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: weak randomness in WebCrypto keygen",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The vulnerability was introduced in NodeJS v15.0.0, Hence, NodeJS:14 package in RHEL-8 and RHSCL-3 are not affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:18.9.1-1.module+el8.7.0+16806+4109802b.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-bundler-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-35255"
},
{
"category": "external",
"summary": "RHBZ#2130517",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130517"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-35255",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35255"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-35255",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35255"
},
{
"category": "external",
"summary": "https://hackerone.com/bugs?report_id=1690000",
"url": "https://hackerone.com/bugs?report_id=1690000"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255",
"url": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255"
}
],
"release_date": "2022-09-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-08T11:35:47+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:18.9.1-1.module+el8.7.0+16806+4109802b.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-bundler-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7821"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:18.9.1-1.module+el8.7.0+16806+4109802b.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-bundler-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: weak randomness in WebCrypto keygen"
},
{
"acknowledgments": [
{
"names": [
"VVX7"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2022-35256",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-09-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2130518"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: HTTP Request Smuggling due to incorrect parsing of header fields",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:18.9.1-1.module+el8.7.0+16806+4109802b.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-bundler-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-35256"
},
{
"category": "external",
"summary": "RHBZ#2130518",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-35256",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35256"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-35256",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35256"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256",
"url": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256"
}
],
"release_date": "2022-09-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-08T11:35:47+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:18.9.1-1.module+el8.7.0+16806+4109802b.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-bundler-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7821"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:18.9.1-1.module+el8.7.0+16806+4109802b.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:18.9.1-1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-1.module+el8.7.0+16061+0a247725.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:2021.06-4.module+el8.7.0+15582+19c314fa.src::nodejs:18",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-bundler-0:2021.06-4.module+el8.7.0+15582+19c314fa.noarch::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x::nodejs:18",
"AppStream-8.7.0.Z.MAIN:npm-1:8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64::nodejs:18"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: HTTP Request Smuggling due to incorrect parsing of header fields"
}
]
}
RHSA-2022:7830
Vulnerability from csaf_redhat - Published: 2022-11-08 11:39 - Updated: 2026-01-27 09:14Summary
Red Hat Security Advisory: nodejs:14 security update
Severity
Moderate
Notes
Topic: An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Security Fix(es):
* nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531)
* nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532)
* nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533)
* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)
* nodejs: Prototype pollution via console.table properties (CVE-2022-21824)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host.
7.4 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.
7.4 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries.
7.4 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.
8.2 (High)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
Threats
Impact
Low
A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
6.5 (Medium)
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
30 references
Acknowledgments
VVX7
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nSecurity Fix(es):\n\n* nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531)\n\n* nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532)\n\n* nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533)\n\n* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)\n\n* nodejs: Prototype pollution via console.table properties (CVE-2022-21824)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:7830",
"url": "https://access.redhat.com/errata/RHSA-2022:7830"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2040839",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040839"
},
{
"category": "external",
"summary": "2040846",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040846"
},
{
"category": "external",
"summary": "2040856",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040856"
},
{
"category": "external",
"summary": "2040862",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040862"
},
{
"category": "external",
"summary": "2130518",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_7830.json"
}
],
"title": "Red Hat Security Advisory: nodejs:14 security update",
"tracking": {
"current_release_date": "2026-01-27T09:14:15+00:00",
"generator": {
"date": "2026-01-27T09:14:15+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.16"
}
},
"id": "RHSA-2022:7830",
"initial_release_date": "2022-11-08T11:39:20+00:00",
"revision_history": [
{
"date": "2022-11-08T11:39:20+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-11-08T11:39:20+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-01-27T09:14:15+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"product": {
"name": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64 (nodejs:14)",
"product_id": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"product": {
"name": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64 (nodejs:14)",
"product_id": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"product": {
"name": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64 (nodejs:14)",
"product_id": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"product": {
"name": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64 (nodejs:14)",
"product_id": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"product": {
"name": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64 (nodejs:14)",
"product_id": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"product": {
"name": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64 (nodejs:14)",
"product_id": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.17-1.14.20.1.2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"product": {
"name": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src (nodejs:14)",
"product_id": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=src\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"product": {
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src (nodejs:14)",
"product_id": "nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.19-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=src\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"product": {
"name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src (nodejs:14)",
"product_id": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-packaging@23-3.module%2Bel8.3.0%2B6519%2B9f98ed83?arch=src\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"product": {
"name": "nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch (nodejs:14)",
"product_id": "nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-docs@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=noarch\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"product": {
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch (nodejs:14)",
"product_id": "nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.19-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=noarch\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"product": {
"name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch (nodejs:14)",
"product_id": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-packaging@23-3.module%2Bel8.3.0%2B6519%2B9f98ed83?arch=noarch\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"product": {
"name": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le (nodejs:14)",
"product_id": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"product": {
"name": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le (nodejs:14)",
"product_id": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"product": {
"name": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le (nodejs:14)",
"product_id": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"product": {
"name": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le (nodejs:14)",
"product_id": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"product": {
"name": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le (nodejs:14)",
"product_id": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"product": {
"name": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le (nodejs:14)",
"product_id": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.17-1.14.20.1.2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"product": {
"name": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x (nodejs:14)",
"product_id": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"product": {
"name": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x (nodejs:14)",
"product_id": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"product": {
"name": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x (nodejs:14)",
"product_id": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"product": {
"name": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x (nodejs:14)",
"product_id": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"product": {
"name": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x (nodejs:14)",
"product_id": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"product": {
"name": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x (nodejs:14)",
"product_id": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.17-1.14.20.1.2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"product": {
"name": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64 (nodejs:14)",
"product_id": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"product": {
"name": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64 (nodejs:14)",
"product_id": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"product": {
"name": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64 (nodejs:14)",
"product_id": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"product": {
"name": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64 (nodejs:14)",
"product_id": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"product": {
"name": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64 (nodejs:14)",
"product_id": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@14.20.1-2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
},
{
"category": "product_version",
"name": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"product": {
"name": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64 (nodejs:14)",
"product_id": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@6.14.17-1.14.20.1.2.module%2Bel8.7.0%2B16991%2Bb0a68a3e?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:14:8070020221020110846:bd1311ed"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64 (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14"
},
"product_reference": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14"
},
"product_reference": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14"
},
"product_reference": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14"
},
"product_reference": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64 (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
},
"product_reference": "nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64 (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14"
},
"product_reference": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14"
},
"product_reference": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14"
},
"product_reference": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64 (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
},
"product_reference": "nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64 (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14"
},
"product_reference": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14"
},
"product_reference": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14"
},
"product_reference": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64 (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
},
"product_reference": "nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64 (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14"
},
"product_reference": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14"
},
"product_reference": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14"
},
"product_reference": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64 (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
},
"product_reference": "nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14"
},
"product_reference": "nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64 (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14"
},
"product_reference": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14"
},
"product_reference": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14"
},
"product_reference": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64 (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
},
"product_reference": "nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14"
},
"product_reference": "nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14"
},
"product_reference": "nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14"
},
"product_reference": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14"
},
"product_reference": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64 (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14"
},
"product_reference": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14"
},
"product_reference": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14"
},
"product_reference": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64 (nodejs:14) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
},
"product_reference": "npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"relates_to_product_reference": "AppStream-8.7.0.Z.MAIN"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-44531",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040839"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in node.js where it accepted a certificate\u0027s Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Improper handling of URI Subject Alternative Names",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44531"
},
{
"category": "external",
"summary": "RHBZ#2040839",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040839"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44531",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44531"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-08T11:39:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7830"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Improper handling of URI Subject Alternative Names"
},
{
"cve": "CVE-2021-44532",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040846"
}
],
"notes": [
{
"category": "description",
"text": "It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Certificate Verification Bypass via String Injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44532"
},
{
"category": "external",
"summary": "RHBZ#2040846",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040846"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44532",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44532"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-08T11:39:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7830"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Certificate Verification Bypass via String Injection"
},
{
"cve": "CVE-2021-44533",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040856"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Incorrect handling of certificate subject and issuer fields",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally, there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore, the Quay component is marked as \"Will not fix\" with impact LOW.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44533"
},
{
"category": "external",
"summary": "RHBZ#2040856",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040856"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44533",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44533"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-08T11:39:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7830"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Incorrect handling of certificate subject and issuer fields"
},
{
"cve": "CVE-2022-21824",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2022-01-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040862"
}
],
"notes": [
{
"category": "description",
"text": "Due to the formatting logic of the \"console.table()\" function it was not safe to allow user controlled input to be passed to the \"properties\" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be \"__proto__\". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js \u003e= 12.22.9, \u003e= 14.18.3, \u003e= 16.13.2, and \u003e= 17.3.1 use a null protoype for the object these properties are being assigned to.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Prototype pollution via console.table properties",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-21824"
},
{
"category": "external",
"summary": "RHBZ#2040862",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040862"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-21824",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21824"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}
],
"release_date": "2022-01-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-08T11:39:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7830"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Prototype pollution via console.table properties"
},
{
"acknowledgments": [
{
"names": [
"VVX7"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2022-35256",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-09-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2130518"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: HTTP Request Smuggling due to incorrect parsing of header fields",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-35256"
},
{
"category": "external",
"summary": "RHBZ#2130518",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-35256",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35256"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-35256",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35256"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256",
"url": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256"
}
],
"release_date": "2022-09-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-08T11:39:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7830"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debuginfo-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-debugsource-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-devel-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-docs-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-full-i18n-1:14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-nodemon-0:2.0.19-2.module+el8.7.0+16991+b0a68a3e.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch::nodejs:14",
"AppStream-8.7.0.Z.MAIN:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x::nodejs:14",
"AppStream-8.7.0.Z.MAIN:npm-1:6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64::nodejs:14"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: HTTP Request Smuggling due to incorrect parsing of header fields"
}
]
}
RHSA-2022_6963
Vulnerability from csaf_redhat - Published: 2022-10-18 09:27 - Updated: 2024-11-22 20:25Summary
Red Hat Security Advisory: nodejs security update
Severity
Important
Notes
Topic: An update for nodejs is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: nodejs (16.17.1).
Security Fix(es):
* nodejs: weak randomness in WebCrypto keygen (CVE-2022-35255)
* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). However, it does not check the return value and assumes the EntropySource() always succeeds, but it can and sometimes will fail. This flaw allows a remote attacker to decrypt sensitive information.
8.2 (High)
Affected products
Fixed
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Important
A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
6.5 (Medium)
Affected products
Fixed
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
16 references
Acknowledgments
Ben Noordhuis
VVX7
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for nodejs is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs (16.17.1).\n\nSecurity Fix(es):\n\n* nodejs: weak randomness in WebCrypto keygen (CVE-2022-35255)\n\n* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:6963",
"url": "https://access.redhat.com/errata/RHSA-2022:6963"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2130517",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130517"
},
{
"category": "external",
"summary": "2130518",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6963.json"
}
],
"title": "Red Hat Security Advisory: nodejs security update",
"tracking": {
"current_release_date": "2024-11-22T20:25:20+00:00",
"generator": {
"date": "2024-11-22T20:25:20+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2022:6963",
"initial_release_date": "2022-10-18T09:27:13+00:00",
"revision_history": [
{
"date": "2022-10-18T09:27:13+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-10-18T09:27:13+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T20:25:20+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.el9_0.src",
"product": {
"name": "nodejs-1:16.17.1-1.el9_0.src",
"product_id": "nodejs-1:16.17.1-1.el9_0.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.el9_0?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.el9_0.aarch64",
"product": {
"name": "nodejs-1:16.17.1-1.el9_0.aarch64",
"product_id": "nodejs-1:16.17.1-1.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.el9_0?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"product": {
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"product_id": "nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@16.17.1-1.el9_0?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"product": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"product_id": "nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs@16.17.1-1.el9_0?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"product": {
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"product_id": "npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.15.0-1.16.17.1.1.el9_0?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"product_id": "nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.el9_0?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"product_id": "nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.el9_0?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"product": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"product_id": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs-debuginfo@16.17.1-1.el9_0?arch=aarch64\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.el9_0.ppc64le",
"product": {
"name": "nodejs-1:16.17.1-1.el9_0.ppc64le",
"product_id": "nodejs-1:16.17.1-1.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.el9_0?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"product": {
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"product_id": "nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@16.17.1-1.el9_0?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"product": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"product_id": "nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs@16.17.1-1.el9_0?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"product": {
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"product_id": "npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.15.0-1.16.17.1.1.el9_0?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"product_id": "nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.el9_0?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"product_id": "nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.el9_0?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"product": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"product_id": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs-debuginfo@16.17.1-1.el9_0?arch=ppc64le\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.el9_0.x86_64",
"product": {
"name": "nodejs-1:16.17.1-1.el9_0.x86_64",
"product_id": "nodejs-1:16.17.1-1.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.el9_0?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"product": {
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"product_id": "nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@16.17.1-1.el9_0?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"product": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"product_id": "nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs@16.17.1-1.el9_0?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64",
"product": {
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64",
"product_id": "npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.15.0-1.16.17.1.1.el9_0?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"product_id": "nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.el9_0?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"product_id": "nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.el9_0?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"product": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"product_id": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs-debuginfo@16.17.1-1.el9_0?arch=x86_64\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-libs-1:16.17.1-1.el9_0.i686",
"product": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.i686",
"product_id": "nodejs-libs-1:16.17.1-1.el9_0.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs@16.17.1-1.el9_0?arch=i686\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"product_id": "nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.el9_0?arch=i686\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"product_id": "nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.el9_0?arch=i686\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"product": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"product_id": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs-debuginfo@16.17.1-1.el9_0?arch=i686\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "i686"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.el9_0.s390x",
"product": {
"name": "nodejs-1:16.17.1-1.el9_0.s390x",
"product_id": "nodejs-1:16.17.1-1.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.el9_0?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"product": {
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"product_id": "nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@16.17.1-1.el9_0?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-1:16.17.1-1.el9_0.s390x",
"product": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.s390x",
"product_id": "nodejs-libs-1:16.17.1-1.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs@16.17.1-1.el9_0?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"product": {
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"product_id": "npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.15.0-1.16.17.1.1.el9_0?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"product_id": "nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.el9_0?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"product_id": "nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.el9_0?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"product": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"product_id": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-libs-debuginfo@16.17.1-1.el9_0?arch=s390x\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-docs-1:16.17.1-1.el9_0.noarch",
"product": {
"name": "nodejs-docs-1:16.17.1-1.el9_0.noarch",
"product_id": "nodejs-docs-1:16.17.1-1.el9_0.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-docs@16.17.1-1.el9_0?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64"
},
"product_reference": "nodejs-1:16.17.1-1.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le"
},
"product_reference": "nodejs-1:16.17.1-1.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x"
},
"product_reference": "nodejs-1:16.17.1-1.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.el9_0.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src"
},
"product_reference": "nodejs-1:16.17.1-1.el9_0.src",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64"
},
"product_reference": "nodejs-1:16.17.1-1.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-docs-1:16.17.1-1.el9_0.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch"
},
"product_reference": "nodejs-docs-1:16.17.1-1.el9_0.noarch",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64"
},
"product_reference": "nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le"
},
"product_reference": "nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x"
},
"product_reference": "nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64"
},
"product_reference": "nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64"
},
"product_reference": "nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686"
},
"product_reference": "nodejs-libs-1:16.17.1-1.el9_0.i686",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le"
},
"product_reference": "nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x"
},
"product_reference": "nodejs-libs-1:16.17.1-1.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-1:16.17.1-1.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64"
},
"product_reference": "nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64"
},
"product_reference": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686"
},
"product_reference": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le"
},
"product_reference": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x"
},
"product_reference": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64"
},
"product_reference": "nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64"
},
"product_reference": "npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le"
},
"product_reference": "npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x"
},
"product_reference": "npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64"
},
"product_reference": "npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ben Noordhuis"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2022-35255",
"cwe": {
"id": "CWE-338",
"name": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
},
"discovery_date": "2022-09-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2130517"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). However, it does not check the return value and assumes the EntropySource() always succeeds, but it can and sometimes will fail. This flaw allows a remote attacker to decrypt sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: weak randomness in WebCrypto keygen",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The vulnerability was introduced in NodeJS v15.0.0, Hence, NodeJS:14 package in RHEL-8 and RHSCL-3 are not affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-35255"
},
{
"category": "external",
"summary": "RHBZ#2130517",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130517"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-35255",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35255"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-35255",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35255"
},
{
"category": "external",
"summary": "https://hackerone.com/bugs?report_id=1690000",
"url": "https://hackerone.com/bugs?report_id=1690000"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255",
"url": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255"
}
],
"release_date": "2022-09-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-18T09:27:13+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6963"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: weak randomness in WebCrypto keygen"
},
{
"acknowledgments": [
{
"names": [
"VVX7"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2022-35256",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-09-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2130518"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: HTTP Request Smuggling due to incorrect parsing of header fields",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-35256"
},
{
"category": "external",
"summary": "RHBZ#2130518",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-35256",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35256"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-35256",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35256"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256",
"url": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256"
}
],
"release_date": "2022-09-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-18T09:27:13+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6963"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.src",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-debugsource-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-docs-1:16.17.1-1.el9_0.noarch",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-full-i18n-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.i686",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:nodejs-libs-debuginfo-1:16.17.1-1.el9_0.x86_64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.aarch64",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.ppc64le",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.s390x",
"AppStream-9.0.0.Z.MAIN.EUS:npm-1:8.15.0-1.16.17.1.1.el9_0.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: HTTP Request Smuggling due to incorrect parsing of header fields"
}
]
}
RHSA-2022_6964
Vulnerability from csaf_redhat - Published: 2022-10-17 10:42 - Updated: 2024-11-22 20:25Summary
Red Hat Security Advisory: nodejs:16 security update
Severity
Important
Notes
Topic: An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: nodejs 16.
Security Fix(es):
* nodejs: weak randomness in WebCrypto keygen (CVE-2022-35255)
* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). However, it does not check the return value and assumes the EntropySource() always succeeds, but it can and sometimes will fail. This flaw allows a remote attacker to decrypt sensitive information.
8.2 (High)
Affected products
Fixed
31 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Important
A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
6.5 (Medium)
Affected products
Fixed
31 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
16 references
Acknowledgments
Ben Noordhuis
VVX7
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs 16.\n\nSecurity Fix(es):\n\n* nodejs: weak randomness in WebCrypto keygen (CVE-2022-35255)\n\n* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:6964",
"url": "https://access.redhat.com/errata/RHSA-2022:6964"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2130517",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130517"
},
{
"category": "external",
"summary": "2130518",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6964.json"
}
],
"title": "Red Hat Security Advisory: nodejs:16 security update",
"tracking": {
"current_release_date": "2024-11-22T20:25:13+00:00",
"generator": {
"date": "2024-11-22T20:25:13+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2022:6964",
"initial_release_date": "2022-10-17T10:42:44+00:00",
"revision_history": [
{
"date": "2022-10-17T10:42:44+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-10-17T10:42:44+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T20:25:13+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs:16:8060020221007164523:ad008a3a",
"product": {
"name": "nodejs:16:8060020221007164523:ad008a3a",
"product_id": "nodejs:16:8060020221007164523:ad008a3a",
"product_identification_helper": {
"purl": "pkg:rpmmod/redhat/nodejs@16:8060020221007164523:ad008a3a"
}
}
},
{
"category": "product_version",
"name": "nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch",
"product": {
"name": "nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch",
"product_id": "nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-docs@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch",
"product": {
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch",
"product_id": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.19-2.module%2Bel8.6.0%2B16240%2B7ca51420?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch",
"product": {
"name": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch",
"product_id": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-packaging@25-1.module%2Bel8.5.0%2B10992%2Bfac5fe06?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"product": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"product_id": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"product_id": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"product_id": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"product": {
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"product_id": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"product": {
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"product_id": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64",
"product": {
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64",
"product_id": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.15.0-1.16.17.1.1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=aarch64\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src",
"product": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src",
"product_id": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src",
"product": {
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src",
"product_id": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.19-2.module%2Bel8.6.0%2B16240%2B7ca51420?arch=src"
}
}
},
{
"category": "product_version",
"name": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src",
"product": {
"name": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src",
"product_id": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-packaging@25-1.module%2Bel8.5.0%2B10992%2Bfac5fe06?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"product": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"product_id": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"product_id": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"product_id": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"product": {
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"product_id": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"product": {
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"product_id": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le",
"product": {
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le",
"product_id": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.15.0-1.16.17.1.1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=ppc64le\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"product": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"product_id": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"product_id": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"product_id": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"product": {
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"product_id": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"product": {
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"product_id": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x",
"product": {
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x",
"product_id": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.15.0-1.16.17.1.1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=s390x\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"product": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"product_id": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"product": {
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"product_id": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"product": {
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"product_id": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debugsource@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"product": {
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"product_id": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"product": {
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"product_id": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-full-i18n@16.17.1-1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64",
"product": {
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64",
"product_id": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/npm@8.15.0-1.16.17.1.1.module%2Bel8.6.0%2B16848%2Ba483195a?arch=x86_64\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
"product_reference": "nodejs:16:8060020221007164523:ad008a3a",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64"
},
"product_reference": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le"
},
"product_reference": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x"
},
"product_reference": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src"
},
"product_reference": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64"
},
"product_reference": "nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64"
},
"product_reference": "nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64"
},
"product_reference": "nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64"
},
"product_reference": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le"
},
"product_reference": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x"
},
"product_reference": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64"
},
"product_reference": "nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch"
},
"product_reference": "nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64 as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64"
},
"product_reference": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le"
},
"product_reference": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x"
},
"product_reference": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64 as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64"
},
"product_reference": "nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch"
},
"product_reference": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src"
},
"product_reference": "nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch"
},
"product_reference": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src"
},
"product_reference": "nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64 as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64"
},
"product_reference": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le"
},
"product_reference": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x"
},
"product_reference": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64 as a component of nodejs:16:8060020221007164523:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64"
},
"product_reference": "npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ben Noordhuis"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2022-35255",
"cwe": {
"id": "CWE-338",
"name": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
},
"discovery_date": "2022-09-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2130517"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). However, it does not check the return value and assumes the EntropySource() always succeeds, but it can and sometimes will fail. This flaw allows a remote attacker to decrypt sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: weak randomness in WebCrypto keygen",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The vulnerability was introduced in NodeJS v15.0.0, Hence, NodeJS:14 package in RHEL-8 and RHSCL-3 are not affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-35255"
},
{
"category": "external",
"summary": "RHBZ#2130517",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130517"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-35255",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35255"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-35255",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35255"
},
{
"category": "external",
"summary": "https://hackerone.com/bugs?report_id=1690000",
"url": "https://hackerone.com/bugs?report_id=1690000"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255",
"url": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255"
}
],
"release_date": "2022-09-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-17T10:42:44+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6964"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: weak randomness in WebCrypto keygen"
},
{
"acknowledgments": [
{
"names": [
"VVX7"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2022-35256",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-09-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2130518"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: HTTP Request Smuggling due to incorrect parsing of header fields",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-35256"
},
{
"category": "external",
"summary": "RHBZ#2130518",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130518"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-35256",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35256"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-35256",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35256"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256",
"url": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256"
}
],
"release_date": "2022-09-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-17T10:42:44+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6964"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debuginfo-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-debugsource-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-devel-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-docs-1:16.17.1-1.module+el8.6.0+16848+a483195a.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-full-i18n-1:16.17.1-1.module+el8.6.0+16848+a483195a.x86_64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-nodemon-0:2.0.19-2.module+el8.6.0+16240+7ca51420.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.noarch",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:nodejs-packaging-0:25-1.module+el8.5.0+10992+fac5fe06.src",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.aarch64",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.ppc64le",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.s390x",
"AppStream-8.6.0.Z.MAIN.EUS:nodejs:16:8060020221007164523:ad008a3a:npm-1:8.15.0-1.16.17.1.1.module+el8.6.0+16848+a483195a.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: HTTP Request Smuggling due to incorrect parsing of header fields"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…