csaf_suse - suse-su-2018:1183-1

Vulnerability from csaf_suse

Published

2018-05-09 14:18

Modified

2018-05-09 14:18

Summary

Security update for nodejs6

Notes

Title of the patch

Security update for nodejs6

Description of the patch

This update for nodejs6 fixes the following issues: - Fix some node-gyp permissions - New upstream LTS release 6.14.1: * Security fixes: + CVE-2018-7160: Fix for inspector DNS rebinding vulnerability (bsc#1087463) + CVE-2018-7158: Fix for 'path' module regular expression denial of service (bsc#1087459) + CVE-2018-7159: Reject spaces in HTTP Content-Length header values (bsc#1087453) - New upstream LTS release 6.13.1: * http,tls: better support for IPv6 addresses * console: added console.count() and console.clear() * crypto: + expose ECDH class + added cypto.randomFill() and crypto.randomFillSync() + warn on invalid authentication tag length * deps: upgrade libuv to 1.16.1 * dgram: added socket.setMulticastInterface() * http: add agent.keepSocketAlive and agent.reuseSocket as to allow overridable keep-alive behavior of Agent * lib: return this from net.Socket.end() * module: add builtinModules api that provides list of all builtin modules in Node * net: return this from getConnections() * promises: more robust stringification for unhandled rejections * repl: improve require() autocompletion * src: + add openssl-system-ca-path configure option + add --use-bundled-ca --use-openssl-ca check + add process.ppid * tls: accept lookup option for tls.connect() * tools,build: a new macOS installer! * url: WHATWG URL api support * util: add %i and %f formatting specifiers - remove any old manpage files in %pre from before update-alternatives were used to manage symlinks to these manpages. - Add Recommends and BuildRequire on python2 for npm. node-gyp requires this old version of python for now. This is only needed for binary modules. - even on recent codestreams there is no binutils gold on s390 only on s390x - New upstream LTS release 6.12.3: * v8: profiler-related fixes * mostly documentation and test related changes - Enable CI tests in %check target

Patchnames

SUSE-OpenStack-Cloud-7-2018-825,SUSE-SLE-Module-Web-Scripting-12-2018-825,SUSE-Storage-4-2018-825

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://www.suse.com/support/security/rating/",
         text: "moderate",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright 2024 SUSE LLC. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Security update for nodejs6",
            title: "Title of the patch",
         },
         {
            category: "description",
            text: "This update for nodejs6 fixes the following issues:\n\n- Fix some node-gyp permissions\n\n- New upstream LTS release 6.14.1:\n  * Security fixes:\n    + CVE-2018-7160: Fix for inspector DNS rebinding vulnerability (bsc#1087463)\n    + CVE-2018-7158: Fix for 'path' module regular expression denial of service (bsc#1087459)\n    + CVE-2018-7159: Reject spaces in HTTP Content-Length header values\n      (bsc#1087453)\n\n- New upstream LTS release 6.13.1:\n  * http,tls: better support for IPv6 addresses\n  * console: added console.count() and console.clear()\n  * crypto:\n    + expose ECDH class\n    + added cypto.randomFill() and crypto.randomFillSync()\n    + warn on invalid authentication tag length\n  * deps: upgrade libuv to 1.16.1\n  * dgram: added socket.setMulticastInterface()\n  * http: add agent.keepSocketAlive and agent.reuseSocket as to\n    allow overridable keep-alive behavior of Agent\n  * lib: return this from net.Socket.end()\n  * module: add builtinModules api that provides list of all\n    builtin modules in Node\n  * net: return this from getConnections()\n  * promises: more robust stringification for unhandled rejections\n  * repl: improve require() autocompletion\n  * src:\n    + add openssl-system-ca-path configure option\n    + add --use-bundled-ca --use-openssl-ca check\n    + add process.ppid\n  * tls: accept lookup option for tls.connect()\n  * tools,build: a new macOS installer!\n  * url: WHATWG URL api support\n  * util: add %i and %f formatting specifiers\n- remove any old manpage files in %pre from before update-alternatives\n  were used to manage symlinks to these manpages.\n\n- Add Recommends and BuildRequire on python2 for npm. node-gyp\n  requires this old version of python for now. This is only needed\n  for binary modules.\n\n- even on recent codestreams there is no binutils gold on s390\n  only on s390x\n\n- New upstream LTS release 6.12.3:\n  * v8: profiler-related fixes\n  * mostly documentation and test related changes\n\n- Enable CI tests in %check target\n",
            title: "Description of the patch",
         },
         {
            category: "details",
            text: "SUSE-OpenStack-Cloud-7-2018-825,SUSE-SLE-Module-Web-Scripting-12-2018-825,SUSE-Storage-4-2018-825",
            title: "Patchnames",
         },
         {
            category: "legal_disclaimer",
            text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
            title: "Terms of use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://www.suse.com/support/security/contact/",
         name: "SUSE Product Security Team",
         namespace: "https://www.suse.com/",
      },
      references: [
         {
            category: "external",
            summary: "SUSE ratings",
            url: "https://www.suse.com/support/security/rating/",
         },
         {
            category: "self",
            summary: "URL of this CSAF notice",
            url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_1183-1.json",
         },
         {
            category: "self",
            summary: "URL for SUSE-SU-2018:1183-1",
            url: "https://www.suse.com/support/update/announcement/2018/suse-su-20181183-1/",
         },
         {
            category: "self",
            summary: "E-Mail link for SUSE-SU-2018:1183-1",
            url: "https://lists.suse.com/pipermail/sle-security-updates/2018-May/003987.html",
         },
         {
            category: "self",
            summary: "SUSE Bug 1087453",
            url: "https://bugzilla.suse.com/1087453",
         },
         {
            category: "self",
            summary: "SUSE Bug 1087459",
            url: "https://bugzilla.suse.com/1087459",
         },
         {
            category: "self",
            summary: "SUSE Bug 1087463",
            url: "https://bugzilla.suse.com/1087463",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2018-7158 page",
            url: "https://www.suse.com/security/cve/CVE-2018-7158/",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2018-7159 page",
            url: "https://www.suse.com/security/cve/CVE-2018-7159/",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2018-7160 page",
            url: "https://www.suse.com/security/cve/CVE-2018-7160/",
         },
      ],
      title: "Security update for nodejs6",
      tracking: {
         current_release_date: "2018-05-09T14:18:51Z",
         generator: {
            date: "2018-05-09T14:18:51Z",
            engine: {
               name: "cve-database.git:bin/generate-csaf.pl",
               version: "1",
            },
         },
         id: "SUSE-SU-2018:1183-1",
         initial_release_date: "2018-05-09T14:18:51Z",
         revision_history: [
            {
               date: "2018-05-09T14:18:51Z",
               number: "1",
               summary: "Current version",
            },
         ],
         status: "final",
         version: "1",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "nodejs6-6.14.1-11.12.1.aarch64",
                        product: {
                           name: "nodejs6-6.14.1-11.12.1.aarch64",
                           product_id: "nodejs6-6.14.1-11.12.1.aarch64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "nodejs6-devel-6.14.1-11.12.1.aarch64",
                        product: {
                           name: "nodejs6-devel-6.14.1-11.12.1.aarch64",
                           product_id: "nodejs6-devel-6.14.1-11.12.1.aarch64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "npm6-6.14.1-11.12.1.aarch64",
                        product: {
                           name: "npm6-6.14.1-11.12.1.aarch64",
                           product_id: "npm6-6.14.1-11.12.1.aarch64",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "aarch64",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "nodejs6-docs-6.14.1-11.12.1.noarch",
                        product: {
                           name: "nodejs6-docs-6.14.1-11.12.1.noarch",
                           product_id: "nodejs6-docs-6.14.1-11.12.1.noarch",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "noarch",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "nodejs6-6.14.1-11.12.1.ppc64le",
                        product: {
                           name: "nodejs6-6.14.1-11.12.1.ppc64le",
                           product_id: "nodejs6-6.14.1-11.12.1.ppc64le",
                        },
                     },
                     {
                        category: "product_version",
                        name: "nodejs6-devel-6.14.1-11.12.1.ppc64le",
                        product: {
                           name: "nodejs6-devel-6.14.1-11.12.1.ppc64le",
                           product_id: "nodejs6-devel-6.14.1-11.12.1.ppc64le",
                        },
                     },
                     {
                        category: "product_version",
                        name: "npm6-6.14.1-11.12.1.ppc64le",
                        product: {
                           name: "npm6-6.14.1-11.12.1.ppc64le",
                           product_id: "npm6-6.14.1-11.12.1.ppc64le",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "ppc64le",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "nodejs6-6.14.1-11.12.1.s390x",
                        product: {
                           name: "nodejs6-6.14.1-11.12.1.s390x",
                           product_id: "nodejs6-6.14.1-11.12.1.s390x",
                        },
                     },
                     {
                        category: "product_version",
                        name: "nodejs6-devel-6.14.1-11.12.1.s390x",
                        product: {
                           name: "nodejs6-devel-6.14.1-11.12.1.s390x",
                           product_id: "nodejs6-devel-6.14.1-11.12.1.s390x",
                        },
                     },
                     {
                        category: "product_version",
                        name: "npm6-6.14.1-11.12.1.s390x",
                        product: {
                           name: "npm6-6.14.1-11.12.1.s390x",
                           product_id: "npm6-6.14.1-11.12.1.s390x",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "s390x",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "nodejs6-6.14.1-11.12.1.x86_64",
                        product: {
                           name: "nodejs6-6.14.1-11.12.1.x86_64",
                           product_id: "nodejs6-6.14.1-11.12.1.x86_64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "nodejs6-devel-6.14.1-11.12.1.x86_64",
                        product: {
                           name: "nodejs6-devel-6.14.1-11.12.1.x86_64",
                           product_id: "nodejs6-devel-6.14.1-11.12.1.x86_64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "npm6-6.14.1-11.12.1.x86_64",
                        product: {
                           name: "npm6-6.14.1-11.12.1.x86_64",
                           product_id: "npm6-6.14.1-11.12.1.x86_64",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "x86_64",
               },
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "SUSE OpenStack Cloud 7",
                        product: {
                           name: "SUSE OpenStack Cloud 7",
                           product_id: "SUSE OpenStack Cloud 7",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:suse-openstack-cloud:7",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "SUSE Linux Enterprise Module for Web and Scripting 12",
                        product: {
                           name: "SUSE Linux Enterprise Module for Web and Scripting 12",
                           product_id: "SUSE Linux Enterprise Module for Web and Scripting 12",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:sle-module-web-scripting:12",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "SUSE Enterprise Storage 4",
                        product: {
                           name: "SUSE Enterprise Storage 4",
                           product_id: "SUSE Enterprise Storage 4",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:ses:4",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "SUSE Linux Enterprise",
               },
            ],
            category: "vendor",
            name: "SUSE",
         },
      ],
      relationships: [
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs6-6.14.1-11.12.1.aarch64 as component of SUSE OpenStack Cloud 7",
               product_id: "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.aarch64",
            },
            product_reference: "nodejs6-6.14.1-11.12.1.aarch64",
            relates_to_product_reference: "SUSE OpenStack Cloud 7",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs6-6.14.1-11.12.1.s390x as component of SUSE OpenStack Cloud 7",
               product_id: "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.s390x",
            },
            product_reference: "nodejs6-6.14.1-11.12.1.s390x",
            relates_to_product_reference: "SUSE OpenStack Cloud 7",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs6-6.14.1-11.12.1.x86_64 as component of SUSE OpenStack Cloud 7",
               product_id: "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.x86_64",
            },
            product_reference: "nodejs6-6.14.1-11.12.1.x86_64",
            relates_to_product_reference: "SUSE OpenStack Cloud 7",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs6-6.14.1-11.12.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
               product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.aarch64",
            },
            product_reference: "nodejs6-6.14.1-11.12.1.aarch64",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs6-6.14.1-11.12.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12",
               product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.ppc64le",
            },
            product_reference: "nodejs6-6.14.1-11.12.1.ppc64le",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs6-6.14.1-11.12.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 12",
               product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.s390x",
            },
            product_reference: "nodejs6-6.14.1-11.12.1.s390x",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs6-6.14.1-11.12.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
               product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.x86_64",
            },
            product_reference: "nodejs6-6.14.1-11.12.1.x86_64",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs6-devel-6.14.1-11.12.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
               product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.aarch64",
            },
            product_reference: "nodejs6-devel-6.14.1-11.12.1.aarch64",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs6-devel-6.14.1-11.12.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12",
               product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.ppc64le",
            },
            product_reference: "nodejs6-devel-6.14.1-11.12.1.ppc64le",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs6-devel-6.14.1-11.12.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 12",
               product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.s390x",
            },
            product_reference: "nodejs6-devel-6.14.1-11.12.1.s390x",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs6-devel-6.14.1-11.12.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
               product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.x86_64",
            },
            product_reference: "nodejs6-devel-6.14.1-11.12.1.x86_64",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs6-docs-6.14.1-11.12.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 12",
               product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.14.1-11.12.1.noarch",
            },
            product_reference: "nodejs6-docs-6.14.1-11.12.1.noarch",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "npm6-6.14.1-11.12.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
               product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.aarch64",
            },
            product_reference: "npm6-6.14.1-11.12.1.aarch64",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "npm6-6.14.1-11.12.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12",
               product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.ppc64le",
            },
            product_reference: "npm6-6.14.1-11.12.1.ppc64le",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "npm6-6.14.1-11.12.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 12",
               product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.s390x",
            },
            product_reference: "npm6-6.14.1-11.12.1.s390x",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "npm6-6.14.1-11.12.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
               product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.x86_64",
            },
            product_reference: "npm6-6.14.1-11.12.1.x86_64",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs6-6.14.1-11.12.1.aarch64 as component of SUSE Enterprise Storage 4",
               product_id: "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.aarch64",
            },
            product_reference: "nodejs6-6.14.1-11.12.1.aarch64",
            relates_to_product_reference: "SUSE Enterprise Storage 4",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs6-6.14.1-11.12.1.x86_64 as component of SUSE Enterprise Storage 4",
               product_id: "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.x86_64",
            },
            product_reference: "nodejs6-6.14.1-11.12.1.x86_64",
            relates_to_product_reference: "SUSE Enterprise Storage 4",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2018-7158",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2018-7158",
            },
         ],
         notes: [
            {
               category: "general",
               text: "The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.aarch64",
               "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.x86_64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.aarch64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.ppc64le",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.s390x",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.x86_64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.aarch64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.ppc64le",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.s390x",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.x86_64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.14.1-11.12.1.noarch",
               "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.aarch64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.ppc64le",
               "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.s390x",
               "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.x86_64",
               "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.aarch64",
               "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.s390x",
               "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2018-7158",
               url: "https://www.suse.com/security/cve/CVE-2018-7158",
            },
            {
               category: "external",
               summary: "SUSE Bug 1087459 for CVE-2018-7158",
               url: "https://bugzilla.suse.com/1087459",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.14.1-11.12.1.noarch",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.x86_64",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.s390x",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.0",
               },
               products: [
                  "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.14.1-11.12.1.noarch",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.x86_64",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.s390x",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2018-05-09T14:18:51Z",
               details: "moderate",
            },
         ],
         title: "CVE-2018-7158",
      },
      {
         cve: "CVE-2018-7159",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2018-7159",
            },
         ],
         notes: [
            {
               category: "general",
               text: "The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.aarch64",
               "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.x86_64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.aarch64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.ppc64le",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.s390x",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.x86_64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.aarch64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.ppc64le",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.s390x",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.x86_64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.14.1-11.12.1.noarch",
               "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.aarch64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.ppc64le",
               "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.s390x",
               "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.x86_64",
               "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.aarch64",
               "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.s390x",
               "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2018-7159",
               url: "https://www.suse.com/security/cve/CVE-2018-7159",
            },
            {
               category: "external",
               summary: "SUSE Bug 1087453 for CVE-2018-7159",
               url: "https://bugzilla.suse.com/1087453",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.14.1-11.12.1.noarch",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.x86_64",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.s390x",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  version: "3.0",
               },
               products: [
                  "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.14.1-11.12.1.noarch",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.x86_64",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.s390x",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2018-05-09T14:18:51Z",
               details: "low",
            },
         ],
         title: "CVE-2018-7159",
      },
      {
         cve: "CVE-2018-7160",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2018-7160",
            },
         ],
         notes: [
            {
               category: "general",
               text: "The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.aarch64",
               "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.x86_64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.aarch64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.ppc64le",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.s390x",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.x86_64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.aarch64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.ppc64le",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.s390x",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.x86_64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.14.1-11.12.1.noarch",
               "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.aarch64",
               "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.ppc64le",
               "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.s390x",
               "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.x86_64",
               "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.aarch64",
               "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.s390x",
               "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2018-7160",
               url: "https://www.suse.com/security/cve/CVE-2018-7160",
            },
            {
               category: "external",
               summary: "SUSE Bug 1087463 for CVE-2018-7160",
               url: "https://bugzilla.suse.com/1087463",
            },
            {
               category: "external",
               summary: "SUSE Bug 1182620 for CVE-2018-7160",
               url: "https://bugzilla.suse.com/1182620",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.14.1-11.12.1.noarch",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.x86_64",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.s390x",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 8.3,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                  version: "3.0",
               },
               products: [
                  "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE Enterprise Storage 4:nodejs6-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.14.1-11.12.1.x86_64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.14.1-11.12.1.noarch",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.aarch64",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.ppc64le",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.s390x",
                  "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.14.1-11.12.1.x86_64",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.aarch64",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.s390x",
                  "SUSE OpenStack Cloud 7:nodejs6-6.14.1-11.12.1.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2018-05-09T14:18:51Z",
               details: "moderate",
            },
         ],
         title: "CVE-2018-7160",
      },
   ],
}

CVE-2018-7159 (GCVE-0-2018-7159)

Vulnerability from cvelistv5

Published

2018-05-17 14:00

Modified

2024-09-17 01:06

Severity ?

Summary

The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete.

References

▼	URL	Tags
	https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2019:2258	vendor-advisory, x_refsource_REDHAT
	https://support.f5.com/csp/article/K27228191?utm_source=f5support&amp%3Butm_medium=RSS	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	The Node.js Project	Node.js	Version: 4.x Version: 6.x Version: 8.x Version: 9.x

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T06:24:10.511Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
               },
               {
                  name: "RHSA-2019:2258",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:2258",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://support.f5.com/csp/article/K27228191?utm_source=f5support&amp%3Butm_medium=RSS",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "Node.js",
               vendor: "The Node.js Project",
               versions: [
                  {
                     status: "affected",
                     version: "4.x",
                  },
                  {
                     status: "affected",
                     version: "6.x",
                  },
                  {
                     status: "affected",
                     version: "8.x",
                  },
                  {
                     status: "affected",
                     version: "9.x",
                  },
               ],
            },
         ],
         datePublic: "2018-03-21T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-115",
                     description: "CWE-115: Misinterpretation of Input",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2019-10-09T19:07:41",
            orgId: "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
            shortName: "nodejs",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
            },
            {
               name: "RHSA-2019:2258",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:2258",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://support.f5.com/csp/article/K27228191?utm_source=f5support&amp%3Butm_medium=RSS",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve-request@iojs.org",
               DATE_PUBLIC: "2018-03-21T00:00:00",
               ID: "CVE-2018-7159",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "Node.js",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "4.x",
                                       },
                                       {
                                          version_value: "6.x",
                                       },
                                       {
                                          version_value: "8.x",
                                       },
                                       {
                                          version_value: "9.x",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "The Node.js Project",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-115: Misinterpretation of Input",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
                     refsource: "CONFIRM",
                     url: "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
                  },
                  {
                     name: "RHSA-2019:2258",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:2258",
                  },
                  {
                     name: "https://support.f5.com/csp/article/K27228191?utm_source=f5support&amp;utm_medium=RSS",
                     refsource: "CONFIRM",
                     url: "https://support.f5.com/csp/article/K27228191?utm_source=f5support&amp;utm_medium=RSS",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
      assignerShortName: "nodejs",
      cveId: "CVE-2018-7159",
      datePublished: "2018-05-17T14:00:00Z",
      dateReserved: "2018-02-15T00:00:00",
      dateUpdated: "2024-09-17T01:06:04.658Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

CVE-2018-7158 (GCVE-0-2018-7158)

Vulnerability from cvelistv5

Published

2018-05-17 14:00

Modified

2024-09-16 16:48

Severity ?

Summary

The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service.

References

▼	URL	Tags
	https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	The Node.js Project	Node.js	Version: 4.x

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T06:24:10.491Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "Node.js",
               vendor: "The Node.js Project",
               versions: [
                  {
                     status: "affected",
                     version: "4.x",
                  },
               ],
            },
         ],
         datePublic: "2018-03-21T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-185",
                     description: "CWE-185: Incorrect Regular Expression",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2018-05-17T13:57:01",
            orgId: "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
            shortName: "nodejs",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve-request@iojs.org",
               DATE_PUBLIC: "2018-03-21T00:00:00",
               ID: "CVE-2018-7158",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "Node.js",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "4.x",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "The Node.js Project",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-185: Incorrect Regular Expression",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
                     refsource: "CONFIRM",
                     url: "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
      assignerShortName: "nodejs",
      cveId: "CVE-2018-7158",
      datePublished: "2018-05-17T14:00:00Z",
      dateReserved: "2018-02-15T00:00:00",
      dateUpdated: "2024-09-16T16:48:51.289Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

CVE-2018-7160 (GCVE-0-2018-7160)

Vulnerability from cvelistv5

Published

2018-05-17 14:00

Modified

2024-09-17 01:35

Severity ?

Summary

The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.

References

▼	URL	Tags
	https://www.oracle.com//security-alerts/cpujul2021.html	x_refsource_MISC
	https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/	x_refsource_CONFIRM
	https://support.f5.com/csp/article/K63025104?utm_source=f5support&amp%3Butm_medium=RSS	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	The Node.js Project	Node.js	Version: ^6.0.0 \|\| ^8.0.0 \|\| ^9.0.0

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T06:24:10.499Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com//security-alerts/cpujul2021.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://support.f5.com/csp/article/K63025104?utm_source=f5support&amp%3Butm_medium=RSS",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "Node.js",
               vendor: "The Node.js Project",
               versions: [
                  {
                     status: "affected",
                     version: "^6.0.0 || ^8.0.0 || ^9.0.0",
                  },
               ],
            },
         ],
         datePublic: "2018-03-21T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-350",
                     description: "CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-07-20T22:53:16",
            orgId: "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
            shortName: "nodejs",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com//security-alerts/cpujul2021.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://support.f5.com/csp/article/K63025104?utm_source=f5support&amp%3Butm_medium=RSS",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve-request@iojs.org",
               DATE_PUBLIC: "2018-03-21T00:00:00",
               ID: "CVE-2018-7160",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "Node.js",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "^6.0.0 || ^8.0.0 || ^9.0.0",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "The Node.js Project",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.oracle.com//security-alerts/cpujul2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com//security-alerts/cpujul2021.html",
                  },
                  {
                     name: "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
                     refsource: "CONFIRM",
                     url: "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
                  },
                  {
                     name: "https://support.f5.com/csp/article/K63025104?utm_source=f5support&amp;utm_medium=RSS",
                     refsource: "CONFIRM",
                     url: "https://support.f5.com/csp/article/K63025104?utm_source=f5support&amp;utm_medium=RSS",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
      assignerShortName: "nodejs",
      cveId: "CVE-2018-7160",
      datePublished: "2018-05-17T14:00:00Z",
      dateReserved: "2018-02-15T00:00:00",
      dateUpdated: "2024-09-17T01:35:37.449Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

Vulnerability from csaf_suse

CVE-2018-7159 (GCVE-0-2018-7159)

Vulnerability from cvelistv5

CVE-2018-7158 (GCVE-0-2018-7158)

Vulnerability from cvelistv5

CVE-2018-7160 (GCVE-0-2018-7160)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature