ArchLinuxASA-202107-33[ASA-202107-33] nodejs-lts-erbium: multiple issues
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.003 Low
EPSS
Percentile
70.4%
Arch Linux Security Advisory ASA-202107-33
Severity: High
Date : 2021-07-20
CVE-ID : CVE-2021-22918 CVE-2021-23362 CVE-2021-27290
Package : nodejs-lts-erbium
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-2128
Summary
The package nodejs-lts-erbium before version 12.22.3-1 is vulnerable to
multiple issues including denial of service and information disclosure.
Resolution
Upgrade to 12.22.3-1.
pacman -Syu “nodejs-lts-erbium>=12.22.3-1”
The problems have been fixed upstream in version 12.22.3.
Workaround
None.
Description
- CVE-2021-22918 (information disclosure)
libuv before version 1.14.1, as bundled by Node.js before versions
16.4.1, 14.17.2 and 12.22.2, is vulnerable to an out-of-bounds read in
the libuv’s uv__idna_toascii() function which is used to convert
strings to ASCII. This is called by Node’s dns module’s lookup()
function and can lead to information disclosures or crashes.
- CVE-2021-23362 (denial of service)
A security issue has been found in Node.js before versions 16.4.1,
14.17.2 and 12.22.2. There is a vulnerability in the hosted-git-info
npm module which may be vulnerable to denial of service attacks.
- CVE-2021-27290 (denial of service)
A security issue has been found in Node.js before versions 16.4.1,
14.17.2 and 12.22.2. There is a vulnerability in the ssri npm module
which may be vulnerable to denial of service attacks.
Impact
A remote attacker could disclose information by supplying crafted
domain names, or cause denial of service through high resource usage
with crafted Git repository URLs or Subresource Integrity (SRI) hashes.
References
https://github.com/libuv/libuv/issues/3147
https://hackerone.com/reports/1209681
https://github.com/libuv/libuv/commit/86dbeb4bd665749d6234ae90d30923e210de21b9
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/#libuv-upgrade-out-of-bounds-read-medium-cve-2021-22918
https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829
https://github.com/nodejs/node/commit/a7496aba0a95b6425e9651c297697b5dd67ac358
https://github.com/nodejs/node/commit/623fd1fcb557985bf452984856c1d0ce4fc096a7
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/#npm-upgrade-hosted-git-info-regular-expression-denial-of-service-redos-medium-cve-2021-23362
https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355
https://github.com/npm/hosted-git-info/pull/76
https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/#npm-upgrade-ssri-regular-expression-denial-of-service-redos-high-cve-2021-27290
https://github.com/advisories/GHSA-vx3p-948g-6vhq
https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
https://github.com/npm/ssri/pull/17
https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2
https://security.archlinux.org/CVE-2021-22918
https://security.archlinux.org/CVE-2021-23362
https://security.archlinux.org/CVE-2021-27290
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ArchLinux | any | any | nodejs-lts-erbium | < 12.22.3-1 | UNKNOWN |
References
doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
github.com/advisories/GHSA-vx3p-948g-6vhq
github.com/libuv/libuv/commit/86dbeb4bd665749d6234ae90d30923e210de21b9
github.com/libuv/libuv/issues/3147
github.com/nodejs/node/commit/623fd1fcb557985bf452984856c1d0ce4fc096a7
github.com/nodejs/node/commit/a7496aba0a95b6425e9651c297697b5dd67ac358
github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829
github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3
github.com/npm/hosted-git-info/pull/76
github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2
github.com/npm/ssri/pull/17
hackerone.com/reports/1209681
nodejs.org/en/blog/vulnerability/july-2021-security-releases/#libuv-upgrade-out-of-bounds-read-medium-cve-2021-22918
nodejs.org/en/blog/vulnerability/july-2021-security-releases/#npm-upgrade-hosted-git-info-regular-expression-denial-of-service-redos-medium-cve-2021-23362
nodejs.org/en/blog/vulnerability/july-2021-security-releases/#npm-upgrade-ssri-regular-expression-denial-of-service-redos-high-cve-2021-27290
security.archlinux.org/AVG-2128
security.archlinux.org/CVE-2021-22918
security.archlinux.org/CVE-2021-23362
security.archlinux.org/CVE-2021-27290
snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.003 Low
EPSS
Percentile
70.4%