mageia, Gentoo Foundation, MGASA-2023-0299
Oct 23, 2023 - 12:04 a.m.

Updated nodejs packages fix security vulnerabilities

2023-10-23 00:04:51
Gentoo Foundation
advisories.mageia.org
nodejs
security release
cve-2023-44487
cve-2023-45143
cve-2023-38552
cve-2023-39333
unix
high
medium
low
vulnerability
security fix
package update
code injection
integrity checks
nghttp2
undici
webassembly.

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.838
Percentile: 98.5%

This is a security release. The following CVEs are fixed in this release:

CVE-2023-44487: nghttp2 Security Release (High)
CVE-2023-45143: undici Security Release (High)
CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
CVE-2023-39333: Code injection via WebAssembly export names (Low)

More detailed information on each of the vulnerabilities can be found in the October 2023 Security Releases blog post.

OS      OS Version  Architecture  Package  Package Version  Filename
Mageia  9           noarch        nodejs   < 18.18.2-1      nodejs-18.18.2-1.mga9
Mageia  9           noarch        yarnpkg  < 1.22.19-14     yarnpkg-1.22.19-14.mga9
