Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.FEDORA_2023-6B866FBE84.NASL
HistoryJul 19, 2023 - 12:00 a.m.

Fedora 37 : nodejs18 (2023-6b866fbe84)

2023-07-1900:00:00
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
7
fedora 37
node.js
vulnerability
windows
installation
x509 certificate
http request smuggling
diffiehellman
security
nessus

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.3%

JSON

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-6b866fbe84 advisory.

  • The use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js (CVE-2023-30581)

  • A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the msiexec.exe process, running under the NT AUTHORITY\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user’s registry. The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the msiexec.exe process attempts to create the specified path in an unsafe manner, potentially leading to the creation of arbitrary folders in arbitrary locations. The severity of this vulnerability is heightened by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by standard (or non-privileged) users. Consequently, unprivileged actors, including malicious entities or trojans, can manipulate the environment variable key to deceive the privileged msiexec.exe process. This manipulation can result in the creation of folders in unintended and potentially malicious locations. It is important to note that this vulnerability is specific to Windows users who install Node.js using the .msi installer. Users who opt for other installation methods are not affected by this particular issue.
    (CVE-2023-30585)

  • When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. (CVE-2023-30588)

  • The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20 (CVE-2023-30589)

  • The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: Generates private and public Diffie-Hellman key values. The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application- level security, implications are consequently broad. (CVE-2023-30590)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2023-6b866fbe84
#

include('compat.inc');

if (description)
{
  script_id(178462);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/29");

  script_cve_id(
    "CVE-2023-30581",
    "CVE-2023-30585",
    "CVE-2023-30588",
    "CVE-2023-30589",
    "CVE-2023-30590"
  );
  script_xref(name:"FEDORA", value:"2023-6b866fbe84");

  script_name(english:"Fedora 37 : nodejs18 (2023-6b866fbe84)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Fedora host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the
FEDORA-2023-6b866fbe84 advisory.

  - The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require
    modules outside of the policy.json definition. This vulnerability affects all users using the experimental
    policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was
    issued, the policy is an experimental feature of Node.js (CVE-2023-30581)

  - A vulnerability has been identified in the Node.js (.msi version) installation process, specifically
    affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during
    the repair operation, where the msiexec.exe process, running under the NT AUTHORITY\SYSTEM context,
    attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises
    when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the
    msiexec.exe process attempts to create the specified path in an unsafe manner, potentially leading to
    the creation of arbitrary folders in arbitrary locations. The severity of this vulnerability is heightened
    by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by
    standard (or non-privileged) users. Consequently, unprivileged actors, including malicious entities or
    trojans, can manipulate the environment variable key to deceive the privileged msiexec.exe process. This
    manipulation can result in the creation of folders in unintended and potentially malicious locations. It
    is important to note that this vulnerability is specific to Windows users who install Node.js using the
    .msi installer. Users who opt for other installation methods are not affected by this particular issue.
    (CVE-2023-30585)

  - When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a
    non-expect termination occurs making it susceptible to DoS attacks when the attacker could force
    interruptions of application processing, as the process terminates when accessing public key info of
    provided certificates from user code. The current context of the users will be gone, and that will cause a
    DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. (CVE-2023-30588)

  - The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit
    HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient
    to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence
    should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20
    (CVE-2023-30589)

  - The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or
    outdated) keys, that is, it only generates a private key if none has been set yet, but the function is
    also needed to compute the corresponding public key after calling setPrivateKey(). However, the
    documentation says this API call: Generates private and public Diffie-Hellman key values. The documented
    behavior is very different from the actual behavior, and this difference could easily lead to security
    issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-
    level security, implications are consequently broad. (CVE-2023-30590)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2023-6b866fbe84");
  script_set_attribute(attribute:"solution", value:
"Update the affected 1:nodejs18 package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-30590");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/06/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/07/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/07/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:37");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:nodejs18");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Fedora Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Fedora' >!< os_release) audit(AUDIT_OS_NOT, 'Fedora');
var os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');
os_ver = os_ver[1];
if (! preg(pattern:"^37([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Fedora 37', 'Fedora ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);

var pkgs = [
    {'reference':'nodejs18-18.16.1-1.fc37', 'release':'FC37', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (reference && _release) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nodejs18');
}
VendorProductVersionCPE
fedoraprojectfedora37cpe:/o:fedoraproject:fedora:37
fedoraprojectfedoranodejs18p-cpe:/a:fedoraproject:fedora:nodejs18

Related

fedora 8
nessus 43
openvas 21
ibm 15
osv 22
oraclelinux 4
almalinux 4
redhat 6
rocky 2
ubuntu 1
nodejsblog 1
mageia 1
prion 5
cvelist 5
ubuntucve 5
debiancve 5
debian 2
cve 5
alpinelinux 2
cbl_mariner 2
nvd 5
redhatcve 5
veracode 4
cgr 5
wolfi 5
hackerone 6
github 2
photon 2
ics 1
gentoo 1
oracle 1
fedora
fedora
[SECURITY] Fedora 38 Update: nodejs16-16.20.1-1.fc38
2023-07-21 02:27:10
[SECURITY] Fedora 37 Update: nodejs18-18.16.1-1.fc37
2023-07-19 04:21:14
[SECURITY] Fedora 37 Update: nodejs16-16.20.1-1.fc37
2023-07-21 01:26:42
nessus
nessus
AlmaLinux 9 : nodejs:18 (ALSA-2023:4330)
2023-08-02 00:00:00
AlmaLinux 8 : nodejs:16 (ALSA-2023:4537)
2023-08-09 00:00:00
Rocky Linux 8 : nodejs:18 (RLSA-2023:4536)
2023-10-06 00:00:00
openvas
openvas
Fedora: Security Advisory for nodejs18 (FEDORA-2023-cdddce304a)
2023-07-23 00:00:00
Fedora: Security Advisory for nodejs16 (FEDORA-2023-608a1417d3)
2023-07-23 00:00:00
Fedora: Security Advisory for nodejs18 (FEDORA-2023-6b866fbe84)
2023-07-20 00:00:00
ibm
ibm
Security Bulletin: IBM Event Streams is affected by multiple vulnerabilities in Node.js
2023-08-01 09:43:58
Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to several vulnerabilities in Node.js due to [CVE-2023-30581] [CVE-2023-30588] [CVE-2023-30589] [CVE-2023-30590]
2023-09-07 15:11:40
Security Bulletin: IBM DataPower Gateway vulnerable to multiple issues in Node.js
2023-10-13 12:54:24
osv
osv
Moderate: nodejs:18 security, bug fix, and enhancement update
2023-10-06 23:10:12
Moderate: nodejs security, bug fix, and enhancement update
2023-07-31 00:00:00
Moderate: nodejs:18 security, bug fix, and enhancement update
2023-08-08 00:00:00
oraclelinux
oraclelinux
nodejs security, bug fix, and enhancement update
2023-08-02 00:00:00
nodejs:18 security, bug fix, and enhancement update
2023-08-10 00:00:00
18 security, bug fix, and enhancement update
2023-08-02 00:00:00
almalinux
almalinux
Moderate: nodejs:18 security, bug fix, and enhancement update
2023-08-08 00:00:00
Moderate: nodejs:16 security, bug fix, and enhancement update
2023-08-08 00:00:00
Moderate: nodejs:18 security, bug fix, and enhancement update
2023-07-31 00:00:00
redhat
redhat
(RHSA-2023:4330) Moderate: nodejs:18 security, bug fix, and enhancement update
2023-07-31 08:54:02
(RHSA-2023:4331) Moderate: nodejs security, bug fix, and enhancement update
2023-07-31 08:55:53
(RHSA-2023:4536) Moderate: nodejs:18 security, bug fix, and enhancement update
2023-08-08 07:21:44
rocky
rocky
nodejs:18 security, bug fix, and enhancement update
2023-10-06 23:10:12
nodejs:16 security, bug fix, and enhancement update
2023-08-08 12:34:39
ubuntu
ubuntu
Node.js vulnerabilities
2024-04-16 00:00:00
nodejsblog
nodejsblog
Tuesday June 20 2023 Security Releases
2023-06-20 00:00:00
mageia
mageia
Updated nodejs packages fix security vulnerability
2023-07-07 08:54:45
prion
prion
Code injection
2023-11-28 02:15:00
Design/Logic Flaw
2023-11-28 20:15:00
Crlf injection
2023-07-01 00:15:00
cvelist
cvelist
CVE-2023-30585
2023-11-28 01:23:08
CVE-2023-30590
2023-11-28 19:15:19
CVE-2023-30588
2023-11-28 19:15:19
ubuntucve
ubuntucve
CVE-2023-30585
2023-11-28 00:00:00
CVE-2023-30581
2023-11-23 00:00:00
CVE-2023-30588
2023-11-28 00:00:00
debiancve
debiancve
CVE-2023-30585
2023-11-28 02:15:42
CVE-2023-30581
2023-11-23 00:15:07
CVE-2023-30588
2023-11-28 20:15:07
debian
debian
[SECURITY] [DSA 5589-1] nodejs security update
2023-12-27 22:12:40
[SECURITY] [DLA 3776-1] nodejs security update
2024-03-27 00:40:58
cve
cve
CVE-2023-30585
2023-11-28 02:15:42
CVE-2023-30581
2023-11-23 00:15:07
CVE-2023-30588
2023-11-28 20:15:07
alpinelinux
alpinelinux
CVE-2023-30581
2023-11-23 00:15:07
CVE-2023-30589
2023-07-01 00:15:10
cbl_mariner
cbl_mariner
CVE-2023-30589 affecting package nodejs18 for versions less than 18.17.1-2
2023-09-27 18:02:50
CVE-2023-30589 affecting package nodejs for versions less than 16.20.1-2
2023-08-03 02:51:21
nvd
nvd
CVE-2023-30589
2023-07-01 00:15:10
CVE-2023-30585
2023-11-28 02:15:42
CVE-2023-30588
2023-11-28 20:15:07
redhatcve
redhatcve
CVE-2023-30590
2023-07-05 15:19:03
CVE-2023-30588
2023-07-05 15:18:43
CVE-2023-30581
2023-07-05 15:17:33
veracode
veracode
Inconsistency Between Implementation And Documented Design
2023-11-29 05:49:28
HTTP Request Smuggling (HRS)
2023-07-23 04:52:48
Denial Of Service (DoS)
2023-11-29 05:49:59
cgr
cgr
CVE-2023-30590 vulnerabilities
2024-05-19 03:07:16
CVE-2023-30585 vulnerabilities
2024-05-19 03:07:16
CVE-2023-30588 vulnerabilities
2024-05-19 03:07:16
wolfi
wolfi
CVE-2023-30590 vulnerabilities
2024-06-30 03:08:34
CVE-2023-30589 vulnerabilities
2024-06-30 03:08:34
CVE-2023-30588 vulnerabilities
2024-06-30 03:08:34
hackerone
hackerone
Internet Bug Bounty: HTTP Request Smuggling via Empty headers separated by CR
2023-06-21 02:32:11
Node.js: The use of __proto__ in process.mainModule.__proto__.require() bypasses the permission system in Node v19.6.1
2023-02-17 17:58:20
Node.js: DiffieHellman doesn't generate keys after setting a key
2023-03-31 13:33:05
github
github
llhttp vulnerable to HTTP request smuggling
2023-07-01 00:30:46
aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
2023-07-20 14:52:00
photon
photon
Critical Photon OS Security Update - PHSA-2023-3.0-0606
2023-07-02 00:00:00
Important Photon OS Security Update - PHSA-2023-5.0-0041
2023-06-29 00:00:00
ics
ics
Siemens SINEC NMS
2024-02-15 12:00:00
gentoo
gentoo
Node.js: Multiple Vulnerabilities
2024-05-08 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.3%

JSON
Related for FEDORA_2023-6B866FBE84.NASL
fedora8nessus43openvas21ibm15osv22oraclelinux4almalinux4redhat6rocky2ubuntu1nodejsblog1mageia1prion5cvelist5ubuntucve5debiancve5debian2cve5alpinelinux2cbl_mariner2nvd5redhatcve5veracode4cgr5wolfi5hackerone6github2photon2ics1gentoo1oracle1