CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
98.4%
The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:7205 advisory.
When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node’s policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js. (CVE-2023-38552)
A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. (CVE-2023-39331)
Various node:fs
functions allow specifying paths as either strings or Uint8Array
objects. In Node.js environments, the Buffer
class extends the Uint8Array
class. Node.js prevents path traversal through strings (see CVE-2023-30584) and Buffer
objects (see CVE-2023-32004), but not through non-Buffer
Uint8Array
objects. This is distinct from CVE-2023-32004 which only referred to Buffer
objects.
However, the vulnerability follows the same pattern using Uint8Array
instead of Buffer
. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
(CVE-2023-39332)
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487)
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear Cookie
headers. By design, cookie
headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici’s implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds. (CVE-2023-45143)
Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. Impacts: Thanks to dittyroma for reporting the issue and to Tobias Nieen for fixing it. (CVE-2023-39333)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Rocky Linux Security Advisory RLSA-2023:7205.
##
include('compat.inc');
if (description)
{
script_id(186401);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/09");
script_cve_id(
"CVE-2023-38552",
"CVE-2023-39331",
"CVE-2023-39332",
"CVE-2023-39333",
"CVE-2023-44487",
"CVE-2023-45143"
);
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/10/31");
script_xref(name:"RLSA", value:"2023:7205");
script_xref(name:"CEA-ID", value:"CEA-2024-0004");
script_name(english:"Rocky Linux 8 : nodejs:20 (RLSA-2023:7205)");
script_set_attribute(attribute:"synopsis", value:
"The remote Rocky Linux host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the
RLSA-2023:7205 advisory.
- When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the
application can intercept the operation and return a forged checksum to the node's policy implementation,
thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the
experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time
this CVE was issued, the policy mechanism is an experimental feature of Node.js. (CVE-2023-38552)
- A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The
new path traversal vulnerability arises because the implementation does not protect itself against the
application overwriting built-in utility functions with user-defined implementations. Please note that at
the time this CVE was issued, the permission model is an experimental feature of Node.js. (CVE-2023-39331)
- Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js
environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through
strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer`
`Uint8Array` objects. This is distinct from CVE-2023-32004 which only referred to `Buffer` objects.
However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`. Please note
that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
(CVE-2023-39332)
- The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation
can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487)
- Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already
cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design,
`cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in
browser environments. Since undici handles headers more liberally than the spec, there was a disconnect
from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to
accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection
target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version
5.26.2. There are no known workarounds. (CVE-2023-45143)
- Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The
injected code may be able to access data and functions that the WebAssembly module itself does not have
access to, similar to as if the WebAssembly module was a JavaScript module. Impacts: Thanks to dittyroma
for reporting the issue and to Tobias Nieen for fixing it. (CVE-2023-39333)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://errata.rockylinux.org/RLSA-2023:7205");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2242803");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2244104");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2244413");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2244414");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2244415");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2244418");
script_set_attribute(attribute:"solution", value:
"Update the affected nodejs-nodemon, nodejs-packaging and / or nodejs-packaging-bundler packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-39332");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/10/10");
script_set_attribute(attribute:"patch_publication_date", value:"2023/11/28");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/28");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:nodejs-nodemon");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:nodejs-packaging");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:nodejs-packaging-bundler");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rocky:linux:8");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Rocky Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RockyLinux/release", "Host/RockyLinux/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RockyLinux/release');
if (isnull(os_release) || 'Rocky Linux' >!< os_release) audit(AUDIT_OS_NOT, 'Rocky Linux');
var os_ver = pregmatch(pattern: "Rocky(?: Linux)? release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Rocky Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Rocky Linux 8.x', 'Rocky Linux ' + os_ver);
if (!get_kb_item('Host/RockyLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Rocky Linux', cpu);
var module_ver = get_kb_item('Host/RockyLinux/appstream/nodejs');
if (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module nodejs:20');
if ('20' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module nodejs:' + module_ver);
var appstreams = {
'nodejs:20': [
{'reference':'nodejs-nodemon-3.0.1-1.module+el8.8.0+1459+02651ab6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs-packaging-2021.06-4.module+el8.7.0+1072+5b168780', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs-packaging-bundler-2021.06-4.module+el8.7.0+1072+5b168780', 'release':'8', 'rpm_spec_vers_cmp':TRUE}
]
};
var flag = 0;
var appstreams_found = 0;
foreach var module (keys(appstreams)) {
var appstream = NULL;
var appstream_name = NULL;
var appstream_version = NULL;
var appstream_split = split(module, sep:':', keep:FALSE);
if (!empty_or_null(appstream_split)) {
appstream_name = appstream_split[0];
appstream_version = appstream_split[1];
if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RockyLinux/appstream/' + appstream_name);
}
if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {
appstreams_found++;
foreach var package_array ( appstreams[module] ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = 'Rocky-' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
}
}
if (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module nodejs:20');
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nodejs-nodemon / nodejs-packaging / nodejs-packaging-bundler');
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39331
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39332
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39333
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143
bugzilla.redhat.com/show_bug.cgi?id=2242803
bugzilla.redhat.com/show_bug.cgi?id=2244104
bugzilla.redhat.com/show_bug.cgi?id=2244413
bugzilla.redhat.com/show_bug.cgi?id=2244414
bugzilla.redhat.com/show_bug.cgi?id=2244415
bugzilla.redhat.com/show_bug.cgi?id=2244418
errata.rockylinux.org/RLSA-2023:7205
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
98.4%