The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3250-1 advisory.
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: `npm i -g npm@latest`. Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm. (CVE-2022-29244)
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue. (CVE-2022-31150)
undici is an HTTP/1.1 client, written from scratch for Node.js. `=< [email protected]` users are vulnerable to CRLF injection on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example:

```js
import { request } from 'undici'

// The CRLF pairs end the header block, so the rest is parsed as a second request.
const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1'

await request('http://localhost:3000', {
  method: 'GET',
  headers: {
    'content-type': unsanitizedContentTypeInput
  },
})
```

The above snippet will perform two requests in a single `request` API call:

1) `http://localhost:3000/`
2) `http://localhost:3000/foo2`

This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround. (CVE-2022-35948)
undici is an HTTP/1.1 client, written from scratch for Node.js. `undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1`:

```js
const undici = require('undici')

// The pathname is user-controlled and begins with "//".
undici.request({origin: 'http://example.com', pathname: '//127.0.0.1'})
```

Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1` is used), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes user input into the `path` parameter of `undici.request`, it can result in an SSRF, as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `[email protected]`. The best workaround is to validate user input before passing it to the `undici.request` call. (CVE-2022-35949)
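The workarounds named for CVE-2022-31150, CVE-2022-35948 and CVE-2022-35949 (no CR/LF in untrusted headers, validate the path before the `undici.request` call) can be sketched as pre-flight checks. This is an added example, not code from the advisory or from undici; `assertSafeHeaders`, `resolveSameOrigin` and `rejects` are hypothetical helper names and the inputs are constructed.

```javascript
// Added example; function names are hypothetical, sample inputs are constructed.
const CTL = /[\r\n\0]/; // CR, LF and NUL never belong in a header or a path

// Reject any header whose name or value could end the header line early.
function assertSafeHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    for (const v of Array.isArray(value) ? value : [value]) {
      if (CTL.test(name) || CTL.test(String(v))) {
        throw new Error(`control character in header ${JSON.stringify(name)}`);
      }
    }
  }
  return headers;
}

// Resolve a user-supplied path against a fixed origin and refuse anything
// that leaves it: absolute URLs, "//host", "/\host", or dot segments that
// normalise to a path beginning with "//".
function resolveSameOrigin(origin, userPath) {
  const base = new URL(origin);
  if (typeof userPath !== 'string' || !userPath.startsWith('/') || CTL.test(userPath)) {
    throw new Error('path must start with "/" and contain no control characters');
  }
  const target = new URL(userPath, base);
  if (target.origin !== base.origin) {
    throw new Error(`path changes origin to ${target.origin}`);
  }
  if (target.pathname.startsWith('//')) {
    throw new Error('normalised path starts with "//"');
  }
  return { origin: base.origin, path: target.pathname + target.search };
}

// True when the check throws, i.e. the input was refused.
function rejects(fn) {
  try { fn(); return false; } catch { return true; }
}

// Constructed inputs modelled on the two advisory snippets above.
const badType = 'application/json\r\n\r\nGET /foo2 HTTP/1.1';
console.log(rejects(() => assertSafeHeaders({ 'content-type': badType })));
for (const p of ['//127.0.0.1', 'http://127.0.0.1', '/a/../..//127.0.0.1']) {
  console.log(p, rejects(() => resolveSameOrigin('http://example.com', p)));
}
console.log(resolveSameOrigin('http://example.com', '/api/items?id=7'));
```

The second check in `resolveSameOrigin` matters because a path such as `/a/../..//127.0.0.1` keeps the original origin when resolved but normalises to `//127.0.0.1`, which would reintroduce the problem if passed on unchanged.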
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
```
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# SUSE update advisory SUSE-SU-2022:3250-1. The text itself
# is copyright (C) SUSE.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(164969);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/14");

  script_cve_id(
    "CVE-2022-29244",
    "CVE-2022-31150",
    "CVE-2022-35948",
    "CVE-2022-35949"
  );
  script_xref(name:"SuSE", value:"SUSE-SU-2022:3250-1");

  script_name(english:"SUSE SLES15 Security Update : nodejs16 (SUSE-SU-2022:3250-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as
referenced in the SUSE-SU-2022:3250-1 advisory.
- npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or
with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm
publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published
files into the npm registry they did not intend to include. Users should upgrade to the latest, patched
version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0
include the patched v8.11.0 version of npm. (CVE-2022-29244)
- undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences
into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0.
Sanitizing all HTTP headers from untrusted sources to eliminate `\r
` is a workaround for this issue.
(CVE-2022-31150)
- undici is an HTTP/1.1 client, written from scratch for Node.js.`=< [email protected]` users are vulnerable to
_CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the
`content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput =
'application/json\r
\r
GET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET',
headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two
requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This
issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a
workaround. (CVE-2022-35948)
- undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side
Request Forgery) when an application takes in **user input** into the `path/pathname` option of
`undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici
= require(undici) undici.request({origin: http://example.com, pathname: //127.0.0.1}) ``` Instead of
processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when
`http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to
`http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can
result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change
because the specified path parameter is combined with the base URL. This issue was fixed in
`[email protected]`. The best workaround is to validate user input before passing it to the `undici.request`
call. (CVE-2022-35949)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1200303");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1200517");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1201710");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1202382");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1202383");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-29244");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-31150");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-35948");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-35949");
  # https://lists.suse.com/pipermail/sle-security-updates/2022-September/012208.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3eb4bc9b");
  script_set_attribute(attribute:"solution", value:
"Update the affected nodejs16, nodejs16-devel, nodejs16-docs and / or npm16 packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-29244");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-35949");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/06/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/09/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/09/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs16");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs16-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs16-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:npm16");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SuSE Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item("Host/SuSE/release");
if (isnull(os_release) || os_release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
var os_ver = pregmatch(pattern: "^(SLE(S|D)(?:_SAP)?\d+)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES15|SLES_SAP15)$", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15 / SLES_SAP15', 'SUSE (' + os_ver + ')');

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);

var service_pack = get_kb_item("Host/SuSE/patchlevel");
if (isnull(service_pack)) service_pack = "0";
if (os_ver == "SLES15" && (! preg(pattern:"^(4)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES15 SP4", os_ver + " SP" + service_pack);
if (os_ver == "SLES_SAP15" && (! preg(pattern:"^(4)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES_SAP15 SP4", os_ver + " SP" + service_pack);

var pkgs = [
    {'reference':'nodejs16-16.17.0-150400.3.6.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
    {'reference':'nodejs16-devel-16.17.0-150400.3.6.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
    {'reference':'nodejs16-docs-16.17.0-150400.3.6.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
    {'reference':'npm16-16.17.0-150400.3.6.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
    {'reference':'nodejs16-16.17.0-150400.3.6.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-web-scripting-release-15.4', 'sles-release-15.4']},
    {'reference':'nodejs16-devel-16.17.0-150400.3.6.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-web-scripting-release-15.4', 'sles-release-15.4']},
    {'reference':'nodejs16-docs-16.17.0-150400.3.6.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-web-scripting-release-15.4', 'sles-release-15.4']},
    {'reference':'npm16-16.17.0-150400.3.6.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-web-scripting-release-15.4', 'sles-release-15.4']}
];

var ltss_caveat_required = FALSE;
var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var exists_check = NULL;
  var rpm_spec_vers_cmp = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (reference && _release) {
    if (exists_check) {
      var check_flag = 0;
      foreach var check (exists_check) {
        if (!rpm_exists(release:_release, rpm:check)) continue;
        check_flag++;
      }
      if (!check_flag) continue;
    }
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port     : 0,
      severity : SECURITY_WARNING,
      extra    : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nodejs16 / nodejs16-devel / nodejs16-docs / npm16');
}
```
Vendor | Product | Version | CPE |
---|---|---|---|
novell | suse_linux | nodejs16 | p-cpe:/a:novell:suse_linux:nodejs16 |
novell | suse_linux | nodejs16-devel | p-cpe:/a:novell:suse_linux:nodejs16-devel |
novell | suse_linux | nodejs16-docs | p-cpe:/a:novell:suse_linux:nodejs16-docs |
novell | suse_linux | npm16 | p-cpe:/a:novell:suse_linux:npm16 |
novell | suse_linux | 15 | cpe:/o:novell:suse_linux:15 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29244
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31150
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35948
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35949
www.nessus.org/u?3eb4bc9b
bugzilla.suse.com/1200303
bugzilla.suse.com/1200517
bugzilla.suse.com/1201710
bugzilla.suse.com/1202382
bugzilla.suse.com/1202383
www.suse.com/security/cve/CVE-2022-29244
www.suse.com/security/cve/CVE-2022-31150
www.suse.com/security/cve/CVE-2022-35948
www.suse.com/security/cve/CVE-2022-35949