Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.SUSE_SU-2022-3250-1.NASL
HistorySep 13, 2022 - 12:00 a.m.

SUSE SLES15 Security Update : nodejs16 (SUSE-SU-2022:3250-1)

2022-09-1300:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
764
JSON

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3250-1 advisory.

  • npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm. (CVE-2022-29244)

  • undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0.
    Sanitizing all HTTP headers from untrusted sources to eliminate \r is a workaround for this issue.
    (CVE-2022-31150)

  • undici is an HTTP/1.1 client, written from scratch for Node.js.=< [email protected] users are vulnerable to
    CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header. Example: import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r \r GET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) The above snippet will perform two requests in a single request API call: 1) http://localhost:3000/ 2) http://localhost:3000/foo2 This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround. (CVE-2022-35948)

  • undici is an HTTP/1.1 client, written from scratch for Node.js.undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1 js const undici = require(undici) undici.request({origin: http://example.com, pathname: //127.0.0.1}) Instead of processing the request as http://example.org//127.0.0.1 (or http://example.org/http://127.0.0.1 when http://127.0.0.1 is used), it actually processes the request as http://127.0.0.1/ and sends it to http://127.0.0.1. If a developer passes in user input into path parameter of undici.request, it can result in an SSRF as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in [email protected]. The best workaround is to validate user input before passing it to the undici.request call. (CVE-2022-35949)

Note that Nessus has not tested for these issues but has instead relied only on the applicationโ€™s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# SUSE update advisory SUSE-SU-2022:3250-1. The text itself
# is copyright (C) SUSE.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(164969);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/14");

  script_cve_id(
    "CVE-2022-29244",
    "CVE-2022-31150",
    "CVE-2022-35948",
    "CVE-2022-35949"
  );
  script_xref(name:"SuSE", value:"SUSE-SU-2022:3250-1");

  script_name(english:"SUSE SLES15 Security Update : nodejs16 (SUSE-SU-2022:3250-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as
referenced in the SUSE-SU-2022:3250-1 advisory.

  - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or
    with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm
    publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published
    files into the npm registry they did not intend to include. Users should upgrade to the latest, patched
    version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0
    include the patched v8.11.0 version of npm. (CVE-2022-29244)

  - undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences
    into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0.
    Sanitizing all HTTP headers from untrusted sources to eliminate `\r
` is a workaround for this issue.
    (CVE-2022-31150)

  - undici is an HTTP/1.1 client, written from scratch for Node.js.`=< [email protected]` users are vulnerable to
    _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the
    `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput =
    'application/json\r
\r
GET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET',
    headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two
    requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This
    issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a
    workaround. (CVE-2022-35948)

  - undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side
    Request Forgery) when an application takes in **user input** into the `path/pathname` option of
    `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici
    = require(undici) undici.request({origin: http://example.com, pathname: //127.0.0.1}) ``` Instead of
    processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when
    `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to
    `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can
    result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change
    because the specified path parameter is combined with the base URL. This issue was fixed in
    `[email protected]`. The best workaround is to validate user input before passing it to the `undici.request`
    call. (CVE-2022-35949)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1200303");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1200517");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1201710");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1202382");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1202383");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-29244");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-31150");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-35948");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-35949");
  # https://lists.suse.com/pipermail/sle-security-updates/2022-September/012208.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3eb4bc9b");
  script_set_attribute(attribute:"solution", value:
"Update the affected nodejs16, nodejs16-devel, nodejs16-docs and / or npm16 packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-29244");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-35949");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/06/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/09/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/09/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs16");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs16-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs16-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:npm16");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SuSE Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item("Host/SuSE/release");
if (isnull(os_release) || os_release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
var os_ver = pregmatch(pattern: "^(SLE(S|D)(?:_SAP)?\d+)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES15|SLES_SAP15)$", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15 / SLES_SAP15', 'SUSE (' + os_ver + ')');

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);

var service_pack = get_kb_item("Host/SuSE/patchlevel");
if (isnull(service_pack)) service_pack = "0";
if (os_ver == "SLES15" && (! preg(pattern:"^(4)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES15 SP4", os_ver + " SP" + service_pack);
if (os_ver == "SLES_SAP15" && (! preg(pattern:"^(4)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES_SAP15 SP4", os_ver + " SP" + service_pack);

var pkgs = [
    {'reference':'nodejs16-16.17.0-150400.3.6.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
    {'reference':'nodejs16-devel-16.17.0-150400.3.6.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
    {'reference':'nodejs16-docs-16.17.0-150400.3.6.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
    {'reference':'npm16-16.17.0-150400.3.6.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
    {'reference':'nodejs16-16.17.0-150400.3.6.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-web-scripting-release-15.4', 'sles-release-15.4']},
    {'reference':'nodejs16-devel-16.17.0-150400.3.6.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-web-scripting-release-15.4', 'sles-release-15.4']},
    {'reference':'nodejs16-docs-16.17.0-150400.3.6.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-web-scripting-release-15.4', 'sles-release-15.4']},
    {'reference':'npm16-16.17.0-150400.3.6.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-web-scripting-release-15.4', 'sles-release-15.4']}
];

var ltss_caveat_required = FALSE;
var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var exists_check = NULL;
  var rpm_spec_vers_cmp = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (reference && _release) {
    if (exists_check) {
      var check_flag = 0;
      foreach var check (exists_check) {
        if (!rpm_exists(release:_release, rpm:check)) continue;
        check_flag++;
      }
      if (!check_flag) continue;
    }
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nodejs16 / nodejs16-devel / nodejs16-docs / npm16');
}
VendorProductVersionCPE
novellsuse_linuxnodejs16p-cpe:/a:novell:suse_linux:nodejs16
novellsuse_linuxnodejs16-develp-cpe:/a:novell:suse_linux:nodejs16-devel
novellsuse_linuxnodejs16-docsp-cpe:/a:novell:suse_linux:nodejs16-docs
novellsuse_linuxnpm16p-cpe:/a:novell:suse_linux:npm16
novellsuse_linux15cpe:/o:novell:suse_linux:15

Related

suse 2
nessus 6
openvas 5
ibm 13
ubuntucve 4
debiancve 3
cve 4
osv 10
prion 4
veracode 4
redhatcve 4
github 4
hackerone 2
alpinelinux 1
redos 1
redhat 3
oraclelinux 1
rocky 1
almalinux 1
suse
suse
Security update for nodejs16 (moderate)
2022-09-12 00:00:00
Security update for nodejs16 (moderate)
2022-09-12 00:00:00
nessus
nessus
SUSE SLES12 Security Update : nodejs16 (SUSE-SU-2022:3196-1)
2022-09-09 00:00:00
SUSE SLES15 Security Update : nodejs16 (SUSE-SU-2022:3251-1)
2022-09-13 00:00:00
Rocky Linux 9 : nodejs and nodejs-nodemon (RLSA-2022:6595)
2023-02-06 00:00:00
openvas
openvas
openSUSE: Security Advisory for nodejs16 (SUSE-SU-2022:3250-1)
2022-09-13 00:00:00
openSUSE: Security Advisory for nodejs16 (SUSE-SU-2022:3251-1)
2022-09-13 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:3196-1)
2022-09-09 00:00:00
ibm
ibm
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to loss of confidentiality due to CVE-2022-35948 and CVE-2022-35949
2022-08-18 14:30:37
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js npm module information disclosure (CVE-2022-29244)
2023-04-19 21:24:57
Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to loss of confidentiality due to CVE-2022-29244
2022-11-04 18:15:14
ubuntucve
ubuntucve
CVE-2022-31150
2022-07-19 00:00:00
CVE-2022-35948
2022-08-15 00:00:00
CVE-2022-35949
2022-08-12 00:00:00
debiancve
debiancve
CVE-2022-31150
2022-07-19 21:15:00
CVE-2022-35949
2022-08-12 23:15:00
CVE-2022-35948
2022-08-15 11:21:00
cve
cve
CVE-2022-31150
2022-07-19 21:15:00
CVE-2022-35948
2022-08-15 11:21:00
CVE-2022-35949
2022-08-12 23:15:00
osv
osv
CVE-2022-35949
2022-08-12 23:15:07
CVE-2022-31150
2022-07-19 21:15:15
`undici.request` vulnerable to SSRF using absolute URL on `pathname`
2022-08-18 18:59:46
prion
prion
Crlf injection
2022-07-19 21:15:00
Server side request forgery (ssrf)
2022-08-12 23:15:00
Code injection
2022-06-13 14:15:00
veracode
veracode
CRLF Injection
2022-07-20 04:30:53
Server-Side Request Forgery (SSRF)
2022-08-15 10:21:55
CRLF Injection
2022-08-15 15:46:22
redhatcve
redhatcve
CVE-2022-31150
2022-07-21 10:48:26
CVE-2022-35949
2022-08-24 11:39:42
CVE-2022-35948
2022-08-24 13:10:35
github
github
Nodejs โ€˜undiciโ€™ vulnerable to CRLF Injection via Content-Type
2022-08-18 19:02:56
`undici.request` vulnerable to SSRF using absolute URL on `pathname`
2022-08-18 18:59:46
Packing does not respect root-level ignore files in workspaces
2022-06-02 15:37:27
hackerone
hackerone
Internet Bug Bounty: CVE-2022-35948: CRLF Injection in Nodejs โ€˜undiciโ€™ via Content-Type
2022-08-09 15:43:20
Internet Bug Bounty: [CVE-2022-35949]: undici.request vulnerable to SSRF using absolute / protocol-relative URL on pathname
2022-08-09 13:51:45
alpinelinux
alpinelinux
CVE-2022-29244
2022-06-13 14:15:00
redos
redos
ROS-20230616-01
2023-06-16 00:00:00
redhat
redhat
(RHSA-2022:7276) Moderate: Red Hat Advanced Cluster Management 2.4.8 security fixes and container updates
2022-11-01 13:17:42
(RHSA-2022:6595) Moderate: nodejs and nodejs-nodemon security and bug fix update
2022-09-20 11:37:49
(RHSA-2022:6696) Critical: Red Hat Advanced Cluster Management 2.4.6 security update and bug fixes
2022-09-26 11:54:51
oraclelinux
oraclelinux
nodejs and nodejs-nodemon security and bug fix update
2022-09-22 00:00:00
rocky
rocky
nodejs and nodejs-nodemon security and bug fix update
2022-09-20 11:37:49
almalinux
almalinux
Moderate: nodejs and nodejs-nodemon security and bug fix update
2022-09-20 00:00:00
JSON
Related for SUSE_SU-2022-3250-1.NASL
suse2nessus6openvas5ibm13ubuntucve4debiancve3cve4osv10prion4veracode4redhatcve4github4hackerone2alpinelinux1redos1redhat3oraclelinux1rocky1almalinux1