TencentOS Server 4: nodejs (TSSA-2024:0614)

🗓️ 16 Jun 2025 00:00:00Reported by TenableType

TencentOS Server 4 is vulnerable due to outdated versions, requiring updates to address multiple flaws.

Reporter	Title	Published	Views	Family All 1266
IBM Security Bulletins	Security Bulletin: Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for Febuary 2023	10 Mar 202318:29	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to security restrictions bypass due to [CVE-2023-38552], [CVE-2023-39333]	14 Dec 202310:38	–	ibm
IBM Security Bulletins	Security Bulletin: QRadar Deployment Intelligence App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities (CVE-2022-25881, CVE-2021-23440, CVE-2022-24785, CVE-2022-46175)	6 Jun 202320:02	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js	27 Sep 202321:08	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js http-cache-semantics	2 May 202321:46	–	ibm
IBM Security Bulletins	Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Node.js http-cache-semantics module (CVE-2022-25881)	17 May 202319:33	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cognos Controller is affected by vulnerabilities	15 Apr 202503:15	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Event Streams is affected by a vulnerability in Node.js (CVE-2023-32006)	29 Nov 202322:29	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities affect IBM Db2® Graph	24 Apr 202322:02	–	ibm
IBM Security Bulletins	Security Bulletin: There is a security vulnerability in Node.js http-cache-semantics module used by IBM Maximo for Civil Infrastructure in Maximo Application Suite (CVE-2022-25881)	17 Apr 202313:11	–	ibm

Source	Link
mirrors	www.mirrors.tencent.com/tlinux/errata/tssa-20240614.xml
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2024:0614.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(239784);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/20");

  script_cve_id(
    "CVE-2022-25881",
    "CVE-2023-23918",
    "CVE-2023-23919",
    "CVE-2023-23920",
    "CVE-2023-30581",
    "CVE-2023-30588",
    "CVE-2023-30589",
    "CVE-2023-30590",
    "CVE-2023-32002",
    "CVE-2023-32006",
    "CVE-2023-32559",
    "CVE-2023-38552",
    "CVE-2023-39332",
    "CVE-2023-39333",
    "CVE-2023-45143"
  );

  script_name(english:"TencentOS Server 4: nodejs (TSSA-2024:0614)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 4 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0614 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2023-45143:
    Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already
    cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design,
    `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in
    browser environments. Since undici handles headers more liberally than the spec, there was a disconnect
    from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to
    accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection
    target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version
    5.26.2. There are no known workarounds.

    CVE-2023-39332:
    Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js
    environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through
    strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer`
    `Uint8Array` objects.

    This is distinct from CVE-2023-32004 which only referred to `Buffer` objects. However, the vulnerability
    follows the same pattern using `Uint8Array` instead of `Buffer`.

    Please note that at the time this CVE was issued, the permission model is an experimental feature of
    Node.js.

    CVE-2023-38552:
    When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the
    application can intercept the operation and return a forged checksum to the node's policy implementation,
    thus effectively disabling the integrity check.
    Impacts:
    This vulnerability affects all users using the experimental policy mechanism in all active release lines:
    18.x and, 20.x.
    Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of
    Node.js.

    CVE-2023-32559:
    A privilege escalation vulnerability exists in the experimental policy mechanism in all active release
    lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy
    mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')`
    run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time
    this CVE was issued, the policy is an experimental feature of Node.js.

    CVE-2023-32006:
    The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules
    outside of the policy.json definition for a given module.

    This vulnerability affects all users using the experimental policy mechanism in all active release lines:
    16.x, 18.x, and, 20.x.

    Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

    CVE-2023-32002:
    The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json
    definition for a given module.

    This vulnerability affects all users using the experimental policy mechanism in all active release lines:
    16.x, 18.x and, 20.x.

    Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

    CVE-2023-30590:
    The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or
    outdated) keys, that is, it only generates a private key if none has been set yet, but the function is
    also needed to compute the corresponding public key after calling setPrivateKey(). However, the
    documentation says this API call: Generates private and public Diffie-Hellman key values.

    The documented behavior is very different from the actual behavior, and this difference could easily lead
    to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for
    application-level security, implications are consequently broad.

    CVE-2023-30588:
    When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a
    non-expect termination occurs making it susceptible to DoS attacks when the attacker could force
    interruptions of application processing, as the process terminates when accessing public key info of
    provided certificates from user code. The current context of the users will be gone, and that will cause a
    DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20.

    CVE-2023-30581:
    The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require
    modules outside of the policy.json definition. This vulnerability affects all users using the experimental
    policy mechanism in all active release lines: v16, v18 and, v20.

    Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

    CVE-2023-39333:
    Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The
    injected code may be able to access data and functions that the WebAssembly module itself does not have
    access to, similar to as if the WebAssembly module was a JavaScript module.

    CVE-2023-23918:
    A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made
    it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in
    Node.js and access non authorized modules by using process.mainModule.require(). This only affects users
    who had enabled the experimental permissions option with --experimental-policy.

    CVE-2023-23920:
    An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that
    could allow an attacker to search and potentially load ICU data when running with elevated privileges.

    CVE-2022-25881:
    This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via
    malicious request header values sent to a server, when that server reads the cache policy from the request
    using this library.

    CVE-2023-23919:
    A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases
    did does not clear the OpenSSL error stack after operations that may set it. This may lead to false
    positive errors during subsequent cryptographic operations that happen to be on the same thread. This in
    turn could be used to cause a denial of service.

    CVE-2023-30589:
    The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit
    HTTP requests. This can lead to HTTP Request Smuggling (HRS).

    The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According
    to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js
    active versions: v16, v18, and, v20

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20240614.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-39332");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/10/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/10/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:nodejs");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^4([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 4.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '4',
    'pkgs': [
      {'reference':'nodejs-18.18.2-1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'nodejs-18.18.2-1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'nodejs-debuginfo-18.18.2-1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'nodejs-debuginfo-18.18.2-1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'nodejs-debugsource-18.18.2-1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'nodejs-debugsource-18.18.2-1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'nodejs-devel-18.18.2-1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'nodejs-devel-18.18.2-1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'nodejs-docs-18.18.2-1.tl4', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'nodejs-full-i18n-18.18.2-1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'nodejs-full-i18n-18.18.2-1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'nodejs-libs-18.18.2-1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'nodejs-libs-18.18.2-1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'nodejs-libs-debuginfo-18.18.2-1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'nodejs-libs-debuginfo-18.18.2-1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'npm-9.8.1-18.18.2.1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'npm-9.8.1-18.18.2.1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'v8-devel-10.2.154.26-18.18.2.1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'v8-devel-10.2.154.26-18.18.2.1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nodejs / nodejs-debuginfo / nodejs-debugsource / etc');
}

20 Nov 2025 00:00Current

7High risk

Vulners AI Score7

CVSS 3.19.8

EPSS0.01916

SSVC