Lucene search

K
osvGoogleOSV:ALSA-2023:1583
HistoryApr 04, 2023 - 12:00 a.m.

Moderate: nodejs:18 security, bug fix, and enhancement update

2023-04-0400:00:00
Google
osv.dev
24
node.js
security
bug fix
enhancement
javascript
cve-2021-35065
cve-2022-25881
cve-2023-23918
cve-2023-23936
cve-2023-23920
cve-2023-24807
upstream version

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.1

Confidence

High

EPSS

0.002

Percentile

57.8%

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (18.14.2).

Security Fix(es):

  • glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
  • http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)
  • Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)
  • Node.js: Fetch API did not protect against CRLF injection in host headers (CVE-2023-23936)
  • Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)
  • Node.js: Regular Expression Denial of Service in Headers fetch API (CVE-2023-24807)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.1

Confidence

High

EPSS

0.002

Percentile

57.8%