Lucene search

K
osvGoogleOSV:RLSA-2024:2778
HistoryMay 09, 2024 - 6:50 p.m.

Important: nodejs:20 security update

2024-05-0918:50:42
Google
osv.dev
7
node.js
security update
c-ares
nghttp2
denial of service
http request smuggling
cvss score
references

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

6.2 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

  • c-ares: Out of bounds read in ares__read_line() (CVE-2024-25629)

  • nghttp2: CONTINUATION frames DoS (CVE-2024-28182)

  • nodejs: using the fetch() function to retrieve content from an untrusted URL leads to denial of service (CVE-2024-22025)

  • nodejs: CONTINUATION frames DoS (CVE-2024-27983)

  • nodejs: HTTP Request Smuggling via Content Length Obfuscation (CVE-2024-27982)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

6.2 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%