553 lines
42 KiB
XML
553 lines
42 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
|
|
<DocumentTitle xml:lang="en">An update for nodejs is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3</DocumentTitle>
|
|
<DocumentType>Security Advisory</DocumentType>
|
|
<DocumentPublisher Type="Vendor">
|
|
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
|
|
<IssuingAuthority>openEuler security committee</IssuingAuthority>
|
|
</DocumentPublisher>
|
|
<DocumentTracking>
|
|
<Identification>
|
|
<ID>openEuler-SA-2022-1620</ID>
|
|
</Identification>
|
|
<Status>Final</Status>
|
|
<Version>1.0</Version>
|
|
<RevisionHistory>
|
|
<Revision>
|
|
<Number>1.0</Number>
|
|
<Date>2022-04-29</Date>
|
|
<Description>Initial</Description>
|
|
</Revision>
|
|
</RevisionHistory>
|
|
<InitialReleaseDate>2022-04-29</InitialReleaseDate>
|
|
<CurrentReleaseDate>2022-04-29</CurrentReleaseDate>
|
|
<Generator>
|
|
<Engine>openEuler SA Tool V1.0</Engine>
|
|
<Date>2022-04-29</Date>
|
|
</Generator>
|
|
</DocumentTracking>
|
|
<DocumentNotes>
|
|
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">nodejs security update</Note>
|
|
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for nodejs is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3.</Note>
|
|
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.
|
|
|
|
|
|
|
|
Security Fix(es):
|
|
|
|
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)(CVE-2020-15366)
|
|
|
|
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).(CVE-2021-3450)
|
|
|
|
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.(CVE-2021-44532)
|
|
|
|
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.(CVE-2021-44533)
|
|
|
|
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.(CVE-2021-44531)
|
|
|
|
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.(CVE-2022-21824)
|
|
|
|
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.(CVE-2021-27290)
|
|
|
|
Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.(CVE-2021-22921)
|
|
|
|
`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in `package.json` manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multiple dependencies differ only in the case of their name, Arborist's internal data structure saw them as separate items that could coexist within the same level in the `node_modules` hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as `file:/some/path`, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem. For example, a package `pwn-a` could define a dependency in their `package.json` file such as `"foo": "file:/some/path"`. Another package, `pwn-b` could define a dependency such as `FOO: "file:foo.tgz"`. On case-insensitive file systems, if `pwn-a` was installed, and then `pwn-b` was installed afterwards, the contents of `foo.tgz` would be written to `/some/path`, and any existing contents of `/some/path` would be removed. Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above.(CVE-2021-39134)
|
|
|
|
`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. 1. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) 2. An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2.(CVE-2021-39135)
|
|
|
|
The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.(CVE-2021-22959)
|
|
|
|
The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.(CVE-2021-22960)</Note>
|
|
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for nodejs is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3.
|
|
|
|
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
|
|
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
|
|
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">nodejs</Note>
|
|
</DocumentNotes>
|
|
<DocumentReferences>
|
|
<Reference Type="Self">
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1620</URL>
|
|
</Reference>
|
|
<Reference Type="openEuler CVE">
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2020-15366</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-3450</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-44532</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-44533</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-44531</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-21824</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-27290</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-22921</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-39134</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-39135</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-22959</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-22960</URL>
|
|
</Reference>
|
|
<Reference Type="Other">
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2020-15366</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-3450</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-44532</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-44533</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-44531</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-21824</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-27290</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-22921</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-39134</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-39135</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-22959</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-22960</URL>
|
|
</Reference>
|
|
</DocumentReferences>
|
|
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
|
|
<Branch Type="Product Name" Name="openEuler">
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">openEuler-20.03-LTS-SP2</FullProductName>
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="aarch64">
|
|
<FullProductName ProductID="npm-6.14.16-1.12.22.11.1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">npm-6.14.16-1.12.22.11.1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-debugsource-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-debugsource-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-full-i18n-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-full-i18n-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-libs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-libs-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-debuginfo-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-debuginfo-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="v8-devel-7.8.279.23-1.12.22.11.1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">v8-devel-7.8.279.23-1.12.22.11.1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-devel-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-devel-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="npm-6.14.16-1.12.22.11.1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">npm-6.14.16-1.12.22.11.1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-debugsource-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">nodejs-debugsource-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-full-i18n-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">nodejs-full-i18n-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">nodejs-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-libs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">nodejs-libs-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-debuginfo-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">nodejs-debuginfo-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="v8-devel-7.8.279.23-1.12.22.11.1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">v8-devel-7.8.279.23-1.12.22.11.1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-devel-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">nodejs-devel-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="npm-6.14.16-1.12.22.11.1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">npm-6.14.16-1.12.22.11.1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-debugsource-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-debugsource-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-full-i18n-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-full-i18n-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-libs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-libs-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-debuginfo-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-debuginfo-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="v8-devel-7.8.279.23-1.12.22.11.1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">v8-devel-7.8.279.23-1.12.22.11.1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-devel-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-devel-12.22.11-1.oe1.aarch64.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="noarch">
|
|
<FullProductName ProductID="nodejs-docs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-docs-12.22.11-1.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-docs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">nodejs-docs-12.22.11-1.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-docs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-docs-12.22.11-1.oe1.noarch.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="src">
|
|
<FullProductName ProductID="nodejs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-12.22.11-1.oe1.src.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">nodejs-12.22.11-1.oe1.src.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-12.22.11-1.oe1.src.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="x86_64">
|
|
<FullProductName ProductID="nodejs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-full-i18n-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-full-i18n-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-debuginfo-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-debuginfo-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-devel-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-devel-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="npm-6.14.16-1.12.22.11.1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">npm-6.14.16-1.12.22.11.1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-libs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-libs-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="v8-devel-7.8.279.23-1.12.22.11.1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">v8-devel-7.8.279.23-1.12.22.11.1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-debugsource-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-debugsource-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">nodejs-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-full-i18n-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">nodejs-full-i18n-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-debuginfo-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">nodejs-debuginfo-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-devel-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">nodejs-devel-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="npm-6.14.16-1.12.22.11.1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">npm-6.14.16-1.12.22.11.1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-libs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">nodejs-libs-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="v8-devel-7.8.279.23-1.12.22.11.1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">v8-devel-7.8.279.23-1.12.22.11.1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-debugsource-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">nodejs-debugsource-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-full-i18n-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-full-i18n-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-debuginfo-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-debuginfo-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-devel-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-devel-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="npm-6.14.16-1.12.22.11.1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">npm-6.14.16-1.12.22.11.1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-libs-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-libs-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="v8-devel-7.8.279.23-1.12.22.11.1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">v8-devel-7.8.279.23-1.12.22.11.1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="nodejs-debugsource-12.22.11-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-debugsource-12.22.11-1.oe1.x86_64.rpm</FullProductName>
|
|
</Branch>
|
|
</ProductTree>
|
|
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)</Note>
|
|
</Notes>
|
|
<ReleaseDate>2022-04-29</ReleaseDate>
|
|
<CVE>CVE-2020-15366</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>Medium</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>5.6</BaseScore>
|
|
<Vector>AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>nodejs security update</Description>
|
|
<DATE>2022-04-29</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1620</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a purpose has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named purpose values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).</Note>
|
|
</Notes>
|
|
<ReleaseDate>2022-04-29</ReleaseDate>
|
|
<CVE>CVE-2021-3450</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>High</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>7.4</BaseScore>
|
|
<Vector>AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>nodejs security update</Description>
|
|
<DATE>2022-04-29</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1620</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="3" xml:lang="en">Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2022-04-29</ReleaseDate>
|
|
<CVE>CVE-2021-44532</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>Medium</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>5.3</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>nodejs security update</Description>
|
|
<DATE>2022-04-29</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1620</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="4" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="4" xml:lang="en">Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node s ambiguous presentation of certificate subjects may be vulnerable.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2022-04-29</ReleaseDate>
|
|
<CVE>CVE-2021-44533</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>Medium</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>5.3</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>nodejs security update</Description>
|
|
<DATE>2022-04-29</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1620</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="5" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="5" xml:lang="en">Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2022-04-29</ReleaseDate>
|
|
<CVE>CVE-2021-44531</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>High</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>7.4</BaseScore>
|
|
<Vector>AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>nodejs security update</Description>
|
|
<DATE>2022-04-29</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1620</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="6" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="6" xml:lang="en">Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__ . The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2022-04-29</ReleaseDate>
|
|
<CVE>CVE-2022-21824</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>High</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>8.2</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>nodejs security update</Description>
|
|
<DATE>2022-04-29</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1620</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="7" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="7" xml:lang="en">ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2022-04-29</ReleaseDate>
|
|
<CVE>CVE-2021-27290</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>High</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>7.5</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>nodejs security update</Description>
|
|
<DATE>2022-04-29</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1620</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="8" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="8" xml:lang="en">Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2022-04-29</ReleaseDate>
|
|
<CVE>CVE-2021-22921</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>High</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>7.8</BaseScore>
|
|
<Vector>AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>nodejs security update</Description>
|
|
<DATE>2022-04-29</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1620</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="9" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="9" xml:lang="en">`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in `package.json` manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multiple dependencies differ only in the case of their name, Arborist s internal data structure saw them as separate items that could coexist within the same level in the `node_modules` hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as `file:/some/path`, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem. For example, a package `pwn-a` could define a dependency in their `package.json` file such as ` foo : file:/some/path `. Another package, `pwn-b` could define a dependency such as `FOO: file:foo.tgz `. On case-insensitive file systems, if `pwn-a` was installed, and then `pwn-b` was installed afterwards, the contents of `foo.tgz` would be written to `/some/path`, and any existing contents of `/some/path` would be removed. Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2022-04-29</ReleaseDate>
|
|
<CVE>CVE-2021-39134</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>High</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>7.8</BaseScore>
|
|
<Vector>AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>nodejs security update</Description>
|
|
<DATE>2022-04-29</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1620</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="10" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="10" xml:lang="en">`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project s `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. 1. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) 2. An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2022-04-29</ReleaseDate>
|
|
<CVE>CVE-2021-39135</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>High</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>7.8</BaseScore>
|
|
<Vector>AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>nodejs security update</Description>
|
|
<DATE>2022-04-29</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1620</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="11" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="11" xml:lang="en">The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2022-04-29</ReleaseDate>
|
|
<CVE>CVE-2021-22959</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>Medium</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>6.5</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>nodejs security update</Description>
|
|
<DATE>2022-04-29</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1620</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="12" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="12" xml:lang="en">The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2022-04-29</ReleaseDate>
|
|
<CVE>CVE-2021-22960</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>Medium</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>6.5</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>nodejs security update</Description>
|
|
<DATE>2022-04-29</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1620</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
</cvrfdoc> |