nodejs14-14.17.5-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11096-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z nodejs14-14.17.5-1.2 on GA media These are all security issues fixed in the nodejs14-14.17.5-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11096 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2020-11080/ SUSE CVE CVE-2020-11080 page https://www.suse.com/security/cve/CVE-2020-15095/ SUSE CVE CVE-2020-15095 page https://www.suse.com/security/cve/CVE-2020-7774/ SUSE CVE CVE-2020-7774 page https://www.suse.com/security/cve/CVE-2020-8172/ SUSE CVE CVE-2020-8172 page https://www.suse.com/security/cve/CVE-2020-8174/ SUSE CVE CVE-2020-8174 page https://www.suse.com/security/cve/CVE-2020-8201/ SUSE CVE CVE-2020-8201 page https://www.suse.com/security/cve/CVE-2020-8251/ SUSE CVE CVE-2020-8251 page https://www.suse.com/security/cve/CVE-2020-8265/ SUSE CVE CVE-2020-8265 page https://www.suse.com/security/cve/CVE-2020-8277/ SUSE CVE CVE-2020-8277 page https://www.suse.com/security/cve/CVE-2020-8287/ SUSE CVE CVE-2020-8287 page https://www.suse.com/security/cve/CVE-2021-21148/ SUSE CVE CVE-2021-21148 page https://www.suse.com/security/cve/CVE-2021-22883/ SUSE CVE CVE-2021-22883 page https://www.suse.com/security/cve/CVE-2021-22884/ SUSE CVE CVE-2021-22884 page https://www.suse.com/security/cve/CVE-2021-22918/ SUSE CVE CVE-2021-22918 page https://www.suse.com/security/cve/CVE-2021-22930/ SUSE CVE CVE-2021-22930 page https://www.suse.com/security/cve/CVE-2021-22939/ SUSE CVE CVE-2021-22939 page https://www.suse.com/security/cve/CVE-2021-22940/ SUSE CVE CVE-2021-22940 page https://www.suse.com/security/cve/CVE-2021-27290/ SUSE CVE CVE-2021-27290 page https://www.suse.com/security/cve/CVE-2021-3672/ SUSE CVE CVE-2021-3672 page openSUSE Tumbleweed nodejs14-14.17.5-1.2 nodejs14-devel-14.17.5-1.2 nodejs14-docs-14.17.5-1.2 npm14-14.17.5-1.2 nodejs14-14.17.5-1.2 as a component of openSUSE Tumbleweed nodejs14-devel-14.17.5-1.2 as a component of openSUSE Tumbleweed nodejs14-docs-14.17.5-1.2 as a component of openSUSE Tumbleweed npm14-14.17.5-1.2 as a component of openSUSE Tumbleweed In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection. CVE-2020-11080 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-11080.html CVE-2020-11080 https://bugzilla.suse.com/1172441 SUSE Bug 1172441 https://bugzilla.suse.com/1172442 SUSE Bug 1172442 https://bugzilla.suse.com/1181358 SUSE Bug 1181358 Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files. CVE-2020-15095 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 moderate 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15095.html CVE-2020-15095 https://bugzilla.suse.com/1173937 SUSE Bug 1173937 The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution. CVE-2020-7774 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-7774.html CVE-2020-7774 https://bugzilla.suse.com/1184450 SUSE Bug 1184450 TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0. CVE-2020-8172 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 important 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8172.html CVE-2020-8172 https://bugzilla.suse.com/1172441 SUSE Bug 1172441 napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0. CVE-2020-8174 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8174.html CVE-2020-8174 https://bugzilla.suse.com/1172443 SUSE Bug 1172443 Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names. CVE-2020-8201 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8201.html CVE-2020-8201 https://bugzilla.suse.com/1176605 SUSE Bug 1176605 Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections. CVE-2020-8251 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8251.html CVE-2020-8251 https://bugzilla.suse.com/1176604 SUSE Bug 1176604 Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits. CVE-2020-8265 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8265.html CVE-2020-8265 https://bugzilla.suse.com/1180553 SUSE Bug 1180553 A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1. CVE-2020-8277 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8277.html CVE-2020-8277 https://bugzilla.suse.com/1178882 SUSE Bug 1178882 Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling. CVE-2020-8287 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8287.html CVE-2020-8287 https://bugzilla.suse.com/1180554 SUSE Bug 1180554 Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-21148 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-21148.html CVE-2021-21148 https://bugzilla.suse.com/1181827 SUSE Bug 1181827 Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory. CVE-2021-22883 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 important 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-22883.html CVE-2021-22883 https://bugzilla.suse.com/1182619 SUSE Bug 1182619 Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes "localhost6". When "localhost6" is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the "localhost6" domain. As long as the attacker uses the "localhost6" domain, they can still apply the attack described in CVE-2018-7160. CVE-2021-22884 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-22884.html CVE-2021-22884 https://bugzilla.suse.com/1182620 SUSE Bug 1182620 https://bugzilla.suse.com/1188549 SUSE Bug 1188549 https://bugzilla.suse.com/1201328 SUSE Bug 1201328 Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo(). CVE-2021-22918 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-22918.html CVE-2021-22918 https://bugzilla.suse.com/1187973 SUSE Bug 1187973 Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. CVE-2021-22930 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-22930.html CVE-2021-22930 https://bugzilla.suse.com/1188917 SUSE Bug 1188917 https://bugzilla.suse.com/1189368 SUSE Bug 1189368 If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. CVE-2021-22939 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-22939.html CVE-2021-22939 https://bugzilla.suse.com/1189369 SUSE Bug 1189369 Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. CVE-2021-22940 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 critical 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-22940.html CVE-2021-22940 https://bugzilla.suse.com/1189368 SUSE Bug 1189368 ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option. CVE-2021-27290 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-27290.html CVE-2021-27290 https://bugzilla.suse.com/1187976 SUSE Bug 1187976 A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability. CVE-2021-3672 openSUSE Tumbleweed:nodejs14-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-devel-14.17.5-1.2 openSUSE Tumbleweed:nodejs14-docs-14.17.5-1.2 openSUSE Tumbleweed:npm14-14.17.5-1.2 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3672.html CVE-2021-3672 https://bugzilla.suse.com/1188881 SUSE Bug 1188881 https://bugzilla.suse.com/1193099 SUSE Bug 1193099