ArchLinux: 202107-13: nodejs: multiple issues | LinuxSecurity.com
Arch Linux Security Advisory ASA-202107-13
==========================================

Severity: High
Date    : 2021-07-06
CVE-ID  : CVE-2021-22918 CVE-2021-23362 CVE-2021-27290
Package : nodejs
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2126

Summary
=======

The package nodejs before version 16.4.1-1 is vulnerable to multiple
issues including denial of service and information disclosure.

Resolution
==========

Upgrade to 16.4.1-1.

# pacman -Syu "nodejs>=16.4.1-1"

The problems have been fixed upstream in version 16.4.1.

Workaround
==========

None.

Description
===========

- CVE-2021-22918 (information disclosure)

Node.js before versions 16.4.1, 14.17.2 and 12.22.2 is vulnerable to an
out-of-bounds read in libuv's uv__idna_toascii() function, which is
used to convert strings to ASCII. This function is called by the
lookup() function of Node's dns module, so a crafted domain name can
lead to information disclosure or a crash.

- CVE-2021-23362 (denial of service)

A security issue has been found in Node.js before versions 16.4.1,
14.17.2 and 12.22.2. The bundled hosted-git-info npm module is
vulnerable to regular expression denial of service (ReDoS) attacks.

- CVE-2021-27290 (denial of service)

A security issue has been found in Node.js before versions 16.4.1,
14.17.2 and 12.22.2. The bundled ssri npm module is vulnerable to
regular expression denial of service (ReDoS) attacks.

Impact
======

A remote attacker could disclose information by supplying crafted
domain names, or cause denial of service through high resource usage
with crafted Git repository URLs or Subresource Integrity (SRI) hashes.

References
==========

https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/#libuv-upgrade-out-of-bounds-read-medium-cve-2021-22918
https://hackerone.com/reports/1209681
https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829
https://github.com/nodejs/node/commit/a7496aba0a95b6425e9651c297697b5dd67ac358
https://github.com/nodejs/node/commit/623fd1fcb557985bf452984856c1d0ce4fc096a7
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/#npm-upgrade-hosted-git-info-regular-expression-denial-of-service-redos-medium-cve-2021-23362
https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355
https://github.com/npm/hosted-git-info/pull/76
https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/#npm-upgrade-ssri-regular-expression-denial-of-service-redos-high-cve-2021-27290
https://github.com/advisories/GHSA-vx3p-948g-6vhq
https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
https://github.com/npm/ssri/pull/17
https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2
https://security.archlinux.org/CVE-2021-22918
https://security.archlinux.org/CVE-2021-23362
https://security.archlinux.org/CVE-2021-27290

Posted on LinuxSecurity.com: July 9, 2021