ArchLinux: 202107-33: nodejs-lts-erbium: multiple issues | LinuxSec...

Advisories

Arch Linux Security Advisory ASA-202107-33
==========================================

Severity: High
Date    : 2021-07-20
CVE-ID  : CVE-2021-22918 CVE-2021-23362 CVE-2021-27290
Package : nodejs-lts-erbium
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2128

Summary
=======

The package nodejs-lts-erbium before version 12.22.3-1 is vulnerable to
multiple issues including denial of service and information disclosure.

Resolution
==========

Upgrade to 12.22.3-1.

# pacman -Syu "nodejs-lts-erbium>=12.22.3-1"

The problems have been fixed upstream in version 12.22.3.

Workaround
==========

None.

Description
===========

- CVE-2021-22918 (information disclosure)

libuv before version 1.14.1, as bundled by Node.js before versions
16.4.1, 14.17.2 and 12.22.2, is vulnerable to an out-of-bounds read in
the libuv's uv__idna_toascii() function which is used to convert
strings to ASCII. This is called by Node's dns module's lookup()
function and can lead to information disclosures or crashes.

- CVE-2021-23362 (denial of service)

A security issue has been found in Node.js before versions 16.4.1,
14.17.2 and 12.22.2. There is a vulnerability in the hosted-git-info
npm module which may be vulnerable to denial of service attacks.

- CVE-2021-27290 (denial of service)

A security issue has been found in Node.js before versions 16.4.1,
14.17.2 and 12.22.2. There is a vulnerability in the ssri npm module
which may be vulnerable to denial of service attacks.

Impact
======

A remote attacker could disclose information by supplying crafted
domain names, or cause denial of service through high resource usage
with crafted Git repository URLs or Subresource Integrity (SRI) hashes.

References
==========

https://github.com/libuv/libuv/issues/3147
https://hackerone.com/reports/1209681
https://github.com/libuv/libuv/commit/86dbeb4bd665749d6234ae90d30923e210de21b9
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/#libuv-upgrade-out-of-bounds-read-medium-cve-2021-22918
https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829
https://github.com/nodejs/node/commit/a7496aba0a95b6425e9651c297697b5dd67ac358
https://github.com/nodejs/node/commit/623fd1fcb557985bf452984856c1d0ce4fc096a7
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/#npm-upgrade-hosted-git-info-regular-expression-denial-of-service-redos-medium-cve-2021-23362
https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355
https://github.com/npm/hosted-git-info/pull/76
https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/#npm-upgrade-ssri-regular-expression-denial-of-service-redos-high-cve-2021-27290
https://github.com/advisories/GHSA-vx3p-948g-6vhq
https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
https://github.com/npm/ssri/pull/17
https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2
https://security.archlinux.org/CVE-2021-22918
https://security.archlinux.org/CVE-2021-23362
https://security.archlinux.org/CVE-2021-27290

ArchLinux: 202107-33: nodejs-lts-erbium: multiple issues

July 20, 2021
The package nodejs-lts-erbium before version 12.22.3-1 is vulnerable to multiple issues including denial of service and information disclosure

Summary

- CVE-2021-22918 (information disclosure)
libuv before version 1.14.1, as bundled by Node.js before versions 16.4.1, 14.17.2 and 12.22.2, is vulnerable to an out-of-bounds read in the libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes.
- CVE-2021-23362 (denial of service)
A security issue has been found in Node.js before versions 16.4.1, 14.17.2 and 12.22.2. There is a vulnerability in the hosted-git-info npm module which may be vulnerable to denial of service attacks.
- CVE-2021-27290 (denial of service)
A security issue has been found in Node.js before versions 16.4.1, 14.17.2 and 12.22.2. There is a vulnerability in the ssri npm module which may be vulnerable to denial of service attacks.

Resolution

Upgrade to 12.22.3-1.
# pacman -Syu "nodejs-lts-erbium>=12.22.3-1"
The problems have been fixed upstream in version 12.22.3.

References

https://github.com/libuv/libuv/issues/3147 https://hackerone.com/reports/1209681 https://github.com/libuv/libuv/commit/86dbeb4bd665749d6234ae90d30923e210de21b9 https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/#libuv-upgrade-out-of-bounds-read-medium-cve-2021-22918 https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829 https://github.com/nodejs/node/commit/a7496aba0a95b6425e9651c297697b5dd67ac358 https://github.com/nodejs/node/commit/623fd1fcb557985bf452984856c1d0ce4fc096a7 https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/#npm-upgrade-hosted-git-info-regular-expression-denial-of-service-redos-medium-cve-2021-23362 https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355 https://github.com/npm/hosted-git-info/pull/76 https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3 https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/#npm-upgrade-ssri-regular-expression-denial-of-service-redos-high-cve-2021-27290 https://github.com/advisories/GHSA-vx3p-948g-6vhq https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf https://github.com/npm/ssri/pull/17 https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2 https://security.archlinux.org/CVE-2021-22918 https://security.archlinux.org/CVE-2021-23362 https://security.archlinux.org/CVE-2021-27290

Severity
CVE-ID : CVE-2021-22918 CVE-2021-23362 CVE-2021-27290
Package : nodejs-lts-erbium
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-2128

Impact

A remote attacker could disclose information by supplying crafted domain names, or cause denial of service through high resource usage with crafted Git repository URLs or Subresource Integrity (SRI) hashes.

Workaround

None.

Related News

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.