Alerts This Week
Warning Icon 1 916
Alerts This Week
Warning Icon 1 916

SUSE: 2024:0644-1 Critical: nodejs18 Denial Of Service Attack and Elevation

suse
Calendar Grey February 28, 2024
Dist Suse Esm H88
A security patch for nodejs18 addresses several vulnerabilities, such as Denial of Service (DoS) threats and privilege escalation risks specifically on SUSE platforms.
* bsc#1219724 * bsc#1219992 * bsc#1219993 * bsc#1219997 * bsc#1220014

Summary

## This update for nodejs18 fixes the following issues: Update to 18.19.1: (security updates) * CVE-2024-21892: Code injection and privilege escalation through Linux capabilities (bsc#1219992). * CVE-2024-22019: http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (bsc#1219993). * CVE-2023-46809: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) (bsc#1219997). * CVE-2024-22025: Denial of Service by resource exhaustion in fetch() brotli decoding (bsc#1220014). * CVE-2024-24758: undici version 5.28.3 (bsc#1220017). * CVE-2024-24806: libuv version 1.48.0 (bsc#1219724). Update to LTS version 18.19.0 * deps: npm updates to 10.x * esm: * Leverage loaders when resolving subsequent loaders

Topics%20covered

Topics Covered

security advisory denial of service software update critical threat SUSE Linux nodejs18 elevation flaw

References

* bsc#1219724

* bsc#1219992

* bsc#1219993

* bsc#1219997

* bsc#1220014

* bsc#1220017

Cross-

* CVE-2023-46809

* CVE-2024-21892

* CVE-2024-22019

* CVE-2024-22025

* CVE-2024-24758

* CVE-2024-24806

CVSS scores:

* CVE-2023-46809 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

* CVE-2024-21892 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

* CVE-2024-22019 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2024-24758 ( SUSE ): 3.9 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

* CVE-2024-24806 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

* CVE-2024-24806 ( NVD ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Products:

* SUSE Linux Enterprise High Performance Computing 12 SP2

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: SUSE-SU-2024:0644-1
Rating: important

Topics%20covered

Topics Covered

security advisory denial of service software update critical threat SUSE Linux nodejs18 elevation flaw

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here