rhsa-2024:1687
Vulnerability from csaf_redhat
Published: 2024-04-08 09:13
Modified: 2025-03-21 01:04
Summary: Red Hat Security Advisory: nodejs:20 security update
Notes
Topic
An update for the nodejs:20 module is now available for Red Hat Enterprise Linux
8.
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
Details
Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.
Security Fix(es):
* nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin) (CVE-2023-46809)
* nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (CVE-2024-22019)
* nodejs: code injection and privilege escalation through Linux capabilities (CVE-2024-21892)
* nodejs: path traversal by monkey-patching buffer internals (CVE-2024-21896)
* nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization (CVE-2024-21891)
* nodejs: improper handling of wildcards in --allow-fs-read and --allow-fs-write (CVE-2024-21890)
* nodejs: setuid() does not drop all privileges due to io_uring (CVE-2024-22017)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for the nodejs:20 module is now available for Red Hat Enterprise Linux\n8.\n\nRed Hat Product Security has rated this update as having a security impact of\nImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives\na detailed severity rating, is available for each vulnerability from the CVE\nlink(s) in the References section.", title: "Topic", }, { category: "general", text: "Node.js is a software development platform for building fast and scalable\nnetwork applications in the JavaScript programming language.\n\nSecurity Fix(es):\n\n* nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin) (CVE-2023-46809)\n\n* nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (CVE-2024-22019)\n\n* nodejs: code injection and privilege escalation through Linux capabilities (CVE-2024-21892)\n\n* nodejs: path traversal by monkey-patching buffer internals (CVE-2024-21896)\n\n* nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization (CVE-2024-21891)\n\n* nodejs: improper handling of wildcards in --allow-fs-read and --allow-fs-write (CVE-2024-21890)\n\n* nodejs: setuid() does not drop all privileges due to io_uring (CVE-2024-22017)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:1687", url: "https://access.redhat.com/errata/RHSA-2024:1687", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2264569", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264569", }, { category: "external", summary: "2264574", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264574", }, { category: "external", summary: "2264582", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264582", }, { category: "external", summary: "2265717", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2265717", }, { category: "external", summary: "2265720", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2265720", }, { category: "external", summary: "2265722", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2265722", }, { category: "external", summary: "2265727", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2265727", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_1687.json", }, ], title: "Red Hat Security Advisory: nodejs:20 security update", tracking: { current_release_date: "2025-03-21T01:04:10+00:00", generator: { date: "2025-03-21T01:04:10+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2024:1687", initial_release_date: "2024-04-08T09:13:52+00:00", revision_history: [ { date: "2024-04-08T09:13:52+00:00", number: "1", summary: "Initial 
version", }, { date: "2024-04-08T09:13:52+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-21T01:04:10+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux AppStream (v. 8)", product: { name: "Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN", product_identification_helper: { cpe: "cpe:/a:redhat:enterprise_linux:8::appstream", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "nodejs:20:8090020240228165436:a75119d5", product: { name: "nodejs:20:8090020240228165436:a75119d5", product_id: "nodejs:20:8090020240228165436:a75119d5", product_identification_helper: { purl: "pkg:rpmmod/redhat/nodejs@20:8090020240228165436:a75119d5", }, }, }, { category: "product_version", name: "nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", product: { name: "nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", product_id: "nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-docs@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=noarch&epoch=1", }, }, }, { category: "product_version", name: "nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", product: { name: "nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", product_id: "nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-nodemon@3.0.1-1.module%2Bel8.9.0%2B20473%2Bc4e3d824?arch=noarch", }, }, }, { category: "product_version", name: "nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", product: { name: "nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", product_id: 
"nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-packaging@2021.06-4.module%2Bel8.9.0%2B19519%2Be25b965a?arch=noarch", }, }, }, { category: "product_version", name: "nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", product: { name: "nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", product_id: "nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-packaging-bundler@2021.06-4.module%2Bel8.9.0%2B19519%2Be25b965a?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", product: { name: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", product_id: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=src&epoch=1", }, }, }, { category: "product_version", name: "nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", product: { name: "nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", product_id: "nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-nodemon@3.0.1-1.module%2Bel8.9.0%2B20473%2Bc4e3d824?arch=src", }, }, }, { category: "product_version", name: "nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", product: { name: "nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", product_id: "nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-packaging@2021.06-4.module%2Bel8.9.0%2B19519%2Be25b965a?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: 
"nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", product: { name: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", product_id: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", product: { name: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", product_id: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-debuginfo@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", product: { name: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", product_id: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-debugsource@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", product: { name: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", product_id: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-devel@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", product: { name: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", product_id: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", product_identification_helper: { purl: 
"pkg:rpm/redhat/nodejs-full-i18n@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", product: { name: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", product_id: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/npm@10.2.4-1.20.11.1.1.module%2Bel8.9.0%2B21380%2B12032667?arch=x86_64&epoch=1", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", product: { name: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", product_id: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=s390x&epoch=1", }, }, }, { category: "product_version", name: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", product: { name: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", product_id: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-debuginfo@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=s390x&epoch=1", }, }, }, { category: "product_version", name: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", product: { name: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", product_id: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-debugsource@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=s390x&epoch=1", }, }, }, { category: "product_version", name: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", product: { name: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", product_id: 
"nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-devel@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=s390x&epoch=1", }, }, }, { category: "product_version", name: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", product: { name: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", product_id: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-full-i18n@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=s390x&epoch=1", }, }, }, { category: "product_version", name: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", product: { name: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", product_id: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/npm@10.2.4-1.20.11.1.1.module%2Bel8.9.0%2B21380%2B12032667?arch=s390x&epoch=1", }, }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", product: { name: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", product_id: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=ppc64le&epoch=1", }, }, }, { category: "product_version", name: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", product: { name: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", product_id: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-debuginfo@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=ppc64le&epoch=1", }, }, }, { category: "product_version", name: 
"nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", product: { name: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", product_id: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-debugsource@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=ppc64le&epoch=1", }, }, }, { category: "product_version", name: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", product: { name: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", product_id: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-devel@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=ppc64le&epoch=1", }, }, }, { category: "product_version", name: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", product: { name: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", product_id: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-full-i18n@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=ppc64le&epoch=1", }, }, }, { category: "product_version", name: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", product: { name: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", product_id: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/npm@10.2.4-1.20.11.1.1.module%2Bel8.9.0%2B21380%2B12032667?arch=ppc64le&epoch=1", }, }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", product: { name: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", product_id: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", product_identification_helper: { purl: 
"pkg:rpm/redhat/nodejs@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=aarch64&epoch=1", }, }, }, { category: "product_version", name: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", product: { name: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", product_id: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-debuginfo@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=aarch64&epoch=1", }, }, }, { category: "product_version", name: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", product: { name: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", product_id: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-debugsource@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=aarch64&epoch=1", }, }, }, { category: "product_version", name: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", product: { name: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", product_id: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-devel@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=aarch64&epoch=1", }, }, }, { category: "product_version", name: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", product: { name: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", product_id: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/nodejs-full-i18n@20.11.1-1.module%2Bel8.9.0%2B21380%2B12032667?arch=aarch64&epoch=1", }, }, }, { category: "product_version", name: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", product: { name: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", product_id: 
"npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/npm@10.2.4-1.20.11.1.1.module%2Bel8.9.0%2B21380%2B12032667?arch=aarch64&epoch=1", }, }, }, ], category: "architecture", name: "aarch64", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, product_reference: "nodejs:20:8090020240228165436:a75119d5", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN", }, { category: "default_component_of", full_product_name: { name: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64 as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", }, product_reference: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 
8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", }, product_reference: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", }, product_reference: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", }, product_reference: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64 as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 
8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", }, product_reference: "nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64 as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", }, product_reference: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", }, product_reference: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 
8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", }, product_reference: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64 as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", }, product_reference: "nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64 as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", }, product_reference: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 
8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", }, product_reference: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", }, product_reference: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64 as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", }, product_reference: "nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64 as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 
8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", }, product_reference: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", }, product_reference: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", }, product_reference: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64 as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 
8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", }, product_reference: "nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", }, product_reference: "nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64 as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", }, product_reference: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 
8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", }, product_reference: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", }, product_reference: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64 as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", }, product_reference: "nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 
8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", }, product_reference: "nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", }, product_reference: "nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", }, product_reference: "nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 
8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", }, product_reference: "nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", }, product_reference: "nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64 as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", }, product_reference: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 
8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", }, product_reference: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", }, product_reference: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, { category: "default_component_of", full_product_name: { name: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64 as a component of nodejs:20:8090020240228165436:a75119d5 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", }, product_reference: "npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", relates_to_product_reference: "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", }, ], }, vulnerabilities: [ { cve: "CVE-2023-46809", cwe: { id: "CWE-208", name: "Observable Timing Discrepancy", }, discovery_date: "2024-02-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2264569", }, ], notes: [ { category: "description", text: "A flaw was found in Node.js. The privateDecrypt() API of the crypto library may allow a covert timing side-channel during PKCS#1 v1.5 padding error handling. 
This issue revealed significant timing differences in decryption for valid and invalid ciphertexts, which may allow a remote attacker to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints processing JSON Web Encryption messages.", title: "Vulnerability description", }, { category: "summary", text: "nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin)", title: "Vulnerability summary", }, { category: "other", text: "This Node.js vulnerability poses a notable risk as it allows for covert timing side-channel attacks during RSA ciphertext decryption, potentially enabling attackers to decrypt captured data or forge signatures.\n\nIt's classified as \"Medium\" severity rather than important due to its dependency on specific conditions for exploitation, such as the use of the privateDecrypt() API with PKCS#1 v1.5 padding.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-46809", }, { category: "external", summary: "RHBZ#2264569", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264569", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-46809", url: "https://www.cve.org/CVERecord?id=CVE-2023-46809", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-46809", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-46809", }, ], release_date: "2024-02-16T00:00:00+00:00", 
remediations: [ { category: "vendor_fix", date: "2024-04-08T09:13:52+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:1687", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin)", }, { cve: "CVE-2024-21890", cwe: { id: "CWE-1059", name: "Insufficient Technical Documentation", }, discovery_date: "2024-02-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2265722", }, ], notes: [ { category: "description", text: "A flaw was 
found in the Node.js Permission Model, where it is not clarified in the documentation that wildcards should only be used as the last character of a file path. For example: --allow-fs-read=/home/node/.ssh/*.pub will ignore pub and give access to everything after .ssh/.", title: "Vulnerability description", }, { category: "summary", text: "nodejs: improper handling of wildcards in --allow-fs-read and --allow-fs-write", title: "Vulnerability summary", }, { category: "other", text: "This misleading documentation affects all users using the experimental permission model in active release lines 20.x and 21.x.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-21890", }, { category: "external", summary: "RHBZ#2265722", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2265722", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-21890", url: "https://www.cve.org/CVERecord?id=CVE-2024-21890", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-21890", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-21890", }, ], release_date: "2024-02-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-04-08T09:13:52+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:1687", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "nodejs: improper handling of wildcards in --allow-fs-read and --allow-fs-write", }, { cve: "CVE-2024-21891", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2024-02-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2265720", }, ], notes: [ { category: "description", text: "A flaw was found in Node.js. 
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwritten with user-defined implementations, leading to a filesystem permission model bypass through a path traversal attack.", title: "Vulnerability description", }, { category: "summary", text: "nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability affects users using the experimental permission model in active release lines 20.x and 21.x.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-21891", }, { category: "external", summary: "RHBZ#2265720", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2265720", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-21891", url: "https://www.cve.org/CVERecord?id=CVE-2024-21891", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-21891", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-21891", }, ], release_date: "2024-02-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-04-08T09:13:52+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:1687", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.6, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization", }, { cve: "CVE-2024-21892", cwe: { id: "CWE-94", name: "Improper Control of Generation of Code ('Code Injection')", }, discovery_date: "2024-02-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2264582", }, ], notes: [ { category: "description", text: "A flaw was found in Node.js. On Linux, Node.js ignores certain environment variables if an unprivileged user has set them while the process is running with elevated privileges, except for CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when other capabilities have been set. This flaw allows unprivileged users to inject code that inherits the process's elevated privileges.", title: "Vulnerability description", }, { category: "summary", text: "nodejs: code injection and privilege escalation through Linux capabilities", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is classified as an Important severity rather than Critical due to several factors. 
While it allows unprivileged users to inject code and potentially escalate privileges in a process running with elevated privileges, it does so under specific conditions and limitations. The vulnerability only affects Linux systems where Node.js is running with elevated privileges, and it relies on a specific bug in handling environment variables set by unprivileged users. Additionally, the impact is constrained to the Node.js environment and does not directly compromise the underlying operating system.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-21892", }, { category: "external", summary: "RHBZ#2264582", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264582", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-21892", url: "https://www.cve.org/CVERecord?id=CVE-2024-21892", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-21892", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-21892", }, ], release_date: "2024-02-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-04-08T09:13:52+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:1687", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "nodejs: code injection and privilege escalation through Linux capabilities", }, { cve: "CVE-2024-21896", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2024-02-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2265717", }, ], notes: [ { category: "description", text: "A flaw was found in Node.js. The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a buffer, the implementation uses Buffer.from() to obtain a buffer from the result of path.resolve(). 
By monkey-patching buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability.", title: "Vulnerability description", }, { category: "summary", text: "nodejs: path traversal by monkey-patching buffer internals", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability affects users using the experimental permission model in active release lines 20.x and 21.x.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-21896", }, { category: "external", summary: "RHBZ#2265717", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2265717", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-21896", url: "https://www.cve.org/CVERecord?id=CVE-2024-21896", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-21896", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-21896", }, ], release_date: "2024-02-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-04-08T09:13:52+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], restart_required: { category: "none", }, url: 
"https://access.redhat.com/errata/RHSA-2024:1687", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 7.9, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", version: "3.1", }, products: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "nodejs: path traversal by monkey-patching buffer internals", }, { cve: "CVE-2024-22017", cwe: { id: "CWE-269", name: "Improper Privilege Management", }, discovery_date: "2024-02-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2265727", }, ], notes: [ { category: "description", text: "A flaw was found in Node.js, where the setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). 
This issue allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid().", title: "Vulnerability description", }, { category: "summary", text: "nodejs: setuid() does not drop all privileges due to io_uring", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability affects all users in active release lines 20.x, and 21.x.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-22017", }, { category: "external", summary: "RHBZ#2265727", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2265727", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-22017", url: "https://www.cve.org/CVERecord?id=CVE-2024-22017", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-22017", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-22017", }, ], release_date: "2024-02-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-04-08T09:13:52+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], restart_required: { category: "none", }, url: 
"https://access.redhat.com/errata/RHSA-2024:1687", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.3, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "nodejs: setuid() does not drop all privileges due to io_uring", }, { cve: "CVE-2024-22019", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2024-02-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2264574", }, ], notes: [ { category: "description", text: "A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks", title: "Vulnerability summary", }, { category: "other", text: "While this vulnerability in Node.js HTTP servers poses a significant risk to system stability and availability, it is classified as a important severity issue rather than a critical one due to several factors. 
Firstly, while the vulnerability can lead to denial of service (DoS) attacks by causing resource exhaustion, it does not directly compromise the confidentiality or integrity of data stored or processed by the server. Additionally, the exploit requires the attacker to send specially crafted HTTP requests, which may limit the ease and scope of potential attacks compared to more critical vulnerabilities that can be exploited remotely without specific conditions.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-22019", }, { category: "external", summary: "RHBZ#2264574", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264574", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-22019", url: "https://www.cve.org/CVERecord?id=CVE-2024-22019", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-22019", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-22019", }, ], release_date: "2024-02-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-04-08T09:13:52+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], restart_required: { category: "none", }, url: 
"https://access.redhat.com/errata/RHSA-2024:1687", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-debugsource-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-devel-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-docs-1:20.11.1-1.module+el8.9.0+21380+12032667.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+21380+12032667.x86_64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch", 
"AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-nodemon-0:3.0.1-1.module+el8.9.0+20473+c4e3d824.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-0:2021.06-4.module+el8.9.0+19519+e25b965a.src", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:nodejs-packaging-bundler-0:2021.06-4.module+el8.9.0+19519+e25b965a.noarch", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x", "AppStream-8.9.0.Z.MAIN:nodejs:20:8090020240228165436:a75119d5:npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks", }, ], }