ALSA-2024:1687

Source

https://errata.almalinux.org/8/ALSA-2024-1687.html

Import Source

https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/ALSA-2024:1687.json

Related

• CVE-2023-46809
• CVE-2024-21890
• CVE-2024-21891
• CVE-2024-21892
• CVE-2024-21896
• CVE-2024-22017
• CVE-2024-22019

Published

2024-04-08T00:00:00Z

Modified

2024-04-09T14:54:02Z

Details

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

• nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin) (CVE-2023-46809)
• nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (CVE-2024-22019)
• nodejs: code injection and privilege escalation through Linux capabilities (CVE-2024-21892)
• nodejs: path traversal by monkey-patching buffer internals (CVE-2024-21896)
• nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization (CVE-2024-21891)
• nodejs: improper handling of wildcards in --allow-fs-read and --allow-fs-write (CVE-2024-21890)
• nodejs: setuid() does not drop all privileges due to io_uring (CVE-2024-22017)

References

• https://access.redhat.com/errata/RHSA-2024:1687
• https://access.redhat.com/security/cve/CVE-2023-46809
• https://access.redhat.com/security/cve/CVE-2024-21890
• https://access.redhat.com/security/cve/CVE-2024-21891
• https://access.redhat.com/security/cve/CVE-2024-21892
• https://access.redhat.com/security/cve/CVE-2024-21896
• https://access.redhat.com/security/cve/CVE-2024-22017
• https://access.redhat.com/security/cve/CVE-2024-22019
• https://bugzilla.redhat.com/2264569
• https://bugzilla.redhat.com/2264574
• https://bugzilla.redhat.com/2264582
• https://bugzilla.redhat.com/2265717
• https://bugzilla.redhat.com/2265720
• https://bugzilla.redhat.com/2265722
• https://bugzilla.redhat.com/2265727
• https://errata.almalinux.org/8/ALSA-2024-1687.html