A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.
{ "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro", "ubuntu_priority": "medium", "binaries": [ { "binary_name": "nodejs", "binary_version": "8.10.0~dfsg-2ubuntu0.4+esm4" }, { "binary_name": "nodejs-dbgsym", "binary_version": "8.10.0~dfsg-2ubuntu0.4+esm4" }, { "binary_name": "nodejs-dev", "binary_version": "8.10.0~dfsg-2ubuntu0.4+esm4" }, { "binary_name": "nodejs-doc", "binary_version": "8.10.0~dfsg-2ubuntu0.4+esm4" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_name": "libnode-dev", "binary_version": "10.19.0~dfsg-3ubuntu1.3" }, { "binary_name": "libnode64", "binary_version": "10.19.0~dfsg-3ubuntu1.3" }, { "binary_name": "libnode64-dbgsym", "binary_version": "10.19.0~dfsg-3ubuntu1.3" }, { "binary_name": "nodejs", "binary_version": "10.19.0~dfsg-3ubuntu1.3" }, { "binary_name": "nodejs-dbgsym", "binary_version": "10.19.0~dfsg-3ubuntu1.3" }, { "binary_name": "nodejs-doc", "binary_version": "10.19.0~dfsg-3ubuntu1.3" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_name": "libnode-dev", "binary_version": "12.22.9~dfsg-1ubuntu3.2" }, { "binary_name": "libnode72", "binary_version": "12.22.9~dfsg-1ubuntu3.2" }, { "binary_name": "libnode72-dbgsym", "binary_version": "12.22.9~dfsg-1ubuntu3.2" }, { "binary_name": "nodejs", "binary_version": "12.22.9~dfsg-1ubuntu3.2" }, { "binary_name": "nodejs-dbgsym", "binary_version": "12.22.9~dfsg-1ubuntu3.2" }, { "binary_name": "nodejs-doc", "binary_version": "12.22.9~dfsg-1ubuntu3.2" } ] }