Описание
Security update for nodejs10
This update for nodejs10 fixes the following issues:
- CVE-2021-23343: Fixed ReDoS via splitDeviceRe, splitTailRe and splitPathRe (bsc#1192153).
- CVE-2021-32803: Fixed insufficient symlink protection in node-tar allowing arbitrary file creation and overwrite (bsc#1191963).
- CVE-2021-32804: Fixed insufficient absolute path sanitization in node-tar allowing arbitrary file creation and overwrite (bsc#1191962).
- CVE-2021-3918: Fixed improper controlled modification of object prototype attributes in json-schema (bsc#1192696).
- CVE-2021-3807: Fixed regular expression denial of service (ReDoS) matching ANSI escape codes in node-ansi-regex (bsc#1192154).
- CVE-2022-21824: Fixed prototype pollution via console.table (bsc#1194514).
Список пакетов
SUSE Linux Enterprise Module for Web and Scripting 12
Ссылки
- Link for SUSE-SU-2022:0570-1
- E-Mail link for SUSE-SU-2022:0570-1
- SUSE Security Ratings
- SUSE Bug 1191962
- SUSE Bug 1191963
- SUSE Bug 1192153
- SUSE Bug 1192154
- SUSE Bug 1192696
- SUSE Bug 1194514
- SUSE CVE CVE-2021-23343 page
- SUSE CVE CVE-2021-32803 page
- SUSE CVE CVE-2021-32804 page
- SUSE CVE CVE-2021-3807 page
- SUSE CVE CVE-2021-3918 page
- SUSE CVE CVE-2022-21824 page
Описание
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Затронутые продукты
Ссылки
- CVE-2021-23343
- SUSE Bug 1192153
Описание
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
Затронутые продукты
Ссылки
- CVE-2021-32803
- SUSE Bug 1191962
- SUSE Bug 1191963
Описание
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.
Затронутые продукты
Ссылки
- CVE-2021-32804
- SUSE Bug 1191962
Описание
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Затронутые продукты
Ссылки
- CVE-2021-3807
- SUSE Bug 1192154
Описание
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Затронутые продукты
Ссылки
- CVE-2021-3918
- SUSE Bug 1192696
Описание
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.
Затронутые продукты
Ссылки
- CVE-2022-21824
- SUSE Bug 1194514
- SUSE Bug 1202688