ALT-PU-2022-2226-2

Package update node in branch sisyphus

Version16.16.0-alt1

Published2026-02-04

Max severityCRITICAL

Severity:

Closed issues (6)

HIGH7.3

Уязвимость программной платформы Node.js, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнять атаку "контрабанда HTTP-запросов"

Published: 2022-07-15Modified: 2024-09-13

CVSS 3.xHIGH 7.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

References

CVE-2022-32214

HIGH7.3

Уязвимость библиотеки providers.dll программной платформы Node.js, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнить произвольный код

Published: 2022-07-15

CVSS 3.xHIGH 7.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

References

CVE-2022-32223

MEDIUM6.5

The llhttp parser
Published: 2022-07-14Modified: 2024-11-21
CVSS 3.xMEDIUM 6.5
`CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N`
References
https://hackerone.com/reports/1524692
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
https://www.debian.org/security/2023/dsa-5326
https://hackerone.com/reports/1524692
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
https://www.debian.org/security/2023/dsa-5326

MEDIUM6.5

The llhttp parser
Published: 2022-07-14Modified: 2024-11-21
CVSS 3.xMEDIUM 6.5
`CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N`
References
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
https://hackerone.com/reports/1501679
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
https://www.debian.org/security/2023/dsa-5326
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
https://hackerone.com/reports/1501679
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
https://www.debian.org/security/2023/dsa-5326

HIGH7.3

Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability.

Published: 2022-07-14Modified: 2024-11-21

CVSS 3.xHIGH 7.3

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References

GHSA-q5vx-44v4-gch4

CRITICAL9.1

llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields

Published: 2022-07-15Modified: 2023-07-11

CVSS 3.xCRITICAL 9.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References