All errata/p10/ALT-PU-2022-3235-2
ALT-PU-2022-3235-2

Package update node in branch p10

Version14.21.1-alt1
Task#310516
Published2026-02-04
Max severityCRITICAL
Severity:

Closed issues (14)

BDU:2022-04390
HIGH7.3

Уязвимость программной платформы Node.js, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнять атаку "контрабанда HTTP-запросов"

Published: 2022-07-15Modified: 2024-09-13
CVSS 3.xHIGH 7.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS 2.0HIGH 7.5
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
References
BDU:2022-04391
HIGH7.3

Уязвимость библиотеки providers.dll программной платформы Node.js, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнить произвольный код

Published: 2022-07-15
CVSS 3.xHIGH 7.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS 2.0HIGH 7.5
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
References
BDU:2022-06821
HIGH7.5

Уязвимость реализации параметра --inspect программного средства работы с объектами Node.js, позволяющей нарушителю выполнить произвольный код

Published: 2022-11-17Modified: 2026-01-20
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:C/A:N
References
BDU:2023-00348
CRITICAL9.8

Уязвимость анализатора HTTP-кода llhttp программного обеспечения для управления сетевой инфраструктурой SINEC INS (Infrastructure Network Services), позволяющая нарушителю выполнить произвольный код

Published: 2023-01-24
CVSS 3.xCRITICAL 9.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
References
BDU:2024-07321
HIGH8.1

Уязвимость функции IsIPAddress() программной платформы Node.js, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании

Published: 2024-09-23Modified: 2026-01-20
CVSS 3.xHIGH 8.1
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0HIGH 7.6
CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:C
References
CVE-2022-32212
HIGH8.1

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

Published: 2022-07-14Modified: 2024-11-21
CVSS 3.xHIGH 8.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2022-32213
MEDIUM6.5

The llhttp parser
Published: 2022-07-14Modified: 2024-11-21
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References

CVE-2022-32215
MEDIUM6.5

The llhttp parser
Published: 2022-07-14Modified: 2024-11-21
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References

CVE-2022-32223
HIGH7.3

Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability.

Published: 2022-07-14Modified: 2024-11-21
CVSS 3.xHIGH 7.3
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
References
CVE-2022-35256
MEDIUM6.5

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

Published: 2022-12-05Modified: 2025-04-24
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References
CVE-2022-43548
HIGH8.1

A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.

Published: 2022-12-05Modified: 2025-04-24
CVSS 3.xHIGH 8.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References
GHSA-5689-v88g-g6rv
CRITICAL9.1

llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding

Published: 2022-07-15Modified: 2023-07-11
CVSS 3.xCRITICAL 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References
GHSA-q5vx-44v4-gch4
CRITICAL9.1

llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields

Published: 2022-07-15Modified: 2023-07-11
CVSS 3.xCRITICAL 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References