{"schema_version":"1.7.2","id":"OESA-2022-1769","modified":"2022-07-22T11:04:01Z","published":"2022-07-22T11:04:01Z","upstream":["CVE-2020-15095","CVE-2020-7774","CVE-2020-7754","CVE-2020-7788","CVE-2021-3918"],"summary":"nodejs security update","details":"Node.js is a platform built on Chrome\u0026apos;s JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\r\n\r\nSecurity Fix(es):\r\n\r\nVersions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like \u0026quot;\u0026lt;protocol\u0026gt;://[\u0026lt;user\u0026gt;[:\u0026lt;password\u0026gt;]@]\u0026lt;hostname\u0026gt;[:\u0026lt;port\u0026gt;][:][/]\u0026lt;path\u0026gt;\u0026quot;. The password value is not redacted and is printed to stdout and also to any generated log files.(CVE-2020-15095)\n\nThis affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require( y18n )(); y18n.setLocale( proto ); y18n.updateLocale({polluted: true}); console.log(polluted); // true(CVE-2020-7774)\n\nThis affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.(CVE-2020-7754)\n\nThis affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.(CVE-2020-7788)\n\njson-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ( Prototype Pollution )(CVE-2021-3918)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP1","name":"nodejs","purl":"pkg:rpm/openEuler/nodejs\u0026distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"12.22.11-1.oe1"}]}],"ecosystem_specific":{"aarch64":["npm-6.14.16-1.12.22.11.1.oe1.aarch64.rpm","nodejs-full-i18n-12.22.11-1.oe1.aarch64.rpm","nodejs-12.22.11-1.oe1.aarch64.rpm","nodejs-debuginfo-12.22.11-1.oe1.aarch64.rpm","nodejs-libs-12.22.11-1.oe1.aarch64.rpm","v8-devel-7.8.279.23-1.12.22.11.1.oe1.aarch64.rpm","nodejs-debugsource-12.22.11-1.oe1.aarch64.rpm","nodejs-devel-12.22.11-1.oe1.aarch64.rpm"],"noarch":["nodejs-docs-12.22.11-1.oe1.noarch.rpm"],"src":["nodejs-12.22.11-1.oe1.src.rpm"],"x86_64":["nodejs-12.22.11-1.oe1.x86_64.rpm","nodejs-full-i18n-12.22.11-1.oe1.x86_64.rpm","v8-devel-7.8.279.23-1.12.22.11.1.oe1.x86_64.rpm","nodejs-devel-12.22.11-1.oe1.x86_64.rpm","nodejs-debugsource-12.22.11-1.oe1.x86_64.rpm","npm-6.14.16-1.12.22.11.1.oe1.x86_64.rpm","nodejs-debuginfo-12.22.11-1.oe1.x86_64.rpm","nodejs-libs-12.22.11-1.oe1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:20.03-LTS-SP3","name":"nodejs","purl":"pkg:rpm/openEuler/nodejs\u0026distro=openEuler-20.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"12.22.11-1.oe1"}]}],"ecosystem_specific":{"aarch64":["nodejs-devel-12.22.11-1.oe1.aarch64.rpm","nodejs-debugsource-12.22.11-1.oe1.aarch64.rpm","v8-devel-7.8.279.23-1.12.22.11.1.oe1.aarch64.rpm","npm-6.14.16-1.12.22.11.1.oe1.aarch64.rpm","nodejs-12.22.11-1.oe1.aarch64.rpm","nodejs-debuginfo-12.22.11-1.oe1.aarch64.rpm","nodejs-full-i18n-12.22.11-1.oe1.aarch64.rpm","nodejs-libs-12.22.11-1.oe1.aarch64.rpm"],"noarch":["nodejs-docs-12.22.11-1.oe1.noarch.rpm"],"src":["nodejs-12.22.11-1.oe1.src.rpm"],"x86_64":["nodejs-libs-12.22.11-1.oe1.x86_64.rpm","v8-devel-7.8.279.23-1.12.22.11.1.oe1.x86_64.rpm","nodejs-12.22.11-1.oe1.x86_64.rpm","nodejs-debugsource-12.22.11-1.oe1.x86_64.rpm","nodejs-devel-12.22.11-1.oe1.x86_64.rpm","npm-6.14.16-1.12.22.11.1.oe1.x86_64.rpm","nodejs-full-i18n-12.22.11-1.oe1.x86_64.rpm","nodejs-debuginfo-12.22.11-1.oe1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1769"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15095"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7774"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7754"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7788"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3918"}],"database_specific":{"severity":"Critical"}}