Clair scanner is reporting list of CVEs against image registry.access.redhat.com/ubi8/nodejs-12 and pointing to nodejs-14 advisory. So there are two issues I see here:
For the nodejs image, it should consider the version of nodejs while comparing against known CVEs. I get the below report by clair for an image which has registry.access.redhat.com/ubi8/nodejs-12 as its base image:
{
"image": ".com/test:2.6.1-dockerimg.63dd7052",
"unapproved": [
"RHSA-2021:5171",
"RHSA-2021:3666",
"RHSA-2022:0350",
"RHSA-2021:5171",
"RHSA-2021:3074",
"RHSA-2021:3666",
"RHSA-2021:0744",
"RHSA-2021:0551",
"RHSA-2022:0350",
"RHSA-2021:5171",
"RHSA-2021:3074",
"RHSA-2021:3666",
"RHSA-2021:0744",
"RHSA-2021:0551",
"RHSA-2022:0350",
"RHSA-2021:5171",
"RHSA-2021:3074",
"RHSA-2021:3666",
"RHSA-2021:0744",
"RHSA-2021:0551",
"RHSA-2022:0350",
"RHSA-2021:5171",
"RHSA-2022:0350"
],
"vulnerabilities": [
{
"featurename": "nodejs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:3666",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930) * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940) * c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672) * nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931) * nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803) * nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804) * nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939) * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * nodejs:14/nodejs: Make FIPS options always available (BZ#1993924)",
"link": "https://access.redhat.com/errata/RHSA-2021:3666",
"severity": "High",
"fixedby": "1:14.17.5-1.module+el8.4.0+12247+e2879e58"
},
{
"featurename": "npm",
"featureversion": "1:6.14.14-1.12.22.5.1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:3666",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930) * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940) * c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672) * nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931) * nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803) * nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804) * nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939) * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * nodejs:14/nodejs: Make FIPS options always available (BZ#1993924)",
"link": "https://access.redhat.com/errata/RHSA-2021:3666",
"severity": "High",
"fixedby": "1:6.14.14-1.14.17.5.1.module+el8.4.0+12247+e2879e58"
},
{
"featurename": "nodejs-docs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:0744",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.16.0). Security Fix(es): * nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion (CVE-2021-22883) * nodejs: DNS rebinding in --inspect (CVE-2021-22884) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Node.js should not be built with "--debug-nghttp2" (BZ#1932427)",
"link": "https://access.redhat.com/errata/RHSA-2021:0744",
"severity": "High",
"fixedby": "1:14.16.0-2.module+el8.3.0+10180+b92e1eb6"
},
{
"featurename": "nodejs-docs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:3666",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930) * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940) * c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672) * nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931) * nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803) * nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804) * nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939) * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * nodejs:14/nodejs: Make FIPS options always available (BZ#1993924)",
"link": "https://access.redhat.com/errata/RHSA-2021:3666",
"severity": "High",
"fixedby": "1:14.17.5-1.module+el8.4.0+12247+e2879e58"
},
{
"featurename": "nodejs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:0744",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.16.0). Security Fix(es): * nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion (CVE-2021-22883) * nodejs: DNS rebinding in --inspect (CVE-2021-22884) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Node.js should not be built with "--debug-nghttp2" (BZ#1932427)",
"link": "https://access.redhat.com/errata/RHSA-2021:0744",
"severity": "High",
"fixedby": "1:14.16.0-2.module+el8.3.0+10180+b92e1eb6"
},
{
"featurename": "nodejs-full-i18n",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:3666",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930) * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940) * c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672) * nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931) * nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803) * nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804) * nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939) * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * nodejs:14/nodejs: Make FIPS options always available (BZ#1993924)",
"link": "https://access.redhat.com/errata/RHSA-2021:3666",
"severity": "High",
"fixedby": "1:14.17.5-1.module+el8.4.0+12247+e2879e58"
},
{
"featurename": "nodejs-full-i18n",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:0744",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.16.0). Security Fix(es): * nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion (CVE-2021-22883) * nodejs: DNS rebinding in --inspect (CVE-2021-22884) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Node.js should not be built with "--debug-nghttp2" (BZ#1932427)",
"link": "https://access.redhat.com/errata/RHSA-2021:0744",
"severity": "High",
"fixedby": "1:14.16.0-2.module+el8.3.0+10180+b92e1eb6"
},
{
"featurename": "npm",
"featureversion": "1:6.14.14-1.12.22.5.1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:5171",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2021:5171",
"severity": "Medium",
"fixedby": "1:8.1.2-1.16.13.1.3.module+el8.5.0+13548+45d748af"
},
{
"featurename": "nodejs-full-i18n",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2022:0350",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2022:0350",
"severity": "Medium",
"fixedby": "1:14.18.2-2.module+el8.5.0+13644+8d46dafd"
},
{
"featurename": "nodejs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:5171",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2021:5171",
"severity": "Medium",
"fixedby": "1:16.13.1-3.module+el8.5.0+13548+45d748af"
},
{
"featurename": "nodejs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:3074",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.17.3). (BZ#1978203) Security Fix(es): * nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362) * nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290) * libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes (CVE-2021-22918) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2021:3074",
"severity": "Medium",
"fixedby": "1:14.17.3-2.module+el8.4.0+11738+3bd42762"
},
{
"featurename": "nodejs-full-i18n",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:0551",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.15.4). Security Fix(es): * nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754) * nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774) * nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788) * nodejs: use-after-free in the TLS implementation (CVE-2020-8265) * c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277) * nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366) * nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * yarn install crashes with nodejs:14 on aarch64 (BZ#1916465)",
"link": "https://access.redhat.com/errata/RHSA-2021:0551",
"severity": "Medium",
"fixedby": "1:14.15.4-2.module+el8.3.0+9635+ffdf8381"
},
{
"featurename": "nodejs-full-i18n",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:3074",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.17.3). (BZ#1978203) Security Fix(es): * nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362) * nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290) * libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes (CVE-2021-22918) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2021:3074",
"severity": "Medium",
"fixedby": "1:14.17.3-2.module+el8.4.0+11738+3bd42762"
},
{
"featurename": "nodejs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:0551",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.15.4). Security Fix(es): * nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754) * nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774) * nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788) * nodejs: use-after-free in the TLS implementation (CVE-2020-8265) * c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277) * nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366) * nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * yarn install crashes with nodejs:14 on aarch64 (BZ#1916465)",
"link": "https://access.redhat.com/errata/RHSA-2021:0551",
"severity": "Medium",
"fixedby": "1:14.15.4-2.module+el8.3.0+9635+ffdf8381"
},
{
"featurename": "nodejs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2022:0350",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2022:0350",
"severity": "Medium",
"fixedby": "1:14.18.2-2.module+el8.5.0+13644+8d46dafd"
},
{
"featurename": "nodejs-docs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:5171",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2021:5171",
"severity": "Medium",
"fixedby": "1:16.13.1-3.module+el8.5.0+13548+45d748af"
},
{
"featurename": "nodejs-docs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:3074",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.17.3). (BZ#1978203) Security Fix(es): * nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362) * nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290) * libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes (CVE-2021-22918) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2021:3074",
"severity": "Medium",
"fixedby": "1:14.17.3-2.module+el8.4.0+11738+3bd42762"
},
{
"featurename": "nodejs-full-i18n",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:5171",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2021:5171",
"severity": "Medium",
"fixedby": "1:16.13.1-3.module+el8.5.0+13548+45d748af"
},
{
"featurename": "npm",
"featureversion": "1:6.14.14-1.12.22.5.1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2022:0350",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2022:0350",
"severity": "Medium",
"fixedby": "1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd"
},
{
"featurename": "nodejs-docs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:0551",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.15.4). Security Fix(es): * nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754) * nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774) * nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788) * nodejs: use-after-free in the TLS implementation (CVE-2020-8265) * c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277) * nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366) * nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * yarn install crashes with nodejs:14 on aarch64 (BZ#1916465)",
"link": "https://access.redhat.com/errata/RHSA-2021:0551",
"severity": "Medium",
"fixedby": "1:14.15.4-2.module+el8.3.0+9635+ffdf8381"
},
{
"featurename": "nodejs-docs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2022:0350",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2022:0350",
"severity": "Medium",
"fixedby": "1:14.18.2-2.module+el8.5.0+13644+8d46dafd"
},
{
"featurename": "nodejs-nodemon",
"featureversion": "2.0.3-1.module+el8.4.0+11732+c668cc9f",
"vulnerability": "RHSA-2021:5171",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2021:5171",
"severity": "Medium",
"fixedby": "0:2.0.15-1.module+el8.5.0+13548+45d748af"
},
{
"featurename": "nodejs-nodemon",
"featureversion": "2.0.3-1.module+el8.4.0+11732+c668cc9f",
"vulnerability": "RHSA-2022:0350",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2022:0350",
"severity": "Medium",
"fixedby": "0:2.0.15-1.module+el8.5.0+13504+a2e74d91"
}
]
}
clair found vulnerabilities
For nodejs-12, the actual errata link is "https://access.redhat.com/errata/RHSA-2021:3623". Please notice that the featureversion marked in the above report is actually the version which fixes the CVE for nodejs-12.
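A triage filter for the mismatch described above, written for this page as an added example; it is not code from Clair or clair-scanner. It assumes the report shape shown in the issue, that the nodejs, nodejs-docs and nodejs-full-i18n RPMs carry the Node.js version in their version field, and that npm's release field embeds the bundled Node.js version (as the report's `1.12.22.5.1.module+...` strings do). The names `split_evr`, `nodejs_stream`, `classify`, `triage` and `SAMPLE_REPORT` are mine; the sample report is constructed from three entries on this page plus one made-up same-stream entry with a placeholder advisory id.

```python
import json
import re
from typing import Optional

# Subpackages of the nodejs module whose version field is the Node.js version
# (the three seen in the clair-scanner report on this page). nodejs-nodemon is
# a separate package and carries no stream in its EVR, so it stays out.
NODE_VERSIONED = {"nodejs", "nodejs-docs", "nodejs-full-i18n"}

# npm's RPM release embeds the bundled Node.js version, e.g.
# "1.12.22.5.1.module+el8.4.0+..." -> Node.js 12.22.5; group 1 is the stream.
NPM_RELEASE_RE = re.compile(r"^\d+\.(\d+)\.\d+\.\d+\.")

# Constructed sample in the clair-scanner report shape shown on this page: three
# entries copied from the report above (descriptions trimmed) plus one made-up
# same-stream entry with a placeholder advisory id, so every verdict is exercised.
SAMPLE_REPORT = json.dumps({
    "image": "example.invalid/test:2.6.1",
    "unapproved": ["RHSA-2021:3666", "RHSA-2022:0350", "RHSA-2021:5171"],
    "vulnerabilities": [
        {"featurename": "nodejs", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
         "vulnerability": "RHSA-2021:3666", "namespace": "centos:8", "description": "(trimmed)",
         "link": "https://access.redhat.com/errata/RHSA-2021:3666", "severity": "High",
         "fixedby": "1:14.17.5-1.module+el8.4.0+12247+e2879e58"},
        {"featurename": "npm", "featureversion": "1:6.14.14-1.12.22.5.1.module+el8.4.0+12242+af52a4c7",
         "vulnerability": "RHSA-2022:0350", "namespace": "centos:8", "description": "(trimmed)",
         "link": "https://access.redhat.com/errata/RHSA-2022:0350", "severity": "Medium",
         "fixedby": "1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd"},
        {"featurename": "nodejs-nodemon", "featureversion": "2.0.3-1.module+el8.4.0+11732+c668cc9f",
         "vulnerability": "RHSA-2021:5171", "namespace": "centos:8", "description": "(trimmed)",
         "link": "https://access.redhat.com/errata/RHSA-2021:5171", "severity": "Medium",
         "fixedby": "0:2.0.15-1.module+el8.5.0+13548+45d748af"},
        # Constructed same-stream entry; advisory id and versions are placeholders.
        {"featurename": "nodejs", "featureversion": "1:12.20.0-1.module+el8.0.0+0+constructed",
         "vulnerability": "RHSA-0000:0000", "namespace": "centos:8", "description": "(constructed)",
         "link": "https://example.invalid/RHSA-0000:0000", "severity": "Medium",
         "fixedby": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7"},
    ],
})


def split_evr(evr: str):
    """Split an RPM EVR string 'epoch:version-release' into (epoch, version, release).

    A missing epoch means 0 (rpm semantics). The release is everything after the
    first '-', so module tags such as '1.module+el8.4.0+12242+af52a4c7' stay intact.
    """
    epoch = 0
    if ":" in evr:
        epoch_str, evr = evr.split(":", 1)
        epoch = int(epoch_str)
    version, _, release = evr.partition("-")
    return epoch, version, release


def nodejs_stream(featurename: str, evr: str) -> Optional[int]:
    """Return the Node.js module stream (major version) encoded in a package EVR, or None."""
    _, version, release = split_evr(evr)
    if featurename in NODE_VERSIONED:
        return int(version.split(".")[0])
    if featurename == "npm":
        match = NPM_RELEASE_RE.match(release)
        return int(match.group(1)) if match else None
    return None


def classify(finding: dict) -> dict:
    """Label one finding by whether the advisory's fixed version lives in the same
    module stream as the installed package."""
    installed = nodejs_stream(finding["featurename"], finding["featureversion"])
    fixed = nodejs_stream(finding["featurename"], finding["fixedby"])
    if installed is None or fixed is None:
        verdict = "unknown-stream"
    elif installed == fixed:
        verdict = "same-stream"
    else:
        verdict = "cross-stream"  # fix belongs to another stream: suspected false positive
    return {
        "featurename": finding["featurename"],
        "vulnerability": finding["vulnerability"],
        "installed_stream": installed,
        "fixed_stream": fixed,
        "verdict": verdict,
    }


def triage(report_json: str) -> dict:
    """Group every finding of a clair-scanner JSON report by verdict."""
    report = json.loads(report_json)
    groups = {"same-stream": [], "cross-stream": [], "unknown-stream": []}
    for finding in report["vulnerabilities"]:
        result = classify(finding)
        groups[result["verdict"]].append(result)
    return groups


if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_REPORT).items():
        for item in items:
            print(f"{verdict:14} {item['featurename']:16} {item['vulnerability']} "
                  f"installed={item['installed_stream']} fixed={item['fixed_stream']}")
```

Run it on a real clair-scanner report by passing the file contents to `triage`. The `cross-stream` group is the set to review against the stream-specific errata rather than to approve blindly; `unknown-stream` entries (here nodejs-nodemon) carry no stream in their EVR and still need a manual check. The stream heuristic is only as good as the packaging convention it assumes, so extend `NODE_VERSIONED` if other subpackages of the module show up in your images.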