
clair scanner falsely reports NodeJS CVE against NodeJS-12

Open divya-basant opened this issue 3 years ago • 0 comments

Clair scanner is reporting a list of CVEs against the image registry.access.redhat.com/ubi8/nodejs-12 and pointing to the nodejs-14 advisory. So there are two issues I see here:

  1. For the nodejs image, it should consider the version of nodejs when comparing against known CVEs. I get the report below from clair for an image which has registry.access.redhat.com/ubi8/nodejs-12 as its base image:

```json
{
  "image": ".com/test:2.6.1-dockerimg.63dd7052",
  "unapproved": [ "RHSA-2021:5171", "RHSA-2021:3666", "RHSA-2022:0350", "RHSA-2021:5171", "RHSA-2021:3074", "RHSA-2021:3666", "RHSA-2021:0744", "RHSA-2021:0551", "RHSA-2022:0350", "RHSA-2021:5171", "RHSA-2021:3074", "RHSA-2021:3666", "RHSA-2021:0744", "RHSA-2021:0551", "RHSA-2022:0350", "RHSA-2021:5171", "RHSA-2021:3074", "RHSA-2021:3666", "RHSA-2021:0744", "RHSA-2021:0551", "RHSA-2022:0350", "RHSA-2021:5171", "RHSA-2022:0350" ],
  "vulnerabilities": [
    { "featurename": "nodejs", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2021:3666", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930) * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940) * c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672) * nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931) * nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803) * nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804) * nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939) * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * nodejs:14/nodejs: Make FIPS options always available (BZ#1993924)", "link": "https://access.redhat.com/errata/RHSA-2021:3666", "severity": "High", "fixedby": "1:14.17.5-1.module+el8.4.0+12247+e2879e58" },
    { "featurename": "npm", "featureversion": "1:6.14.14-1.12.22.5.1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2021:3666", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930) * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940) * c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672) * nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931) * nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803) * nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804) * nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939) * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * nodejs:14/nodejs: Make FIPS options always available (BZ#1993924)", "link": "https://access.redhat.com/errata/RHSA-2021:3666", "severity": "High", "fixedby": "1:6.14.14-1.14.17.5.1.module+el8.4.0+12247+e2879e58" },
    { "featurename": "nodejs-docs", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2021:0744", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.16.0). Security Fix(es): * nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion (CVE-2021-22883) * nodejs: DNS rebinding in --inspect (CVE-2021-22884) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Node.js should not be built with \"--debug-nghttp2\" (BZ#1932427)", "link": "https://access.redhat.com/errata/RHSA-2021:0744", "severity": "High", "fixedby": "1:14.16.0-2.module+el8.3.0+10180+b92e1eb6" },
    { "featurename": "nodejs-docs", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2021:3666", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930) * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940) * c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672) * nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931) * nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803) * nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804) * nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939) * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * nodejs:14/nodejs: Make FIPS options always available (BZ#1993924)", "link": "https://access.redhat.com/errata/RHSA-2021:3666", "severity": "High", "fixedby": "1:14.17.5-1.module+el8.4.0+12247+e2879e58" },
    { "featurename": "nodejs", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2021:0744", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.16.0). Security Fix(es): * nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion (CVE-2021-22883) * nodejs: DNS rebinding in --inspect (CVE-2021-22884) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Node.js should not be built with \"--debug-nghttp2\" (BZ#1932427)", "link": "https://access.redhat.com/errata/RHSA-2021:0744", "severity": "High", "fixedby": "1:14.16.0-2.module+el8.3.0+10180+b92e1eb6" },
    { "featurename": "nodejs-full-i18n", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2021:3666", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930) * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940) * c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672) * nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931) * nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803) * nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804) * nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939) * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * nodejs:14/nodejs: Make FIPS options always available (BZ#1993924)", "link": "https://access.redhat.com/errata/RHSA-2021:3666", "severity": "High", "fixedby": "1:14.17.5-1.module+el8.4.0+12247+e2879e58" },
    { "featurename": "nodejs-full-i18n", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2021:0744", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.16.0). Security Fix(es): * nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion (CVE-2021-22883) * nodejs: DNS rebinding in --inspect (CVE-2021-22884) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Node.js should not be built with \"--debug-nghttp2\" (BZ#1932427)", "link": "https://access.redhat.com/errata/RHSA-2021:0744", "severity": "High", "fixedby": "1:14.16.0-2.module+el8.3.0+10180+b92e1eb6" },
    { "featurename": "npm", "featureversion": "1:6.14.14-1.12.22.5.1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2021:5171", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "link": "https://access.redhat.com/errata/RHSA-2021:5171", "severity": "Medium", "fixedby": "1:8.1.2-1.16.13.1.3.module+el8.5.0+13548+45d748af" },
    { "featurename": "nodejs-full-i18n", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2022:0350", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "link": "https://access.redhat.com/errata/RHSA-2022:0350", "severity": "Medium", "fixedby": "1:14.18.2-2.module+el8.5.0+13644+8d46dafd" },
    { "featurename": "nodejs", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2021:5171", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "link": "https://access.redhat.com/errata/RHSA-2021:5171", "severity": "Medium", "fixedby": "1:16.13.1-3.module+el8.5.0+13548+45d748af" },
    { "featurename": "nodejs", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2021:3074", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.17.3). (BZ#1978203) Security Fix(es): * nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362) * nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290) * libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes (CVE-2021-22918) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "link": "https://access.redhat.com/errata/RHSA-2021:3074", "severity": "Medium", "fixedby": "1:14.17.3-2.module+el8.4.0+11738+3bd42762" },
    { "featurename": "nodejs-full-i18n", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2021:0551", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.15.4). Security Fix(es): * nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754) * nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774) * nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788) * nodejs: use-after-free in the TLS implementation (CVE-2020-8265) * c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277) * nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366) * nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * yarn install crashes with nodejs:14 on aarch64 (BZ#1916465)", "link": "https://access.redhat.com/errata/RHSA-2021:0551", "severity": "Medium", "fixedby": "1:14.15.4-2.module+el8.3.0+9635+ffdf8381" },
    { "featurename": "nodejs-full-i18n", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2021:3074", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.17.3). (BZ#1978203) Security Fix(es): * nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362) * nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290) * libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes (CVE-2021-22918) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "link": "https://access.redhat.com/errata/RHSA-2021:3074", "severity": "Medium", "fixedby": "1:14.17.3-2.module+el8.4.0+11738+3bd42762" },
    { "featurename": "nodejs", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2021:0551", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.15.4). Security Fix(es): * nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754) * nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774) * nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788) * nodejs: use-after-free in the TLS implementation (CVE-2020-8265) * c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277) * nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366) * nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * yarn install crashes with nodejs:14 on aarch64 (BZ#1916465)", "link": "https://access.redhat.com/errata/RHSA-2021:0551", "severity": "Medium", "fixedby": "1:14.15.4-2.module+el8.3.0+9635+ffdf8381" },
    { "featurename": "nodejs", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2022:0350", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "link": "https://access.redhat.com/errata/RHSA-2022:0350", "severity": "Medium", "fixedby": "1:14.18.2-2.module+el8.5.0+13644+8d46dafd" },
    { "featurename": "nodejs-docs", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2021:5171", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "link": "https://access.redhat.com/errata/RHSA-2021:5171", "severity": "Medium", "fixedby": "1:16.13.1-3.module+el8.5.0+13548+45d748af" },
    { "featurename": "nodejs-docs", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2021:3074", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.17.3). (BZ#1978203) Security Fix(es): * nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362) * nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290) * libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes (CVE-2021-22918) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "link": "https://access.redhat.com/errata/RHSA-2021:3074", "severity": "Medium", "fixedby": "1:14.17.3-2.module+el8.4.0+11738+3bd42762" },
    { "featurename": "nodejs-full-i18n", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2021:5171", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "link": "https://access.redhat.com/errata/RHSA-2021:5171", "severity": "Medium", "fixedby": "1:16.13.1-3.module+el8.5.0+13548+45d748af" },
    { "featurename": "npm", "featureversion": "1:6.14.14-1.12.22.5.1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2022:0350", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "link": "https://access.redhat.com/errata/RHSA-2022:0350", "severity": "Medium", "fixedby": "1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd" },
    { "featurename": "nodejs-docs", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2021:0551", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.15.4). Security Fix(es): * nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754) * nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774) * nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788) * nodejs: use-after-free in the TLS implementation (CVE-2020-8265) * c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277) * nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366) * nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * yarn install crashes with nodejs:14 on aarch64 (BZ#1916465)", "link": "https://access.redhat.com/errata/RHSA-2021:0551", "severity": "Medium", "fixedby": "1:14.15.4-2.module+el8.3.0+9635+ffdf8381" },
    { "featurename": "nodejs-docs", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7", "vulnerability": "RHSA-2022:0350", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "link": "https://access.redhat.com/errata/RHSA-2022:0350", "severity": "Medium", "fixedby": "1:14.18.2-2.module+el8.5.0+13644+8d46dafd" },
    { "featurename": "nodejs-nodemon", "featureversion": "2.0.3-1.module+el8.4.0+11732+c668cc9f", "vulnerability": "RHSA-2021:5171", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "link": "https://access.redhat.com/errata/RHSA-2021:5171", "severity": "Medium", "fixedby": "0:2.0.15-1.module+el8.5.0+13548+45d748af" },
    { "featurename": "nodejs-nodemon", "featureversion": "2.0.3-1.module+el8.4.0+11732+c668cc9f", "vulnerability": "RHSA-2022:0350", "namespace": "centos:8", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "link": "https://access.redhat.com/errata/RHSA-2022:0350", "severity": "Medium", "fixedby": "0:2.0.15-1.module+el8.5.0+13504+a2e74d91" }
  ]
}
```
clair found vulnerabilities

  2. For nodejs-12, the actual errata link is "https://access.redhat.com/errata/RHSA-2021:3623". Please note that the featureversion shown in the above report is actually the version which fixes the CVE for nodejs-12.

divya-basant Mar 03 '22 13:03
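The report in this issue pairs nodejs:12 module packages (featureversion 1:12.22.5-1.module+...) with fixedby versions from the nodejs:14 and nodejs:16 streams. Until the scanner accounts for the module stream, a practitioner can at least separate such cross-stream matches from same-stream ones when post-processing the JSON. The following Python is an added example, not clair-scanner's own code and not a fix for it. It assumes the stream an advisory targets can be recovered heuristically from the fixedby EVR (upstream major for the nodejs* packages; the node version embedded in npm's release) or, failing that, from the "nodejs (X.Y.Z)" / "nodejs:X" text in the advisory description, and it reads the installed stream from the nodejs featureversion in the report rather than from the image's RPM database (`rpm -q --qf '%{MODULARITYLABEL}' nodejs` inside the image is the authoritative source). The sample report is constructed: three entries trimmed from the issue's output plus one made-up same-stream entry with a placeholder advisory id.

```python
"""Triage clair-scanner JSON for RHEL 8 nodejs module-stream mismatches.

Added example, not clair-scanner code. The stream inference below is a heuristic
(assumption): nodejs* packages carry the stream as the upstream major version,
npm carries the bundled node version in its release tag, and other packages in
the module (e.g. nodejs-nodemon) only reveal it through the advisory text.
"""
import json
import re

EVR_RE = re.compile(r"^(?:(\d+):)?([^-]+)-(.+)$")
# Matches "nodejs:14/nodejs", "nodejs:14 on aarch64", "nodejs (14.16.0)";
# does not match "nodejs-nodemon (2.0.15)" or "nodejs: Use-after-free".
DESC_STREAM_RE = re.compile(r"nodejs(?::| \()(\d+)[./ )]")
NODE_CORE = {"nodejs", "nodejs-docs", "nodejs-full-i18n", "nodejs-devel", "nodejs-libs"}


def parse_evr(evr):
    """Split an RPM EVR string into (epoch, version, release); a missing epoch is 0."""
    m = EVR_RE.match(evr)
    if not m:
        raise ValueError(f"not an RPM EVR: {evr!r}")
    return int(m.group(1) or 0), m.group(2), m.group(3)


def is_modular(evr):
    """RHEL 8 module builds carry '.module+<platform>+<build>+<hash>' in the release."""
    return ".module+" in evr


def node_stream_from_evr(featurename, evr):
    """nodejs stream encoded in a build's EVR, or None when the EVR does not carry it."""
    _, version, release = parse_evr(evr)
    if featurename in NODE_CORE:
        return version.split(".")[0]          # 1:14.17.5-1.module+... -> "14"
    if featurename == "npm":
        # npm release embeds the bundled node version: 1.<major>.<minor>.<patch>.<n>.module+...
        m = re.match(r"^\d+\.(\d+)\.\d+\.\d+\.", release)
        return m.group(1) if m else None
    return None                               # e.g. nodejs-nodemon: 0:2.0.15-1.module+...


def advisory_stream(entry):
    """Stream the advisory's fix belongs to: from the fixedby EVR, else from the description."""
    stream = node_stream_from_evr(entry["featurename"], entry["fixedby"])
    if stream is None:
        m = DESC_STREAM_RE.search(entry.get("description", ""))
        stream = m.group(1) if m else None
    return stream


def installed_stream(report):
    """Installed nodejs stream, taken from the nodejs package the scanner found in the image."""
    for e in report["vulnerabilities"]:
        if e["featurename"] == "nodejs" and is_modular(e["featureversion"]):
            return node_stream_from_evr("nodejs", e["featureversion"])
    return None


def triage(report_json):
    """Bucket (featurename, advisory, advisory_stream) triples by whether the advisory's
    fix lives in the installed stream. Cross-stream hits are the ones to check against
    the errata for the installed stream before treating them as open findings."""
    report = json.loads(report_json)
    have = installed_stream(report)
    out = {"installed_stream": have, "same_stream": [], "cross_stream": [], "undetermined": []}
    for e in report["vulnerabilities"]:
        want = advisory_stream(e) if is_modular(e["fixedby"]) else None
        key = (e["featurename"], e["vulnerability"], want)
        if have is None or want is None:
            out["undetermined"].append(key)
        elif want == have:
            out["same_stream"].append(key)
        else:
            out["cross_stream"].append(key)
    return out


# Constructed sample: three findings trimmed from the report in the issue (descriptions
# shortened) plus one made-up same-stream finding with a placeholder advisory id.
SAMPLE_REPORT = json.dumps({
    "image": "example/test:constructed",
    "vulnerabilities": [
        {"featurename": "nodejs", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
         "vulnerability": "RHSA-2021:3666", "namespace": "centos:8",
         "description": "Bug Fix(es): * nodejs:14/nodejs: Make FIPS options always available",
         "fixedby": "1:14.17.5-1.module+el8.4.0+12247+e2879e58"},
        {"featurename": "npm", "featureversion": "1:6.14.14-1.12.22.5.1.module+el8.4.0+12242+af52a4c7",
         "vulnerability": "RHSA-2021:5171", "namespace": "centos:8",
         "description": "upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15).",
         "fixedby": "1:8.1.2-1.16.13.1.3.module+el8.5.0+13548+45d748af"},
        {"featurename": "nodejs-nodemon", "featureversion": "2.0.3-1.module+el8.4.0+11732+c668cc9f",
         "vulnerability": "RHSA-2022:0350", "namespace": "centos:8",
         "description": "upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15).",
         "fixedby": "0:2.0.15-1.module+el8.5.0+13504+a2e74d91"},
        {"featurename": "nodejs", "featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
         "vulnerability": "CONSTRUCTED-0001",  # placeholder id, not a real advisory
         "namespace": "centos:8", "description": "constructed: nodejs (12.22.12)",
         "fixedby": "1:12.22.12-1.module+el8.6.0+00000+00000000"},
    ],
})

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

On the sample, the three entries taken from the issue land in `cross_stream` (advisory streams 14, 16 and 14 against an installed stream of 12) and only the constructed entry lands in `same_stream`. A cross-stream entry is not automatically a false positive: the same CVEs may have their own advisory for the installed stream (the issue names RHSA-2021:3623 for nodejs-12), so the remaining check is whether the installed version is at or above that stream's fixed version, which this script does not have the data to decide.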