From ac33e1891d0a82966bea4a3901c3669f0fa28240 Mon Sep 17 00:00:00 2001
From: Vladimir de Turckheim
Date: Mon, 26 Sep 2022 10:27:43 +0200
Subject: [PATCH] doc: add vulnerabilities (and updates) for September 2022 security releases (#835)

---
 vuln/core/100.json | 7 +++++++
 vuln/core/101.json | 7 +++++++
 vuln/core/94.json | 4 ++--
 vuln/core/96.json | 4 ++--
 vuln/core/97.json | 4 ++--
 vuln/core/99.json | 4 ++--
 6 files changed, 22 insertions(+), 8 deletions(-)
 create mode 100644 vuln/core/100.json
 create mode 100644 vuln/core/101.json

diff --git a/vuln/core/100.json b/vuln/core/100.json
new file mode 100644
index 00000000..28ea60af
--- /dev/null
+++ b/vuln/core/100.json
@@ -0,0 +1,7 @@
+{
+ "cve": ["CVE-2022-35256"],
+ "vulnerable": "14.x || 16.x || 18.x",
+ "patched": "14.20.1 || 16.17.1 || 18.9.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/",
+ "overview": "The llhttp parser in the http module in Node.js v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling."
+}
diff --git a/vuln/core/101.json b/vuln/core/101.json
new file mode 100644
index 00000000..c0cdd6a0
--- /dev/null
+++ b/vuln/core/101.json
@@ -0,0 +1,7 @@
+{
+ "cve": ["CVE-2022-35255"],
+ "vulnerable": "18.x",
+ "patched": "18.9.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/",
+ "overview": "Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. However, it does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail."
+}
diff --git a/vuln/core/94.json b/vuln/core/94.json
index cc08f54e..23f430d3
--- a/vuln/core/94.json
+++ b/vuln/core/94.json
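Review bot: The `overview` on the last added line of 100.json pins the bug to "Node.js v18.7.0", which contradicts the `vulnerable` range three lines above it that lists 14.x, 16.x and 18.x, and "CLRF" is a typo for CRLF; anyone reading the summary in a scanner would conclude only 18.7.0 is affected. Suggest `"overview": "The llhttp parser in the http module in Node.js does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling (HRS)."`, which also matches the wording used by 94.json and 97.json in this commit. Separately, `14.x || 16.x || 18.x` does not match odd-numbered lines such as 17.x, so a consumer evaluating this range with semver will report an unpatched 17.x as not vulnerable; if only supported lines are tracked by convention that is fine, otherwise a bounded range such as `>=14.0.0 <14.20.1 || >=16.0.0 <16.17.1 || >=18.0.0 <18.9.1` avoids the false negative.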
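Review bot: The `overview` on the last added line of 101.json describes the missing return-value check but never states the security consequence, which is what a consumer of this database needs to triage; as written it reads like a code-review remark rather than an advisory summary. Presumably the impact is that key generation proceeds with insufficient random bytes and yields weak keys — the advisory title at `ref` should confirm — in which case append `If EntropySource() fails, key generation continues with insufficient randomness and can produce weak keys.` to the overview. Naming the user-facing API (the advisory, as far as I recall, files this under WebCrypto key generation, but verify against `ref`) would also help, since `SecretKeyGenTraits::DoKeyGen` alone is opaque to users deciding whether they are exposed.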
@@ -1,7 +1,7 @@
 {
 "cve": ["CVE-2022-32215"],
 "vulnerable": "14.x || 16.x || 18.x",
- "patched": "14.20.0 || 16.20.0 || 18.5.0",
- "ref": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/",
+ "patched": "14.20.1 || 16.17.1 || 18.9.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/",
 "overview": "The llhttp parser in the http module in Node does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS)."
 }
diff --git a/vuln/core/96.json b/vuln/core/96.json
index 0d49e75c..12783232
--- a/vuln/core/96.json
+++ b/vuln/core/96.json
@@ -1,7 +1,7 @@
 {
 "cve": ["CVE-2022-32212"],
 "vulnerable": "14.x || 16.x || 18.x",
- "patched": "14.20.0 || 16.20.0 || 18.5.0",
- "ref": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/",
+ "patched": "14.20.1 || 16.17.1 || 18.9.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/",
 "overview": "The IsAllowedHost check in https://github.com/nodejs/node/blob/fdf0a84e826d3a9ec0ce6f5a3f5adc967fe99408/src/inspector_socket.cc#L580 can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid or not. When an invalid IPv4 address is provided (for instance 10.0.2.555 is provided), the browser will make a DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server to perform a rebinding attack and hence access the JSON file containing the WebSocket file.\n The fix we introduced in https://hackerone.com/reports/1069487 was not complete."
 }
diff --git a/vuln/core/97.json b/vuln/core/97.json
index 8b1547be..9ca060cd
--- a/vuln/core/97.json
+++ b/vuln/core/97.json
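Review bot: Replacing `ref` in 94.json drops the only pointer to the July 2022 advisory where CVE-2022-32215 was first disclosed, so a reader following the entry can no longer see that the July releases shipped an incomplete fix or why versions that were previously listed as patched are now treated as vulnerable. Since `ref` is a single string, the cheapest fix is a sentence in `overview`, e.g. `The fix shipped in the July 2022 security releases was incomplete; the issue was fully addressed in 14.20.1, 16.17.1 and 18.9.1.` Note also that the removed `patched` line listed `16.20.0`, which is above the `16.17.1` this commit now records as the fix — the old value cannot have been a real July 16.x release, so consumers that cached the previous entry were given a wrong patch level; that is worth a sentence in the commit description.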
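Review bot: The `overview` context line of 96.json still ends with `The fix we introduced in https://hackerone.com/reports/1069487 was not complete.`, first-person text lifted from the report, and after this hunk it is doubly stale: the entry now implies the July fix (the removed 14.20.0/18.5.0 patch levels) was itself incomplete, yet the summary only mentions the earlier HackerOne fix. Suggest rewriting that trailing sentence in database voice, e.g. `Earlier fixes (hackerone.com/reports/1069487 and the July 2022 security releases) were incomplete; fully fixed in 14.20.1, 16.17.1 and 18.9.1.` The phrase `access the JSON file containing the WebSocket file` also looks garbled — presumably the inspector's JSON endpoint containing the WebSocket URL, please confirm — and the literal `\n ` inside the string makes the summary render with an embedded newline in any UI that displays it, so one plain sentence is safer.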
@@ -1,7 +1,7 @@
 {
 "cve": ["CVE-2022-32213"],
 "vulnerable": "14.x || 16.x || 18.x",
- "patched": "14.20.0 || 16.20.0 || 18.5.0",
- "ref": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/",
+ "patched": "14.20.1 || 16.17.1 || 18.9.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/",
 "overview": "The llhttp parser in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS)."
 }
diff --git a/vuln/core/99.json b/vuln/core/99.json
index 014a93d1..732835f4
--- a/vuln/core/99.json
+++ b/vuln/core/99.json
@@ -1,7 +1,7 @@
 {
 "cve": ["CVE-2022-32222"],
 "vulnerable": "14.x || 16.x || 18.x",
- "patched": "14.20.0 || 16.20.0 || 18.5.0",
- "ref": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/",
+ "patched": "14.20.0 || 16.20.0 || 18.9.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/",
 "overview": "On linux, versions of 18.x prior to Y used a default path for openssl.cnf that was within a path that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3."
 }
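Review bot: The new `patched` line in 99.json, `"14.20.0 || 16.20.0 || 18.9.1"`, is inconsistent with the rest of this commit (every other entry moves 16.x to 16.17.1, and 16.20.0 is above that) and with the `overview` context line, which says only `versions of 18.x prior to Y` are affected, while `vulnerable` still lists 14.x and 16.x and the `Y` placeholder was never filled in. If the openssl.cnf path issue is 18.x-only, as the overview states and the "upgrade to OpenSSL 3" wording suggests, the entry should read `"vulnerable": "18.x"`, `"patched": "18.9.1"`, and the overview `...versions of 18.x prior to 18.9.1 used...`; if 14.x and 16.x really are affected, the overview is the wrong line and those two lines need real September patch levels rather than the July ones. Either way, shipping `Y` in a published entry means scanners show users a placeholder instead of a version. The September advisory at `ref` should settle which release lines are in scope.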