From 426737f4dc12860c088a6e4d896ec27002a92b0e Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Wed, 25 Jan 2023 11:28:19 -0300 Subject: [PATCH 1/2] vuln: normalize all core database --- processes/vuln_db.md | 2 +- vuln/core/100.json | 2 +- vuln/core/101.json | 2 +- vuln/core/102.json | 2 +- vuln/core/38.json | 3 ++- vuln/core/39.json | 2 +- vuln/core/44.json | 2 +- vuln/core/45.json | 2 +- vuln/core/46.json | 2 +- vuln/core/47.json | 2 +- vuln/core/48.json | 2 +- vuln/core/49.json | 2 +- vuln/core/50.json | 2 +- vuln/core/51.json | 2 +- vuln/core/52.json | 2 +- vuln/core/53.json | 2 +- vuln/core/55.json | 2 +- vuln/core/56.json | 2 +- vuln/core/57.json | 2 +- vuln/core/58.json | 2 +- vuln/core/59.json | 2 +- vuln/core/60.json | 4 ++-- vuln/core/61.json | 4 ++-- vuln/core/62.json | 2 +- vuln/core/69.json | 2 +- vuln/core/70.json | 4 ++-- vuln/core/71.json | 4 ++-- vuln/core/72.json | 4 ++-- vuln/core/73.json | 2 +- vuln/core/74.json | 2 +- vuln/core/75.json | 2 +- vuln/core/76.json | 2 +- vuln/core/77.json | 2 +- vuln/core/78.json | 2 +- vuln/core/79.json | 2 +- vuln/core/93.json | 2 +- vuln/core/94.json | 2 +- vuln/core/95.json | 2 +- vuln/core/96.json | 2 +- vuln/core/97.json | 2 +- vuln/core/98.json | 2 +- vuln/core/99.json | 2 +- 42 files changed, 48 insertions(+), 47 deletions(-) diff --git a/processes/vuln_db.md b/processes/vuln_db.md index 3908bf7f..f791bbb1 100644 --- a/processes/vuln_db.md +++ b/processes/vuln_db.md 
@@ -58,7 +58,7 @@ Detailed information on the [database references](https://github.com/nodejs/secu The Security WG employs a static code analysis tool that runs in CI for all pull requests to validate the correct structure when new vulnerabilities are introduced. -You may make use of the same tool which is available [here](https://github.com/nodejs/security-wg/blob/master/tools/vuln_valid/index.js) either in your own tooling setup or from this repository by running `npm test`. +You may make use of the same tool which is available [here](https://github.com/nodejs/security-wg/blob/main/tools/vuln_valid/index.js) either in your own tooling setup or from this repository by running `npm test`. ### Database structure changes diff --git a/vuln/core/100.json b/vuln/core/100.json index 28ea60af..0ba72632 100644 --- a/vuln/core/100.json +++ b/vuln/core/100.json @@ -1,7 +1,7 @@ { "cve": ["CVE-2022-35256"], "vulnerable": "14.x || 16.x || 18.x", - "patched": "14.20.1 || 16.17.1 || 18.9.1", + "patched": "^14.20.1 || ^16.17.1 || ^18.9.1", "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/", "overview": "The llhttp parser in the http module in Node.js v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling." } diff --git a/vuln/core/101.json b/vuln/core/101.json index c0cdd6a0..8a6871de 100644 --- a/vuln/core/101.json +++ b/vuln/core/101.json @@ -1,7 +1,7 @@ { "cve": ["CVE-2022-35255"], "vulnerable": "18.x", - "patched": "18.9.1", + "patched": "^18.9.1", "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/", "overview": "Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. However, it does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail." } diff --git a/vuln/core/102.json b/vuln/core/102.json index 47d87922..6290c489 100644 
--- a/vuln/core/102.json +++ b/vuln/core/102.json @@ -1,7 +1,7 @@ { "cve": ["CVE-2022-43548"], "vulnerable": "14.x || 16.x || 18.x || 19.x", - "patched": "14.21.1 || 16.18.1 || 18.12.1 || 19.0.1", + "patched": "^14.21.1 || ^16.18.1 || ^18.12.1 || ^19.0.1", "ref": "https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/", "overview": "The Node.js rebinding protector for --inspect still allows invalid IP address, specifically, the octal format." } diff --git a/vuln/core/38.json b/vuln/core/38.json index bfb3f5e2..4ea1236d 100644 --- a/vuln/core/38.json +++ b/vuln/core/38.json @@ -1,6 +1,7 @@ { "cve": [], - "vulnerable": "4.7.1 || 6.9.3", + "vulnerable": "4.x || 6.x", + "patched": "^4.7.2 || ^6.9.4", "description": "no shasum exists to verify downloads", "overview": "While promoting additional platforms for v4.7.1 and v6.9.3 after the release,\nthe tarballs on the release server were overwritten and now have different\nshasums.\n\n" } diff --git a/vuln/core/39.json b/vuln/core/39.json index f786f093..96c54d53 100644 --- a/vuln/core/39.json +++ b/vuln/core/39.json @@ -1,6 +1,6 @@ { "cve": [], - "vulnerable": "^4.1.0", + "vulnerable": "4.x", "patched": "^4.1.1", "description": "data leakage via reuse of memory space in TypedArrays", "ref": "https://github.com/nodejs/node/pull/2931", diff --git a/vuln/core/44.json b/vuln/core/44.json index 719811a5..9c3dfd65 100644 --- a/vuln/core/44.json +++ b/vuln/core/44.json 
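Review bot: The widened `"vulnerable": "4.x || 6.x"` in 38.json marks every 4.x and 6.x release as affected, while the entry's own overview says only the v4.7.1 and v6.9.3 tarballs were overwritten after promotion, so the new `patched: "^4.7.2 || ^6.9.4"` now implies that 4.0.0–4.7.0 and 6.0.0–6.9.2 downloads are also suspect. If the validator requires the major-line form, keep the precision in prose by extending the overview with `Only the v4.7.1 and v6.9.3 downloads are affected; the version ranges are widened to fit the database format.`; otherwise the removed `"4.7.1 || 6.9.3"` together with the new `patched` line is the more accurate record. Which of the two the schema accepts is not visible in this diff.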
@@ -2,7 +2,7 @@ "cve": [ "CVE-2017-15896" ], - "vulnerable": "^4.0.0 || ^6.0.0 || ^8.0.0 || ^9.0.0", + "vulnerable": "4.x || 6.x || 8.x || 9.x", "patched": "^4.8.7 || ^6.12.2 || ^8.9.3 || ^9.2.1" , "ref": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/", "overview": "Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption." diff --git a/vuln/core/45.json b/vuln/core/45.json index 1821edbd..00d0cbfe 100644 --- a/vuln/core/45.json +++ b/vuln/core/45.json @@ -2,7 +2,7 @@ "cve": [ "CVE-2017-15897" ], - "vulnerable": "^8.0.0 || ^9.0.0", + "vulnerable": "8.x || 9.x", "patched": "^8.9.3 || ^9.2.1" , "ref": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/", "overview": "Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, \"This is not correctly encoded\", \"hex\");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases." diff --git a/vuln/core/46.json b/vuln/core/46.json index 701c4c36..cac14caf 100644 --- a/vuln/core/46.json +++ b/vuln/core/46.json 
@@ -2,7 +2,7 @@ "cve": [ "CVE-2018-7158" ], - "vulnerable": "^4.0.0", + "vulnerable": "4.x", "patched": "^4.9.0", "ref": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/", "overview": "The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service." diff --git a/vuln/core/47.json b/vuln/core/47.json index 72d9a9c6..ef14d206 100644 --- a/vuln/core/47.json +++ b/vuln/core/47.json 
@@ -2,7 +2,7 @@ "cve": [ "CVE-2018-7159" ], - "vulnerable": "^4.0.0 || ^6.0.0 || ^8.0.0 || ^9.0.0", + "vulnerable": "4.x || 6.x || 8.x || 9.x", "patched": "^4.9.0 || ^6.14.0 || ^8.11.0 || ^9.10.0", "ref": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/", "overview": "The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete." diff --git a/vuln/core/48.json b/vuln/core/48.json index 2019f6c0..5d85a773 100644 --- a/vuln/core/48.json +++ b/vuln/core/48.json 
@@ -2,7 +2,7 @@ "cve": [ "CVE-2018-7160" ], - "vulnerable": "^6.0.0 || ^8.0.0 || ^9.0.0", + "vulnerable": "6.x || 8.x || 9.x", "patched": "^6.14.0 || ^8.11.0 || ^9.10.0", "ref": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/", "overview": "The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access." diff --git a/vuln/core/49.json b/vuln/core/49.json index 01588129..5d1c3fe6 100644 --- a/vuln/core/49.json +++ b/vuln/core/49.json @@ -2,7 +2,7 @@ "cve": [ "CVE-2018-7161" ], - "vulnerable": "^8.0.0 || ^9.0.0 || ^10.0.0", + "vulnerable": "8.x || 9.x || 10.x", "patched": "^8.11.3 || ^9.11.2 || ^10.4.1" , "ref": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/", "overview": "All versions of 8.x and later are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug where objects are used in native code after they are no longer available. This has been addressed by updating the http2 implementation. Thanks to Jordan Zebor at F5 Networks for reporting this issue." diff --git a/vuln/core/50.json b/vuln/core/50.json index 9f61e63c..29a04a5d 100644 --- a/vuln/core/50.json +++ b/vuln/core/50.json 
@@ -2,7 +2,7 @@ "cve": [ "CVE-2018-7162" ], - "vulnerable": "^9.0.0 || ^10.0.0", + "vulnerable": "9.x || 10.x", "patched": "^9.11.2 || ^10.4.1" , "ref": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/", "overview": "All versions of 9.x and later are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshake. This vulnerability has been addressed by updating the TLS implementation. Thanks to Jordan Zebor at F5 Networks all of his help investigating this issue with the Node.js team." diff --git a/vuln/core/51.json b/vuln/core/51.json index bb10610f..80f61fb1 100644 --- a/vuln/core/51.json +++ b/vuln/core/51.json @@ -2,7 +2,7 @@ "cve": [ "CVE-2018-7164" ], - "vulnerable": "^9.7.x || ^10.0.0", + "vulnerable": "9.7.x || 10.x", "patched": "^9.11.2 || ^10.4.1" , "ref": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/", "overview": "Versions 9.7.0 and later are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession. This vulnerability was restored by reverting to the prior behaviour." diff --git a/vuln/core/52.json b/vuln/core/52.json index cc68b191..2c300664 100644 --- a/vuln/core/52.json +++ b/vuln/core/52.json @@ -2,7 +2,7 @@ "cve": [ "CVE-2018-7167" ], - "vulnerable": "^6.0.0 || ^8.0.0 || ^9.0.0", + "vulnerable": "6.x || 8.x || 9.x", "patched": "^6.14.3 || ^8.11.3 || ^9.11.2" , "ref": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/", "overview": "Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service." 
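Review bot: `9.7.x` in 51.json narrows the vulnerable range to >=9.7.0 <9.8.0, but the overview says versions 9.7.0 and later are affected and the unchanged `patched` line only clears `^9.11.2`, so 9.8.0 through 9.11.1 stop being flagged by this commit. The removed `^9.7.x` covered the whole 9.x line up to 10.0.0. If the database convention is major lines only, `"vulnerable": "9.x || 10.x",` keeps every affected release in range (over-reporting 9.0–9.6 the same way the other normalized entries do); otherwise `"vulnerable": ">=9.7.0 <10.0.0 || 10.x",` is exact.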
diff --git a/vuln/core/53.json b/vuln/core/53.json index 6a031c8b..e257fe57 100644 --- a/vuln/core/53.json +++ b/vuln/core/53.json @@ -2,7 +2,7 @@ "cve": [ "CVE-2018-7166" ], - "vulnerable": "10", + "vulnerable": "10.x", "patched": ">= 10.9.0", "publish_date": "2018-08-16", "author": "Сковорода Никита Андреевич (Nikita Skovoroda / @ChALkeR)", diff --git a/vuln/core/55.json b/vuln/core/55.json index eaf878ca..837bcbf7 100644 --- a/vuln/core/55.json +++ b/vuln/core/55.json @@ -2,7 +2,7 @@ "cve": [ "CVE-2018-12116" ], - "vulnerable": "6 || 8", + "vulnerable": "6.x || 8.x", "patched": "^6.15.0 || ^8.14.0", "publish_date": "2018-11-27", "author": "Matteo Collina", diff --git a/vuln/core/56.json b/vuln/core/56.json index ba815421..78a53e99 100644 --- a/vuln/core/56.json +++ b/vuln/core/56.json @@ -2,7 +2,7 @@ "cve": [ "CVE-2018-12120" ], - "vulnerable": "6", + "vulnerable": "6.x || 8.x", "patched": "^6.15.0 || ^8.14.0", "publish_date": "2018-11-27", "author": "Ben Noordhuis", diff --git a/vuln/core/57.json b/vuln/core/57.json index 0ca22682..4eac0f66 100644 --- a/vuln/core/57.json +++ b/vuln/core/57.json @@ -2,7 +2,7 @@ "cve": [ "CVE-2018-12121" ], - "vulnerable": "6 || 8 || 10 || 11", + "vulnerable": "6.x || 8.x || 10.x || 11.x", "patched": "^6.15.0 || ^8.14.0 || ^10.14.0 || ^11.3.0", "publish_date": "2018-11-27", "author": "Matteo Collina", diff --git a/vuln/core/58.json b/vuln/core/58.json index ad2d52c5..8fb10ae3 100644 --- a/vuln/core/58.json +++ b/vuln/core/58.json @@ -2,7 +2,7 @@ "cve": [ "CVE-2018-12122" ], - "vulnerable": "6 || 8 || 10 || 11", + "vulnerable": "6.x || 8.x || 10.x || 11.x", "patched": "^6.15.0 || ^8.14.0 || ^10.14.0 || ^11.3.0", "publish_date": "2018-11-27", "author": "Matteo Collina", diff --git a/vuln/core/59.json b/vuln/core/59.json index c16e57c3..156e9cca 100644 --- a/vuln/core/59.json +++ b/vuln/core/59.json 
@@ -2,7 +2,7 @@ "cve": [ "CVE-2018-12123" ], - "vulnerable": "6 || 8 || 10 || 11", + "vulnerable": "6.x || 8.x || 10.x || 11.x", "patched": "^6.15.0 || ^8.14.0 || ^10.14.0 || ^11.3.0", "publish_date": "2018-11-27", "author": "Matteo Collina", diff --git a/vuln/core/60.json b/vuln/core/60.json index 6e866767..b0460b29 100644 --- a/vuln/core/60.json +++ b/vuln/core/60.json @@ -2,7 +2,7 @@ "cve": [ "CVE-2019-5737" ], - "vulnerable": "6 || 8 || 10 || 11", + "vulnerable": "6.x || 8.x || 10.x || 11.x", "patched": "^6.17.0 || ^8.15.1 || ^10.15.2 || ^11.10.1", "publish_date": "2019-02-28", "author": "Matteo Collina", @@ -10,4 +10,4 @@ "ref": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/", "type": "CWE-400: Uncontrolled Resource Consumption / Denial of Service", "overview": "An attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly thereby keeping the connection and associated resources alive for a long period of time. Attack potential is mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active release lines including 6, 8, 10 and 11." -} \ No newline at end of file +} diff --git a/vuln/core/61.json b/vuln/core/61.json index 3b06ea25..3caa4045 100644 --- a/vuln/core/61.json +++ b/vuln/core/61.json @@ -2,7 +2,7 @@ "cve": [ "CVE-2019-5739" ], - "vulnerable": "6", + "vulnerable": "6.x", "patched": "^6.17.0", "publish_date": "2019-02-28", "author": "Matteo Collina", 
@@ -10,4 +10,4 @@ "ref": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/", "type": "CWE-400: Uncontrolled Resource Consumption / Denial of Service", "overview": "Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default." -} \ No newline at end of file +} diff --git a/vuln/core/62.json b/vuln/core/62.json index 01667252..39f9f3e2 100644 --- a/vuln/core/62.json +++ b/vuln/core/62.json @@ -9,7 +9,7 @@ "CVE-2019-9517", "CVE-2019-9518" ], - "vulnerable": "8 || 10 || 12", + "vulnerable": "8.x || 10.x || 12.x", "patched": "^8.16.1 || ^10.16.3 || ^12.8.1", "publish_date": "2019-08-15", "author": "Sam Roberts", diff --git a/vuln/core/69.json b/vuln/core/69.json index 5269ae41..ef7d6059 100644 --- a/vuln/core/69.json +++ b/vuln/core/69.json @@ -1,6 +1,6 @@ { "cve": ["CVE-2020-8277"], - "vulnerable": " 12.6.3 || 14.13.0 || 15.x", + "vulnerable": " 12.x || 14.x || 15.x", "patched": " ^12.19.1 || ^14.15.1 || 15.2.1", "ref": "https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/", "overview": "Denial of Service through DNS request" diff --git a/vuln/core/70.json b/vuln/core/70.json index 8250ffd1..b0eb8ba7 100644 --- a/vuln/core/70.json +++ b/vuln/core/70.json 
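Review bot: The new `"vulnerable": " 12.x || 14.x || 15.x"` in 69.json still carries its leading space, and the untouched `patched` context line keeps both the leading space and an uncarted `15.2.1`, so this entry stays unnormalized while 70, 71 and 72 in the same commit strip the whitespace and add the carets. Suggested lines: `"vulnerable": "12.x || 14.x || 15.x",` and `"patched": "^12.19.1 || ^14.15.1 || ^15.2.1",`. The range parser in node-semver generally trims surrounding whitespace, so this is a consistency point rather than a parse failure, but the bare `15.2.1` matches only that single release whereas every sibling uses a caret range.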
@@ -1,7 +1,7 @@ { "cve": ["CVE-2020-8265"], - "vulnerable": " 10.x || 12.x || 14.x || 15.x", - "patched": " ^10.23.1 || ^12.20.1 || 14.15.4, || 15.5.1", + "vulnerable": "10.x || 12.x || 14.x || 15.x", + "patched": "^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.1", "ref": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/", "overview": "use-after-free in TLSWrap - affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits." } diff --git a/vuln/core/71.json b/vuln/core/71.json index 37a3d552..2016279a 100644 --- a/vuln/core/71.json +++ b/vuln/core/71.json @@ -1,7 +1,7 @@ { "cve": ["CVE-2020-8287"], - "vulnerable": " 10.x || 12.x || 14.x || 15.x", - "patched": " ^10.23.1 || ^12.20.1 || 14.15.4, || 15.5.1", + "vulnerable": "10.x || 12.x || 14.x || 15.x", + "patched": "^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.1", "ref": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/", "overview": "HTTP Request Smuggling in nodejs - Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html)" } diff --git a/vuln/core/72.json b/vuln/core/72.json index 0f848ba9..3623440d 100644 --- a/vuln/core/72.json +++ b/vuln/core/72.json 
@@ -1,7 +1,7 @@ { "cve": ["CVE-2020-1971"], - "vulnerable": " 10.x || 12.x || 14.x || 15.x", - "patched": " ^10.23.1 || ^12.20.1 || 14.15.4, || 15.5.0", + "vulnerable": "10.x || 12.x || 14.x || 15.x", + "patched": "^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.0", "ref": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/", "overview": "OpenSSL - EDIPARTYNAME NULL pointer de-reference - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt" } diff --git a/vuln/core/73.json b/vuln/core/73.json index 18dff1e3..b303e88a 100644 --- a/vuln/core/73.json +++ b/vuln/core/73.json @@ -1,7 +1,7 @@ { "cve": ["CVE-2021-22883"], "vulnerable": " 10.x || 12.x || 14.x || 15.x", - "patched": " ^10.24.0 || ^12.21.0 || 14.16.0, || 15.10.0", + "patched": " ^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0", "ref": "https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/", "overview": "HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion - Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory." } diff --git a/vuln/core/74.json b/vuln/core/74.json index 3a8eafa7..b2fa986b 100644 --- a/vuln/core/74.json +++ b/vuln/core/74.json 
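Review bot: In 73.json the rewritten `patched` value keeps its leading space (`" ^10.24.0 || …"`) and the context `vulnerable` line keeps `" 10.x || …"`, whereas 70, 71 and 72 in this same commit drop that whitespace from both fields; the same applies to 74, 75, 76, 77, 78 and 79. After a commit titled "normalize", both forms will still coexist in the database. Suggested for 73.json: `"vulnerable": "10.x || 12.x || 14.x || 15.x",` and `"patched": "^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0",`. Whether the semver extension used by the validator in the second patch rejects the whitespace is not visible here; node-semver's own range parser generally tolerates it.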
@@ -1,7 +1,7 @@ { "cve": ["CVE-2021-22884"], "vulnerable": " 10.x || 12.x || 14.x || 15.x", - "patched": " ^10.24.0 || ^12.21.0 || 14.16.0, || 15.10.0", + "patched": " ^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0", "ref": "https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/", "overview": "DNS rebinding in --inspect - Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160." } diff --git a/vuln/core/75.json b/vuln/core/75.json index 3e41aec8..8cad6aaf 100644 --- a/vuln/core/75.json +++ b/vuln/core/75.json @@ -1,7 +1,7 @@ { "cve": ["CVE-2021-23840"], "vulnerable": " 10.x || 12.x || 14.x || 15.x", - "patched": " ^10.24.0 || ^12.21.0 || 14.16.0, || 15.10.0", + "patched": " ^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0", "ref": "https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/", "overview": "OpenSSL - Integer overflow in CipherUpdate - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt" } diff --git a/vuln/core/76.json b/vuln/core/76.json index e4960419..096f7cb8 100644 --- a/vuln/core/76.json +++ b/vuln/core/76.json 
@@ -1,7 +1,7 @@ { "cve": ["CVE-2021-3450"], "vulnerable": " 10.x || 12.x || 14.x || 15.x", - "patched": " ^10.24.1 || ^12.22.1 || 14.16.1, || 15.14.0", + "patched": " ^10.24.1 || ^12.22.1 || ^14.16.1 || ^15.14.0", "ref": "https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/", "overview": "This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt" } diff --git a/vuln/core/77.json b/vuln/core/77.json index 8d6c0dcc..c353be37 100644 --- a/vuln/core/77.json +++ b/vuln/core/77.json @@ -1,7 +1,7 @@ { "cve": ["CVE-2021-3449"], "vulnerable": " 10.x || 12.x || 14.x || 15.x", - "patched": " ^10.24.1 || ^12.22.1 || 14.16.1, || 15.14.0", + "patched": " ^10.24.1 || ^12.22.1 || ^14.16.1 || ^15.14.0", "ref": "https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/", "overview": "This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt" } diff --git a/vuln/core/78.json b/vuln/core/78.json index af8d057c..3e0d1bfb 100644 --- a/vuln/core/78.json +++ b/vuln/core/78.json @@ -1,7 +1,7 @@ { "cve": ["CVE-2020-7774"], "vulnerable": " 10.x || 12.x || 14.x", - "patched": " ^10.24.1 || ^12.22.1 || 14.16.1", + "patched": " ^10.24.1 || ^12.22.1 || ^14.16.1", "ref": "https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/", "overview": "This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh" } diff --git a/vuln/core/79.json b/vuln/core/79.json index 3a1a8167..14d14ad3 100644 --- a/vuln/core/79.json +++ b/vuln/core/79.json 
@@ -1,7 +1,7 @@ { "cve": ["CVE-2021-22930"], "vulnerable": " 12.x || 14.x || 16.x", - "patched": " ^12.22.4 || ^14.17.4 || 16.6.0", + "patched": " ^12.22.4 || ^14.17.4 || ^16.6.0", "ref": "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/", "overview": "Node.js before is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930" } diff --git a/vuln/core/93.json b/vuln/core/93.json index 23dee8b8..2a855ac0 100644 --- a/vuln/core/93.json +++ b/vuln/core/93.json @@ -1,7 +1,7 @@ { "cve": ["CVE-2022-0778"], "vulnerable": "12.x || 14.x || 16.x || 17.x", - "patched": "12.22.11 || 14.19.1 || 16.14.2 || 17.7.2", + "patched": "^12.22.11 || ^14.19.1 || ^16.14.2 || ^17.7.2", "ref": "https://nodejs.org/en/blog/vulnerability/mar-2022-security-releases/", "overview": "This is a vulnerability in OpenSSL: Infinite loop in BN_mod_sqrt() reachable when parsing certificates. More details are available at https://www.openssl.org/news/secadv/20220315.txt." } diff --git a/vuln/core/94.json b/vuln/core/94.json index 23f430d3..a1647d3a 100644 --- a/vuln/core/94.json +++ b/vuln/core/94.json @@ -1,7 +1,7 @@ { "cve": ["CVE-2022-32215"], "vulnerable": "14.x || 16.x || 18.x", - "patched": "14.20.1 || 16.17.1 || 18.9.1", + "patched": "^14.20.1 || ^16.17.1 || ^18.9.1", "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/", "overview": "The llhttp parser in the http module in Node does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS)." } diff --git a/vuln/core/95.json b/vuln/core/95.json index d49a9b0e..afc3c68d 100644 --- a/vuln/core/95.json +++ b/vuln/core/95.json 
@@ -1,7 +1,7 @@ { "cve": ["CVE-2022-32214"], "vulnerable": "14.x || 16.x || 18.x", - "patched": "14.20.0 || 16.20.0 || 18.5.0", + "patched": "^14.20.0 || ^16.20.0 || ^18.5.0", "ref": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/", "overview": "The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS)." } diff --git a/vuln/core/96.json b/vuln/core/96.json index 12783232..0b4afc32 100644 --- a/vuln/core/96.json +++ b/vuln/core/96.json @@ -1,7 +1,7 @@ { "cve": ["CVE-2022-32212"], "vulnerable": "14.x || 16.x || 18.x", - "patched": "14.20.1 || 16.17.1 || 18.9.1", + "patched": "^14.20.1 || ^16.17.1 || ^18.9.1", "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/", "overview": "The IsAllowedHost check in https://github.com/nodejs/node/blob/fdf0a84e826d3a9ec0ce6f5a3f5adc967fe99408/src/inspector_socket.cc#L580 can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid or not. When an invalid IPv4 address is provided (for instance 10.0.2.555 is provided), the browser will make a DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server to perform a rebinding attack and hence access the JSON file containing the WebSocket file.\n The fix we introduced in https://hackerone.com/reports/1069487 was not complete." } diff --git a/vuln/core/97.json b/vuln/core/97.json index 9ca060cd..b7362aa3 100644 --- a/vuln/core/97.json +++ b/vuln/core/97.json 
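Review bot: `^16.20.0` in 95.json's `patched` range looks inconsistent with its siblings: `14.20.0` and `18.5.0` are the July 2022 security releases the `ref` points to, while 16.20.0 is a much later 16.x release, so every 16.x build between the actual fix and 16.20.0 would be reported as unpatched. The same value appears in 98.json, which cites the same advisory. The commit only adds carets, so the value predates it, but it is worth checking the referenced advisory for the 16.x fix version (I believe it is 16.16.0) before the normalization lands, since a wrong `patched` floor is exactly what the caret makes authoritative.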
@@ -1,7 +1,7 @@ { "cve": ["CVE-2022-32213"], "vulnerable": "14.x || 16.x || 18.x", - "patched": "14.20.1 || 16.17.1 || 18.9.1", + "patched": "^14.20.1 || ^16.17.1 || ^18.9.1", "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/", "overview": "The llhttp parser in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS)." } diff --git a/vuln/core/98.json b/vuln/core/98.json index ab0882a6..e2e62bbd 100644 --- a/vuln/core/98.json +++ b/vuln/core/98.json @@ -1,7 +1,7 @@ { "cve": ["CVE-2022-32223"], "vulnerable": "14.x || 16.x || 18.x", - "patched": "14.20.0 || 16.20.0 || 18.5.0", + "patched": "^14.20.0 || ^16.20.0 || ^18.5.0", "ref": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/", "overview": "Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.\nThis vulnerability can be exploited if the victim has the following dependencies on a Windows machine:\n* OpenSSL has been installed and “C:\\Program Files\\Common Files\\SSL\\openssl.cnf” exists.\n\nWhenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.\nAfter that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.\n\nIt is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability." } diff --git a/vuln/core/99.json b/vuln/core/99.json index 732835f4..d7e11c8c 100644 --- a/vuln/core/99.json +++ b/vuln/core/99.json 
@@ -1,7 +1,7 @@ { "cve": ["CVE-2022-32222"], "vulnerable": "14.x || 16.x || 18.x", - "patched": "14.20.0 || 16.20.0 || 18.9.1", + "patched": "^14.20.0 || ^16.20.0 || ^18.9.1", "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/", "overview": "On linux, versions of 18.x prior to Y used a default path for openssl.cnf that was within a path that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3." } From ee3d501bfa38ba7a475d0f7d2572937c7e32a9b8 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Wed, 25 Jan 2023 11:28:39 -0300 Subject: [PATCH 2/2] workflow: include validate vulnerability Signed-off-by: RafaelGSS --- .github/workflows/validate-vulnerability.yml | 25 ++++++++++++++++++++ tools/vuln_valid/vulnValidate.js | 8 +++---- 2 files changed, 29 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/validate-vulnerability.yml diff --git a/.github/workflows/validate-vulnerability.yml b/.github/workflows/validate-vulnerability.yml new file mode 100644 index 00000000..9c0c1bc5 --- /dev/null +++ b/.github/workflows/validate-vulnerability.yml @@ -0,0 +1,25 @@ +name: Validate Vulnerability + +on: + pull_request: + paths: + - 'vuln/**/*.json' + +jobs: + validate: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: Use Node.js + uses: actions/setup-node@v3 + with: + node-version: 18 + + - name: Install + run: | + npm install + + - name: Run validator + run: | + npm run validate diff --git a/tools/vuln_valid/vulnValidate.js b/tools/vuln_valid/vulnValidate.js index 6d6c5387..c40af111 100644 --- a/tools/vuln_valid/vulnValidate.js +++ b/tools/vuln_valid/vulnValidate.js @@ -3,7 +3,6 @@ const joi = require("joi").extend(require("joi-extension-semver")); const path = require("path"); const fs = require("fs"); -const vulnPaths = require("../../vuln").paths; const coreModel = joi.object().keys({ cve: joi .array() 
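Review bot: The overview in 99.json still contains the placeholder `versions of 18.x prior to Y`, so readers of the database get no fix version in prose; `Y` should be the 18.x release the `patched` field encodes, or the clause should be dropped. The overview also describes only 18.x on Linux (the OpenSSL 3 default `openssl.cnf` path), while `vulnerable` lists 14.x and 16.x as well — worth confirming against the referenced advisory whether those lines were affected. Neither point is introduced by the caret change, but this entry is touched by the commit and the placeholder is easy to fix in the same pass.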
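Review bot: The new workflow triggers only on `vuln/**/*.json`, so a change to the validator or its schema under `tools/vuln_valid/` never runs it and a broken validator is noticed only on the next vulnerability PR; adding `- 'tools/vuln_valid/**'` to `paths` closes that gap. The job also runs with the default `GITHUB_TOKEN` permissions, and a top-level `permissions:` block with `contents: read` is all that checkout and validation need. `actions/checkout@v3` and `actions/setup-node@v3` are mutable tags; pinning each to a commit SHA (keeping the tag as a comment) is the usual supply-chain hardening for a security-WG repository. `npm run validate` must exist as a script — the vuln_db.md change in the first patch tells contributors to run `npm test`, so the two should agree — and `npm ci` is preferable to `npm install` if a lockfile is committed.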
@@ -117,16 +116,17 @@ function validateVuln(filePath, model) {
 const vuln = JSON.parse(fs.readFileSync(filePath));
 const result = joi.validate(vuln, model);
 if (result.error) {
- console.error(result.error);
+ console.error(filePath, result.error);
 throw result.error;
 }
 }
 
 function validate(dir, model) {
- fs.readdirSync(dir).forEach(name => {
+ const files = fs.readdirSync(dir);
+ for (const name of files) {
 const filePath = path.join(dir, name);
 validateVuln(filePath, model);
- });
+ }
 }
 
 module.exports = {
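Review bot: The rewritten `validate` loop still hands every directory entry to `validateVuln`, so a stray README, editor swap file or subdirectory under `dir` fails with a `SyntaxError` from `JSON.parse` or an `EISDIR` from `readFileSync` instead of a schema error; since the new workflow only watches `*.json`, filtering is the matching behaviour: `const files = fs.readdirSync(dir).filter((name) => name.endsWith(".json"));`. The `throw` on the first invalid file also means a PR that adds several bad entries reports only one of them per CI run; collecting the failing paths and throwing once after the loop would surface all of them. `validateVuln` begins outside the hunk, and the new `console.error(filePath, …)` followed by the rethrow will likely print the same Joi error twice if nothing up the stack catches it.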