nodejs · RafaelGSS · Jan 25, 2023 · Jan 25, 2023 · Jan 25, 2023
diff --git a/.github/workflows/validate-vulnerability.yml b/.github/workflows/validate-vulnerability.yml
@@ -0,0 +1,25 @@
+name: Validate Vulnerability
+
+on:
+  pull_request:
+    paths:
+      - 'vuln/**/*.json'
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Use Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+
+      - name: Install
+        run: |
+          npm install
+
+      - name: Run validator
+        run: |
+          npm run validate
@@ -58,7 +58,7 @@ Detailed information on the [database references](https://github.com/nodejs/secu
 
 The Security WG employs a static code analysis tool that runs in CI for all pull requests to validate the correct structure when new vulnerabilities are introduced.
 
-You may make use of the same tool which is available [here](https://github.com/nodejs/security-wg/blob/master/tools/vuln_valid/index.js) either in your own tooling setup or from this repository by running `npm test`.
+You may make use of the same tool which is available [here](https://github.com/nodejs/security-wg/blob/main/tools/vuln_valid/index.js) either in your own tooling setup or from this repository by running `npm test`.
 
 
 ### Database structure changes

diff --git a/tools/vuln_valid/vulnValidate.js b/tools/vuln_valid/vulnValidate.js
@@ -3,7 +3,6 @@ const joi = require("joi").extend(require("joi-extension-semver"));
 const path = require("path");
 const fs = require("fs");
 
-const vulnPaths = require("../../vuln").paths;
 const coreModel = joi.object().keys({
   cve: joi
     .array()
@@ -117,16 +116,17 @@ function validateVuln(filePath, model) {
   const vuln = JSON.parse(fs.readFileSync(filePath));
   const result = joi.validate(vuln, model);
   if (result.error) {
-    console.error(result.error);
+    console.error(filePath, result.error);
     throw result.error;
   }
 }
 
 function validate(dir, model) {
-  fs.readdirSync(dir).forEach(name => {
+ const files = fs.readdirSync(dir);
+  for (const name of files) {
     const filePath = path.join(dir, name);
     validateVuln(filePath, model);
-  });
+  }
 }
 
 module.exports = {

@@ -1,7 +1,7 @@
 {
   "cve": ["CVE-2022-35256"],
   "vulnerable": "14.x || 16.x || 18.x",
-  "patched": "14.20.1 || 16.17.1 || 18.9.1",
+  "patched": "^14.20.1 || ^16.17.1 || ^18.9.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/",
   "overview": "The llhttp parser in the http module in Node.js v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling."
 }
@@ -1,7 +1,7 @@
 {
   "cve": ["CVE-2022-35255"],
   "vulnerable": "18.x",
-  "patched": "18.9.1",
+  "patched": "^18.9.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/",
   "overview": "Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. However, it does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail."
 }
@@ -1,7 +1,7 @@
 {
   "cve": ["CVE-2022-43548"],
   "vulnerable": "14.x || 16.x || 18.x || 19.x",
-  "patched": "14.21.1 || 16.18.1 || 18.12.1 || 19.0.1",
+  "patched": "^14.21.1 || ^16.18.1 || ^18.12.1 || ^19.0.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/",
   "overview": "The Node.js rebinding protector for --inspect still allows invalid IP address, specifically, the octal format."
 }
@@ -1,6 +1,7 @@
 {
   "cve": [],
-  "vulnerable": "4.7.1 || 6.9.3",
+  "vulnerable": "4.x || 6.x",
+  "patched": "^4.7.2 || ^6.9.4",
   "description": "no shasum exists to verify downloads",
   "overview": "While promoting additional platforms for v4.7.1 and v6.9.3 after the release,\nthe tarballs on the release server were overwritten and now have different\nshasums.\n\n"
 }
@@ -1,6 +1,6 @@
 {
   "cve": [],
-  "vulnerable": "^4.1.0",
+  "vulnerable": "4.x",
   "patched": "^4.1.1",
   "description": "data leakage via reuse of memory space in TypedArrays",
   "ref": "https://github.com/nodejs/node/pull/2931",

@@ -2,7 +2,7 @@
   "cve": [
     "CVE-2017-15896"
   ],
-  "vulnerable": "^4.0.0 || ^6.0.0  || ^8.0.0 || ^9.0.0",
+  "vulnerable": "4.x || 6.x  || 8.x || 9.x",
   "patched": "^4.8.7 || ^6.12.2 || ^8.9.3 || ^9.2.1" ,
   "ref": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/",
   "overview": "Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption."

@@ -2,7 +2,7 @@
   "cve": [
     "CVE-2017-15897"
   ],
-  "vulnerable": "^8.0.0 || ^9.0.0",
+  "vulnerable": "8.x || 9.x",
   "patched": "^8.9.3 || ^9.2.1" ,
   "ref": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/",
   "overview": "Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, \"This is not correctly encoded\", \"hex\");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases."

@@ -2,7 +2,7 @@
   "cve": [
     "CVE-2018-7158"
   ],
-  "vulnerable": "^4.0.0",
+  "vulnerable": "4.x",
   "patched": "^4.9.0",
   "ref": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
   "overview": "The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service."

@@ -2,7 +2,7 @@
   "cve": [
     "CVE-2018-7159"
   ],
-  "vulnerable": "^4.0.0 || ^6.0.0 || ^8.0.0 || ^9.0.0",
+  "vulnerable": "4.x || 6.x || 8.x || 9.x",
   "patched": "^4.9.0 || ^6.14.0 || ^8.11.0 || ^9.10.0",
   "ref": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
   "overview": "The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete."

@@ -2,7 +2,7 @@
   "cve": [
     "CVE-2018-7160"
   ],
-  "vulnerable": "^6.0.0 || ^8.0.0 || ^9.0.0",
+  "vulnerable": "6.x || 8.x || 9.x",
   "patched": "^6.14.0 || ^8.11.0 || ^9.10.0",
   "ref": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
   "overview": "The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access."

@@ -2,7 +2,7 @@
   "cve": [
     "CVE-2018-7161"
   ],
-  "vulnerable": "^8.0.0 || ^9.0.0 || ^10.0.0",
+  "vulnerable": "8.x || 9.x || 10.x",
   "patched": "^8.11.3 || ^9.11.2 || ^10.4.1" ,
   "ref": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/",
   "overview": "All versions of 8.x and later are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug where objects are used in native code after they are no longer available. This has been addressed by updating the http2 implementation. Thanks to Jordan Zebor at F5 Networks for reporting this issue."

@@ -2,7 +2,7 @@
   "cve": [
     "CVE-2018-7162"
   ],
-  "vulnerable": "^9.0.0 || ^10.0.0",
+  "vulnerable": "9.x || 10.x",
   "patched": "^9.11.2 || ^10.4.1" ,
   "ref": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/",
   "overview": "All versions of 9.x and later are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshake. This vulnerability has been addressed by updating the TLS implementation. Thanks to Jordan Zebor at F5 Networks all of his help investigating this issue with the Node.js team."

@@ -2,7 +2,7 @@
   "cve": [
     "CVE-2018-7164"
   ],
-  "vulnerable": "^9.7.x || ^10.0.0",
+  "vulnerable": "9.7.x || 10.x",
   "patched": "^9.11.2 || ^10.4.1" ,
   "ref": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/",
   "overview": "Versions 9.7.0 and later are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession. This vulnerability was restored by reverting to the prior behaviour."

@@ -2,7 +2,7 @@
   "cve": [
     "CVE-2018-7167"
   ],
-  "vulnerable": "^6.0.0 || ^8.0.0 || ^9.0.0",
+  "vulnerable": "6.x || 8.x || 9.x",
   "patched": "^6.14.3 || ^8.11.3 || ^9.11.2" ,
   "ref": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/",
   "overview": "Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service."

@@ -2,7 +2,7 @@
   "cve": [
     "CVE-2018-7166"
   ],
-  "vulnerable": "10",
+  "vulnerable": "10.x",
   "patched": ">= 10.9.0",
   "publish_date": "2018-08-16",
   "author": "Сковорода Никита Андреевич (Nikita Skovoroda / @ChALkeR)",

@@ -2,7 +2,7 @@
   "cve": [
     "CVE-2018-12116"
   ],
-  "vulnerable": "6 || 8",
+  "vulnerable": "6.x || 8.x",
   "patched": "^6.15.0 || ^8.14.0",
   "publish_date": "2018-11-27",
   "author": "Matteo Collina",

@@ -2,7 +2,7 @@
   "cve": [
     "CVE-2018-12120"
   ],
-  "vulnerable": "6",
+  "vulnerable": "6.x || 8.x",
   "patched": "^6.15.0 || ^8.14.0",
   "publish_date": "2018-11-27",
   "author": "Ben Noordhuis",

@@ -2,7 +2,7 @@
   "cve": [
     "CVE-2018-12121"
   ],
-  "vulnerable": "6 || 8 || 10 || 11",
+  "vulnerable": "6.x || 8.x || 10.x || 11.x",
   "patched": "^6.15.0 || ^8.14.0 || ^10.14.0 || ^11.3.0",
   "publish_date": "2018-11-27",
   "author": "Matteo Collina",

@@ -2,7 +2,7 @@
   "cve": [
     "CVE-2018-12122"
   ],
-  "vulnerable": "6 || 8 || 10 || 11",
+  "vulnerable": "6.x || 8.x || 10.x || 11.x",
   "patched": "^6.15.0 || ^8.14.0 || ^10.14.0 || ^11.3.0",
   "publish_date": "2018-11-27",
   "author": "Matteo Collina",

@@ -2,7 +2,7 @@
   "cve": [
     "CVE-2018-12123"
   ],
-  "vulnerable": "6 || 8 || 10 || 11",
+  "vulnerable": "6.x || 8.x || 10.x || 11.x",
   "patched": "^6.15.0 || ^8.14.0 || ^10.14.0 || ^11.3.0",
   "publish_date": "2018-11-27",
   "author": "Matteo Collina",

@@ -2,12 +2,12 @@
   "cve": [
     "CVE-2019-5737"
   ],
-  "vulnerable": "6 || 8 || 10 || 11",
+  "vulnerable": "6.x || 8.x || 10.x || 11.x",
   "patched": "^6.17.0 || ^8.15.1 || ^10.15.2 || ^11.10.1",
   "publish_date": "2019-02-28",
   "author": "Matteo Collina",
   "reported_by": "Marco Pracucci",
   "ref": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/",
   "type": "CWE-400: Uncontrolled Resource Consumption / Denial of Service",
   "overview": "An attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly thereby keeping the connection and associated resources alive for a long period of time. Attack potential is mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active release lines including 6, 8, 10 and 11."
-}
+}
@@ -2,12 +2,12 @@
   "cve": [
     "CVE-2019-5739"
   ],
-  "vulnerable": "6",
+  "vulnerable": "6.x",
   "patched": "^6.17.0",
   "publish_date": "2019-02-28",
   "author": "Matteo Collina",
   "reported_by": "Timur Shemsedinov",
   "ref": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/",
   "type": "CWE-400: Uncontrolled Resource Consumption / Denial of Service",
   "overview": "Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default."
-}
+}
@@ -9,7 +9,7 @@
     "CVE-2019-9517",
     "CVE-2019-9518"
   ],
-  "vulnerable": "8 || 10 || 12",
+  "vulnerable": "8.x || 10.x || 12.x",
   "patched": "^8.16.1 || ^10.16.3 || ^12.8.1",
   "publish_date": "2019-08-15",
   "author": "Sam Roberts",

@@ -1,6 +1,6 @@
 {
   "cve": ["CVE-2020-8277"],
-  "vulnerable": " 12.6.3 || 14.13.0 || 15.x",
+  "vulnerable": " 12.x || 14.x || 15.x",
   "patched": " ^12.19.1 || ^14.15.1 || 15.2.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/",
   "overview": "Denial of Service through DNS request"

@@ -1,7 +1,7 @@
 {
   "cve": ["CVE-2020-8265"],
-  "vulnerable": " 10.x || 12.x || 14.x || 15.x",
-  "patched": " ^10.23.1 || ^12.20.1 || 14.15.4, || 15.5.1",
+  "vulnerable": "10.x || 12.x || 14.x || 15.x",
+  "patched": "^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/",
   "overview": "use-after-free in TLSWrap - affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits."
 }
@@ -1,7 +1,7 @@
 {
   "cve": ["CVE-2020-8287"],
-  "vulnerable": " 10.x || 12.x || 14.x || 15.x",
-  "patched": " ^10.23.1 || ^12.20.1 || 14.15.4, || 15.5.1",
+  "vulnerable": "10.x || 12.x || 14.x || 15.x",
+  "patched": "^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/",
   "overview": "HTTP Request Smuggling in nodejs - Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html)"
 }
@@ -1,7 +1,7 @@
 {
   "cve": ["CVE-2020-1971"],
-  "vulnerable": " 10.x || 12.x || 14.x || 15.x",
-  "patched": " ^10.23.1 || ^12.20.1 || 14.15.4, || 15.5.0",
+  "vulnerable": "10.x || 12.x || 14.x || 15.x",
+  "patched": "^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.0",
   "ref": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/",
   "overview": "OpenSSL - EDIPARTYNAME NULL pointer de-reference - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt"
 }
@@ -1,7 +1,7 @@
 {
   "cve": ["CVE-2021-22883"],
   "vulnerable": " 10.x || 12.x || 14.x || 15.x",
-  "patched": " ^10.24.0 || ^12.21.0 || 14.16.0, || 15.10.0",
+  "patched": " ^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0",
   "ref": "https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/",
   "overview": "HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion - Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory."
 }
@@ -1,7 +1,7 @@
 {
   "cve": ["CVE-2021-22884"],
   "vulnerable": " 10.x || 12.x || 14.x || 15.x",
-  "patched": " ^10.24.0 || ^12.21.0 || 14.16.0, || 15.10.0",
+  "patched": " ^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0",
   "ref": "https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/",
   "overview": "DNS rebinding in --inspect - Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160."
 }
@@ -1,7 +1,7 @@
 {
   "cve": ["CVE-2021-23840"],
   "vulnerable": " 10.x || 12.x || 14.x || 15.x",
-  "patched": " ^10.24.0 || ^12.21.0 || 14.16.0, || 15.10.0",
+  "patched": " ^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0",
   "ref": "https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/",
   "overview": "OpenSSL - Integer overflow in CipherUpdate - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt"
 }
@@ -1,7 +1,7 @@
 {
   "cve": ["CVE-2021-3450"],
   "vulnerable": " 10.x || 12.x || 14.x || 15.x",
-  "patched": " ^10.24.1 || ^12.22.1 || 14.16.1, || 15.14.0",
+  "patched": " ^10.24.1 || ^12.22.1 || ^14.16.1 || ^15.14.0",
   "ref": "https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/",
   "overview": "This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt"
 }
@@ -1,7 +1,7 @@
 {
   "cve": ["CVE-2021-3449"],
   "vulnerable": " 10.x || 12.x || 14.x || 15.x",
-  "patched": " ^10.24.1 || ^12.22.1 || 14.16.1, || 15.14.0",
+  "patched": " ^10.24.1 || ^12.22.1 || ^14.16.1 || ^15.14.0",
   "ref": "https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/",
   "overview": "This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt"
 }