1. Home
  2. Security Advisories
  3. FreeBSD
  4. FREEBSD:B9210706-FEB0-11EC-81FA-1C697A616631

[FREEBSD:B9210706-FEB0-11EC-81FA-1C697A616631] Node.js -- July 7th 2022 Security Releases

Severity High
Affected Packages 3
CVEs 6
Info Packages References Vulnerabilities

Node.js reports:

  HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding
  (Medium)(CVE-2022-32213)
  The llhttp parser in the http module does not correctly parse and
  validate Transfer-Encoding headers. This can lead to HTTP Request
  Smuggling (HRS).
  HTTP Request Smuggling - Improper Delimiting of Header Fields
  (Medium)(CVE-2022-32214)
  The llhttp parser in the http module does not strictly use the CRLF
  sequence to delimit HTTP requests. This can lead to HTTP Request
  Smuggling (HRS).
  HTTP Request Smuggling - Incorrect Parsing of Multi-line
  Transfer-Encoding (Medium)(CVE-2022-32215)
  The llhttp parser in the http module does not correctly handle
  multi-line Transfer-Encoding headers. This can lead to HTTP Request
  Smuggling (HRS).
  DNS rebinding in --inspect via invalid IP addresses
  (High)(CVE-2022-32212)
  The IsAllowedHost check can easily be bypassed because IsIPAddress
  does not properly check if an IP address is invalid or not. When an
  invalid IPv4 address is provided (for instance 10.0.2.555 is
  provided), browsers (such as Firefox) will make DNS requests to the
  DNS server, providing a vector for an attacker-controlled DNS server
  or a MITM who can spoof DNS responses to perform a rebinding attack
  and hence connect to the WebSocket debugger, allowing for arbitrary
  code execution. This is a bypass of CVE-2021-22884.
  Attempt to read openssl.cnf from /home/iojs/build/ upon startup
  (Medium)(CVE-2022-32222)
  When Node.js starts on linux based systems, it attempts to read
  /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf,
  which ordinarily doesn't exist. On some shared systems an attacker may
  be able create this file and therefore affect the default OpenSSL
  configuration for other users.
  OpenSSL - AES OCB fails to encrypt some bytes
  (Medium)(CVE-2022-2097)
  AES OCB mode for 32-bit x86 platforms using the AES-NI assembly
  optimised implementation will not encrypt the entirety of the data
  under some circumstances. This could reveal sixteen bytes of data that
  was preexisting in the memory that wasn't written. In the special case
  of "in place" encryption, sixteen bytes of the plaintext would be
  revealed.  Since OpenSSL does not support OCB based cipher suites for
  TLS and DTLS, they are both unaffected.
Package Affected Version
pkg:freebsd/node16 < 16.16.0
pkg:freebsd/node14 < 14.20.0
pkg:freebsd/node < 14.20.0
ID
FREEBSD:B9210706-FEB0-11EC-81FA-1C697A616631
Severity
high
Severity from
CVE-2022-32212
URL
http://vuxml.freebsd.org/freebsd/b9210706-feb0-11ec-81fa-1c697a616631.html
Published
2022-07-05T00:00:00
(2 years ago)
Modified
2022-07-08T00:00:00
(2 years ago)
Rights
FreeBSD VuXML Security Team
Other Advisories
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:freebsd/node16 node16 < 16.16.0
Affected pkg:freebsd/node14 node14 < 14.20.0
Affected pkg:freebsd/node node < 14.20.0
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date