Log - Arch Linux

AVG-2852 edited at 04 Apr 2024 12:38:11

Status

-	Vulnerable
+	Fixed

AVG-2853 edited at 03 Apr 2024 20:15:54

Status

-	Vulnerable
+	Fixed

CVE-2024-27982 edited at 03 Apr 2024 16:03:53

References

	https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/#http-request-smuggling-via-content-length-obfuscation---cve-2024-27982---medium
+	https://github.com/nodejs/node/commit/1a65e98e22
+	https://github.com/nodejs/node/commit/5e34540a96
+	https://github.com/nodejs/node/commit/5d4d5848cf

Notes

+	This vulnerability affects all users in all active release lines: 18.x, 20.x and, 21.x.

CVE-2024-27983 edited at 03 Apr 2024 16:01:52

References

	https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/#assertion-failed-in-nodehttp2http2sessionhttp2session-leads-to-http2-server-crash-cve-2024-27983---high
+	https://github.com/nodejs/node/commit/3bd39fb474
+	https://github.com/nodejs/node/commit/ba1ae6d188
+	https://github.com/nodejs/node/commit/0fb816dbcc

AVG-2854 created at 03 Apr 2024 15:53:32

Packages

+	nodejs-lts-hydrogen

Issues

+	CVE-2024-27982
+	CVE-2024-27983

Status

+	Vulnerable

Severity

High

Affected

18.18.2-2

Fixed

18.20.1-1

Ticket

Advisory qualified

Yes

References

+	https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/
+	https://github.com/nodejs/node/releases/tag/v18.20.1

Notes

AVG-2852 edited at 03 Apr 2024 15:51:57

References

	https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/
+	https://github.com/nodejs/node/releases/tag/v21.7.2

AVG-2853 created at 03 Apr 2024 15:51:33

Packages

+	nodejs-lts-iron

Issues

+	CVE-2024-27982
+	CVE-2024-27983

Status

+	Vulnerable

Severity

High

Affected

20.11.1-1

Fixed

20.12.1-1

Ticket

Advisory qualified

Yes

References

+	https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/
+	https://github.com/nodejs/node/releases/tag/v20.12.1

Notes

AVG-2852 created at 03 Apr 2024 15:48:47

Packages

nodejs

Issues

+	CVE-2024-27982
+	CVE-2024-27983

Status

+	Vulnerable

Severity

High

Affected

21.7.1-1

Fixed

21.7.2-1

Ticket

Advisory qualified

Yes

References

+	https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/

Notes

CVE-2024-27982 created at 03 Apr 2024 15:44:01

Severity

Medium

Remote

Type

+	Insufficient validation

Description

+	The team has identified a vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
+
+	Impacts: This vulnerability affects all users in all active release lines: 18.x, 20.x and, 21.x.

References

+	https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/#http-request-smuggling-via-content-length-obfuscation---cve-2024-27982---medium

Notes

CVE-2024-27983 created at 03 Apr 2024 15:39:25

Severity

High

Remote

Type

+	Denial of service

Description

+	An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
+
+	This vulnerability affects all users in all active release lines: 18.x, 20.x and, 21.x

References

+	https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/#assertion-failed-in-nodehttp2http2sessionhttp2session-leads-to-http2-server-crash-cve-2024-27983---high

Notes

+	This vulnerability affects all users in all active release lines: 18.x, 20.x and, 21.x