Clair scanner is reporting a list of CVEs against the image registry.access.redhat.com/ubi8/nodejs-12 and pointing to the nodejs-14 advisory. So there are two issues I see here:
For the nodejs image, it should consider the version of nodejs while comparing against known CVEs. I get the below report from Clair for an image which has registry.access.redhat.com/ubi8/nodejs-12 as its base image:
{
"image": ".com/test:2.6.1-dockerimg.63dd7052",
"unapproved": [
"RHSA-2021:5171",
"RHSA-2021:3666",
"RHSA-2022:0350",
"RHSA-2021:5171",
"RHSA-2021:3074",
"RHSA-2021:3666",
"RHSA-2021:0744",
"RHSA-2021:0551",
"RHSA-2022:0350",
"RHSA-2021:5171",
"RHSA-2021:3074",
"RHSA-2021:3666",
"RHSA-2021:0744",
"RHSA-2021:0551",
"RHSA-2022:0350",
"RHSA-2021:5171",
"RHSA-2021:3074",
"RHSA-2021:3666",
"RHSA-2021:0744",
"RHSA-2021:0551",
"RHSA-2022:0350",
"RHSA-2021:5171",
"RHSA-2022:0350"
],
"vulnerabilities": [
{
"featurename": "nodejs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:3666",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930) nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940) c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672) nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931) nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803) nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804) nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939) nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): nodejs:14/nodejs: Make FIPS options always available (BZ#1993924)",
"link": "https://access.redhat.com/errata/RHSA-2021:3666[](test)",
"severity": "High",
"fixedby": "1:14.17.5-1.module+el8.4.0+12247+e2879e58"
},
{
"featurename": "npm",
"featureversion": "1:6.14.14-1.12.22.5.1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:3666",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930) nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940) c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672) nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931) nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803) nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804) nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939) nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): nodejs:14/nodejs: Make FIPS options always available (BZ#1993924)",
"link": "https://access.redhat.com/errata/RHSA-2021:3666[](test)",
"severity": "High",
"fixedby": "1:6.14.14-1.14.17.5.1.module+el8.4.0+12247+e2879e58"
},
{
"featurename": "nodejs-docs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:0744",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.16.0). Security Fix(es): nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion (CVE-2021-22883) nodejs: DNS rebinding in --inspect (CVE-2021-22884) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): Node.js should not be built with \"--debug-nghttp2\" (BZ#1932427)",
"link": "https://access.redhat.com/errata/RHSA-2021:0744[](test)",
"severity": "High",
"fixedby": "1:14.16.0-2.module+el8.3.0+10180+b92e1eb6"
},
{
"featurename": "nodejs-docs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:3666",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930) nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940) c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672) nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931) nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803) nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804) nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939) nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): nodejs:14/nodejs: Make FIPS options always available (BZ#1993924)",
"link": "https://access.redhat.com/errata/RHSA-2021:3666[](test)",
"severity": "High",
"fixedby": "1:14.17.5-1.module+el8.4.0+12247+e2879e58"
},
{
"featurename": "nodejs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:0744",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.16.0). Security Fix(es): nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion (CVE-2021-22883) nodejs: DNS rebinding in --inspect (CVE-2021-22884) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): Node.js should not be built with \"--debug-nghttp2\" (BZ#1932427)",
"link": "https://access.redhat.com/errata/RHSA-2021:0744[](test)",
"severity": "High",
"fixedby": "1:14.16.0-2.module+el8.3.0+10180+b92e1eb6"
},
{
"featurename": "nodejs-full-i18n",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:3666",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930) nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940) c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672) nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931) nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803) nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804) nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939) nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): nodejs:14/nodejs: Make FIPS options always available (BZ#1993924)",
"link": "https://access.redhat.com/errata/RHSA-2021:3666[](test)",
"severity": "High",
"fixedby": "1:14.17.5-1.module+el8.4.0+12247+e2879e58"
},
{
"featurename": "nodejs-full-i18n",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:0744",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.16.0). Security Fix(es): nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion (CVE-2021-22883) nodejs: DNS rebinding in --inspect (CVE-2021-22884) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): Node.js should not be built with \"--debug-nghttp2\" (BZ#1932427)",
"link": "https://access.redhat.com/errata/RHSA-2021:0744[](test)",
"severity": "High",
"fixedby": "1:14.16.0-2.module+el8.3.0+10180+b92e1eb6"
},
{
"featurename": "npm",
"featureversion": "1:6.14.14-1.12.22.5.1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:5171",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610) Security Fix(es): nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) normalize-url: ReDoS for data URLs (CVE-2021-33502) llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2021:5171[](test)",
"severity": "Medium",
"fixedby": "1:8.1.2-1.16.13.1.3.module+el8.5.0+13548+45d748af"
},
{
"featurename": "nodejs-full-i18n",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2022:0350",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609) Security Fix(es): nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) normalize-url: ReDoS for data URLs (CVE-2021-33502) nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701) nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712) llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2022:0350[](test)",
"severity": "Medium",
"fixedby": "1:14.18.2-2.module+el8.5.0+13644+8d46dafd"
},
{
"featurename": "nodejs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:5171",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610) Security Fix(es): nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) normalize-url: ReDoS for data URLs (CVE-2021-33502) llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2021:5171[](test)",
"severity": "Medium",
"fixedby": "1:16.13.1-3.module+el8.5.0+13548+45d748af"
},
{
"featurename": "nodejs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:3074",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.17.3). (BZ#1978203) Security Fix(es): nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362) nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290) libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes (CVE-2021-22918) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2021:3074[](test)",
"severity": "Medium",
"fixedby": "1:14.17.3-2.module+el8.4.0+11738+3bd42762"
},
{
"featurename": "nodejs-full-i18n",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:0551",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.15.4). Security Fix(es): nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754) nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774) nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788) nodejs: use-after-free in the TLS implementation (CVE-2020-8265) c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277) nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366) nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): yarn install crashes with nodejs:14 on aarch64 (BZ#1916465)",
"link": "https://access.redhat.com/errata/RHSA-2021:0551[](test)",
"severity": "Medium",
"fixedby": "1:14.15.4-2.module+el8.3.0+9635+ffdf8381"
},
{
"featurename": "nodejs-full-i18n",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:3074",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.17.3). (BZ#1978203) Security Fix(es): nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362) nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290) libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes (CVE-2021-22918) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2021:3074[](test)",
"severity": "Medium",
"fixedby": "1:14.17.3-2.module+el8.4.0+11738+3bd42762"
},
{
"featurename": "nodejs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:0551",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.15.4). Security Fix(es): nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754) nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774) nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788) nodejs: use-after-free in the TLS implementation (CVE-2020-8265) c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277) nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366) nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): yarn install crashes with nodejs:14 on aarch64 (BZ#1916465)",
"link": "https://access.redhat.com/errata/RHSA-2021:0551[](test)",
"severity": "Medium",
"fixedby": "1:14.15.4-2.module+el8.3.0+9635+ffdf8381"
},
{
"featurename": "nodejs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2022:0350",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609) Security Fix(es): nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) normalize-url: ReDoS for data URLs (CVE-2021-33502) nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701) nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712) llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2022:0350[](test)",
"severity": "Medium",
"fixedby": "1:14.18.2-2.module+el8.5.0+13644+8d46dafd"
},
{
"featurename": "nodejs-docs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:5171",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610) Security Fix(es): nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) normalize-url: ReDoS for data URLs (CVE-2021-33502) llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2021:5171[](test)",
"severity": "Medium",
"fixedby": "1:16.13.1-3.module+el8.5.0+13548+45d748af"
},
{
"featurename": "nodejs-docs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:3074",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.17.3). (BZ#1978203) Security Fix(es): nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362) nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290) libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes (CVE-2021-22918) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2021:3074[](test)",
"severity": "Medium",
"fixedby": "1:14.17.3-2.module+el8.4.0+11738+3bd42762"
},
{
"featurename": "nodejs-full-i18n",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:5171",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610) Security Fix(es): nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) normalize-url: ReDoS for data URLs (CVE-2021-33502) llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2021:5171[](test)",
"severity": "Medium",
"fixedby": "1:16.13.1-3.module+el8.5.0+13548+45d748af"
},
{
"featurename": "npm",
"featureversion": "1:6.14.14-1.12.22.5.1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2022:0350",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609) Security Fix(es): nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) normalize-url: ReDoS for data URLs (CVE-2021-33502) nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701) nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712) llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2022:0350[](test)",
"severity": "Medium",
"fixedby": "1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd"
},
{
"featurename": "nodejs-docs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2021:0551",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.15.4). Security Fix(es): nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754) nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774) nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788) nodejs: use-after-free in the TLS implementation (CVE-2020-8265) c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277) nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366) nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): yarn install crashes with nodejs:14 on aarch64 (BZ#1916465)",
"link": "https://access.redhat.com/errata/RHSA-2021:0551[](test)",
"severity": "Medium",
"fixedby": "1:14.15.4-2.module+el8.3.0+9635+ffdf8381"
},
{
"featurename": "nodejs-docs",
"featureversion": "1:12.22.5-1.module+el8.4.0+12242+af52a4c7",
"vulnerability": "RHSA-2022:0350",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609) Security Fix(es): nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) normalize-url: ReDoS for data URLs (CVE-2021-33502) nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701) nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712) llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2022:0350[](test)",
"severity": "Medium",
"fixedby": "1:14.18.2-2.module+el8.5.0+13644+8d46dafd"
},
{
"featurename": "nodejs-nodemon",
"featureversion": "2.0.3-1.module+el8.4.0+11732+c668cc9f",
"vulnerability": "RHSA-2021:5171",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610) Security Fix(es): nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) normalize-url: ReDoS for data URLs (CVE-2021-33502) llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2021:5171[](test)",
"severity": "Medium",
"fixedby": "0:2.0.15-1.module+el8.5.0+13548+45d748af"
},
{
"featurename": "nodejs-nodemon",
"featureversion": "2.0.3-1.module+el8.4.0+11732+c668cc9f",
"vulnerability": "RHSA-2022:0350",
"namespace": "centos:8",
"description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609) Security Fix(es): nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) normalize-url: ReDoS for data URLs (CVE-2021-33502) nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701) nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712) llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"link": "https://access.redhat.com/errata/RHSA-2022:0350[](test)",
"severity": "Medium",
"fixedby": "0:2.0.15-1.module+el8.5.0+13504+a2e74d91"
}
]
}
clair found vulnerabilities
For nodejs-12, the actual errata link is "https://access.redhat.com/errata/RHSA-2021:3623". Please notice that the featureversion marked in the above report is actually the version which fixes the CVE for nodejs-12.