wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Research vulnerability Packages used by E2E Vulnerability Detection tests #4943

Closed Rebits closed 8 months ago

Rebits commented 8 months ago

Description

During Vulnerability Detection configuration change not updated in E2E tests, it was discovered that the vulnerable packages used do not trigger the expected vulnerabilities in the environment.

More information in https://github.com/wazuh/wazuh/issues/21789#issuecomment-1932540280

Further research is required.

santipadilla commented 8 months ago

To perform this vulnerability analysis and research we have used the following environment:

Manager

System information
```console
root@ip-172-31-8-216:/home/qa# cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04 LTS"
PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
```
Manager version
```console
root@ip-172-31-8-216:/home/qa# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40803"
WAZUH_TYPE="server"
```
Manager status
```console
root@ip-172-31-8-216:/home/qa# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
     Active: active (exited) since Mon 2024-02-12 10:28:15 UTC; 2h 29min ago
        CPU: 59.130s

Feb 12 10:28:09 ip-172-31-8-216 env[66989]: Started wazuh-syscheckd...
Feb 12 10:28:10 ip-172-31-8-216 env[66989]: Started wazuh-remoted...
Feb 12 10:28:11 ip-172-31-8-216 env[66989]: Started wazuh-logcollector...
Feb 12 10:28:12 ip-172-31-8-216 env[66989]: Started wazuh-monitord...
Feb 12 10:28:12 ip-172-31-8-216 env[67303]: 2024/02/12 10:28:12 wazuh-modulesd:router: INFO: Loaded router >
Feb 12 10:28:12 ip-172-31-8-216 env[67303]: 2024/02/12 10:28:12 wazuh-modulesd:content_manager: INFO: Loade>
Feb 12 10:28:13 ip-172-31-8-216 env[66989]: Started wazuh-modulesd...
Feb 12 10:28:13 ip-172-31-8-216 env[66989]: Started wazuh-clusterd...
Feb 12 10:28:15 ip-172-31-8-216 env[66989]: Completed.
Feb 12 10:28:15 ip-172-31-8-216 systemd[1]: Started Wazuh manager.
```

CentOS 7 Agent

System information
```console
[root@ip-172-31-12-149 qa]# cat /etc/*release
CentOS Linux release 7.9.2009 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
CentOS Linux release 7.9.2009 (Core)
CentOS Linux release 7.9.2009 (Core)
```
Agent version
```console
[root@ip-172-31-12-149 qa]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40803"
WAZUH_TYPE="agent"
```
Agent status
```console
[root@ip-172-31-12-149 qa]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2024-02-12 10:33:37 UTC; 2h 28min ago
   CGroup: /system.slice/wazuh-agent.service
           ├─10287 /var/ossec/bin/wazuh-execd
           ├─10308 /var/ossec/bin/wazuh-agentd
           ├─10326 /var/ossec/bin/wazuh-syscheckd
           ├─10345 /var/ossec/bin/wazuh-logcollector
           └─10366 /var/ossec/bin/wazuh-modulesd

feb 12 10:33:30 ip-172-31-12-149.ec2.internal systemd[1]: Stopped Wazuh agent.
feb 12 10:33:30 ip-172-31-12-149.ec2.internal systemd[1]: Starting Wazuh agent...
feb 12 10:33:30 ip-172-31-12-149.ec2.internal env[10260]: Starting Wazuh v4.8.0...
feb 12 10:33:31 ip-172-31-12-149.ec2.internal env[10260]: Started wazuh-execd...
feb 12 10:33:32 ip-172-31-12-149.ec2.internal env[10260]: Started wazuh-agentd...
feb 12 10:33:33 ip-172-31-12-149.ec2.internal env[10260]: Started wazuh-syscheckd...
feb 12 10:33:34 ip-172-31-12-149.ec2.internal env[10260]: Started wazuh-logcollector...
feb 12 10:33:35 ip-172-31-12-149.ec2.internal env[10260]: Started wazuh-modulesd...
feb 12 10:33:37 ip-172-31-12-149.ec2.internal env[10260]: Completed.
feb 12 10:33:37 ip-172-31-12-149.ec2.internal systemd[1]: Started Wazuh agent.
```

Windows 11 Agent

System information
```console
PS C:\Users\qa> systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"
OS Name: Microsoft Windows 11 Pro
OS Version: 10.0.22621 N/A Build 22621
```
Agent version
```console
PS C:\Users\qa> (Get-Command "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe").FileVersionInfo

ProductVersion   FileVersion      FileName
--------------   -----------      --------
v4.8.0           v4.8.0           C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
```
Agent status
```console
PS C:\Users\qa> Get-service wazuh

Status   Name               DisplayName
------   ----               -----------
Running  WazuhSvc           wazuh
```

Ubuntu 22 Agent

System information
```console
root@ip-172-31-3-1:/home/qa# cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04 LTS"
PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
```
Agent version
```console
root@ip-172-31-3-1:/home/qa# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40803"
WAZUH_TYPE="agent"
```
Agent status
```console
root@ip-172-31-3-1:/home/qa# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2024-02-19 11:23:06 UTC; 2h 1min ago
    Process: 10830 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/S>
      Tasks: 32 (limit: 4623)
     Memory: 20.3M
        CPU: 47.476s
     CGroup: /system.slice/wazuh-agent.service
             ├─10852 /var/ossec/bin/wazuh-execd
             ├─10863 /var/ossec/bin/wazuh-agentd
             ├─10877 /var/ossec/bin/wazuh-syscheckd
             ├─10891 /var/ossec/bin/wazuh-logcollector
             └─10908 /var/ossec/bin/wazuh-modulesd

Feb 19 11:22:59 ip-172-31-3-1 systemd[1]: Starting Wazuh agent...
Feb 19 11:22:59 ip-172-31-3-1 env[10830]: Starting Wazuh v4.8.0...
Feb 19 11:23:00 ip-172-31-3-1 env[10830]: Started wazuh-execd...
Feb 19 11:23:01 ip-172-31-3-1 env[10830]: Started wazuh-agentd...
Feb 19 11:23:02 ip-172-31-3-1 env[10830]: Started wazuh-syscheckd...
Feb 19 11:23:03 ip-172-31-3-1 env[10830]: Started wazuh-logcollector...
Feb 19 11:23:04 ip-172-31-3-1 env[10830]: Started wazuh-modulesd...
Feb 19 11:23:06 ip-172-31-3-1 env[10830]: Completed.
Feb 19 11:23:06 ip-172-31-3-1 systemd[1]: Started Wazuh agent.
```

macOS Sonoma Agent

System information
```console
sh-3.2# sw_vers
ProductName: macOS
ProductVersion: 14.0
BuildVersion: 23A344
```
Agent version
```console
sh-3.2# /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40803"
WAZUH_TYPE="agent"
```
Agent status
```console
sh-3.2# sudo /Library/Ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
```

santipadilla commented 8 months ago

CentOS 7 Agent

We have tested with the installation of different packages with vulnerabilities to check that they are detected. The version of the installed packages is the default version.

Mercurial

Installation of a vulnerable package
```console
[root@ip-172-31-12-149 qa]# yum install mercurial
Loaded plugins: fastestmirror
Determining fastest mirrors
epel/x86_64/metalink | 25 kB 00:00:00
 * base: download.cf.centos.org
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: download.cf.centos.org
 * updates: download.cf.centos.org
base | 3.6 kB 00:00:00
epel | 4.7 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/5): epel/x86_64/group_gz | 100 kB 00:00:00
(2/5): epel/x86_64/primary_db | 7.0 MB 00:00:00
(3/5): epel/x86_64/updateinfo | 1.0 MB 00:00:00
(4/5): extras/7/x86_64/primary_db | 250 kB 00:00:00
(5/5): updates/7/x86_64/primary_db | 25 MB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package mercurial.x86_64 0:2.6.2-11.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package Arch Version Repository Size
================================================================================
Installing:
 mercurial x86_64 2.6.2-11.el7 base 2.6 M

Transaction Summary
================================================================================
Install 1 Package

Total download size: 2.6 M
Installed size: 12 M
Is this ok [y/d/N]: y
Downloading packages:
mercurial-2.6.2-11.el7.x86_64.rpm | 2.6 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : mercurial-2.6.2-11.el7.x86_64 1/1
  Verifying : mercurial-2.6.2-11.el7.x86_64 1/1

Installed:
  mercurial.x86_64 0:2.6.2-11.el7

Complete!
```
Vulnerability scanning
```console
root@ip-172-31-8-216:/home/qa# grep -i "mercurial" /var/ossec/logs/alerts/alerts.json
{"timestamp":"2024-02-12T12:36:02.997+0000","rule":{"level":10,"description":"CVE-2014-9390 affects perl-Git","id":"23505","firedtimes":3422,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"agent1","ip":"172.31.12.149"},"manager":{"name":"ip-172-31-8-216"},"id":"1707741362.42522073","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"mitre","cve":"CVE-2014-9390","cvss":{"cvss2":{"base_score":"7.500000","vector":{"access_complexity":"LOW","authentication":"NONE","availability":"PARTIAL","confidentiality_impact":"PARTIAL","integrity_impact":"PARTIAL"}}},"cwe_reference":"CWE-20","enumeration":"CVE","package":{"architecture":"noarch","condition":"Package default status","name":"perl-Git","source":" ","version":"1.8.3.1-25.el7_9"},"published":"2020-02-12T02:15:10Z","rationale":"Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.","reference":"http://article.gmane.org/gmane.linux.kernel/1853266, https://news.ycombinator.com/item?id=8769667, https://libgit2.org/security/, http://mercurial.selenic.com/wiki/WhatsNew, http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html, https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915, http://securitytracker.com/id?1031404, http://support.apple.com/kb/HT204147, https://github.com/blog/1938-git-client-vulnerability-announced","severity":"High","status":"Active","title":"CVE-2014-9390 affects perl-Git","type":"Packages","updated":"2021-05-17T19:54:37Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-02-12T12:36:38.063+0000","rule":{"level":10,"description":"CVE-2014-9390 affects git","id":"23505","firedtimes":4561,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"agent1","ip":"172.31.12.149"},"manager":{"name":"ip-172-31-8-216"},"id":"1707741398.53599876","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"mitre","cve":"CVE-2014-9390","cvss":{"cvss2":{"base_score":"7.500000","vector":{"access_complexity":"LOW","authentication":"NONE","availability":"PARTIAL","confidentiality_impact":"PARTIAL","integrity_impact":"PARTIAL"}}},"cwe_reference":"CWE-20","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package default status","name":"git","source":" ","version":"1.8.3.1-25.el7_9"},"published":"2020-02-12T02:15:10Z","rationale":"Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.","reference":"http://article.gmane.org/gmane.linux.kernel/1853266, https://news.ycombinator.com/item?id=8769667, https://libgit2.org/security/, http://mercurial.selenic.com/wiki/WhatsNew, http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html, https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915, http://securitytracker.com/id?1031404, http://support.apple.com/kb/HT204147, https://github.com/blog/1938-git-client-vulnerability-announced","severity":"High","status":"Active","title":"CVE-2014-9390 affects git","type":"Packages","updated":"2021-05-17T19:54:37Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-02-12T12:41:49.053+0000","rule":{"level":7,"description":"New Yum package installed.","id":"2932","firedtimes":10,"mail":false,"groups":["syslog","yum","config_changed"],"pci_dss":["10.6.1","10.2.7"],"gpg13":["4.10"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14"],"tsc":["CC7.2","CC7.3","CC6.8","CC8.1"]},"agent":{"id":"005","name":"agent1","ip":"172.31.12.149"},"manager":{"name":"ip-172-31-8-216"},"id":"1707741709.67471165","cluster":{"name":"wazuh","node":"master"},"full_log":"Feb 12 12:41:47 ip-172-31-12-149 yum[13555]: Installed: mercurial-2.6.2-11.el7.x86_64","predecoder":{"program_name":"yum","timestamp":"Feb 12 12:41:47","hostname":"ip-172-31-12-149"},"decoder":{},"location":"/var/log/messages"}
root@ip-172-31-8-216:/home/qa#
```
Summary
The alerts.json output does not directly mention any of the specific CVEs listed on the [vulnerability for Mercurial 2.6.2](https://www.cvedetails.com/vulnerability-list/vendor_id-8291/product_id-14386/version_id-1216681/Mercurial-Mercurial-2.6.2.html). The alerts related to perl-Git and git are triggered, which is mentioned as affecting both Git and Mercurial before version 3.2.3 in certain contexts. However, this CVE is related to Git and its interaction with Mercurial, not a direct vulnerability in Mercurial itself.

Nmap

Installation of a vulnerable package
```console
[root@ip-172-31-12-149 qa]# yum install nmap
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: download.cf.centos.org
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: download.cf.centos.org
 * updates: download.cf.centos.org
Resolving Dependencies
--> Running transaction check
---> Package nmap.x86_64 2:6.40-19.el7 will be installed
--> Processing Dependency: nmap-ncat = 2:6.40-19.el7 for package: 2:nmap-6.40-19.el7.x86_64
--> Processing Dependency: libpcap.so.1()(64bit) for package: 2:nmap-6.40-19.el7.x86_64
--> Running transaction check
---> Package libpcap.x86_64 14:1.5.3-13.el7_9 will be installed
---> Package nmap-ncat.x86_64 2:6.40-19.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package Arch Version Repository Size
================================================================================
Installing:
 nmap x86_64 2:6.40-19.el7 base 3.9 M
Installing for dependencies:
 libpcap x86_64 14:1.5.3-13.el7_9 updates 139 k
 nmap-ncat x86_64 2:6.40-19.el7 base 206 k

Transaction Summary
================================================================================
Install 1 Package (+2 Dependent packages)

Total download size: 4.3 M
Installed size: 17 M
Is this ok [y/d/N]: y
Downloading packages:
(1/3): libpcap-1.5.3-13.el7_9.x86_64.rpm | 139 kB 00:00:00
(2/3): nmap-ncat-6.40-19.el7.x86_64.rpm | 206 kB 00:00:00
(3/3): nmap-6.40-19.el7.x86_64.rpm | 3.9 MB 00:00:00
--------------------------------------------------------------------------------
Total 9.8 MB/s | 4.3 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 14:libpcap-1.5.3-13.el7_9.x86_64 1/3
  Installing : 2:nmap-ncat-6.40-19.el7.x86_64 2/3
  Installing : 2:nmap-6.40-19.el7.x86_64 3/3
  Verifying : 2:nmap-ncat-6.40-19.el7.x86_64 1/3
  Verifying : 14:libpcap-1.5.3-13.el7_9.x86_64 2/3
  Verifying : 2:nmap-6.40-19.el7.x86_64 3/3

Installed:
  nmap.x86_64 2:6.40-19.el7

Dependency Installed:
  libpcap.x86_64 14:1.5.3-13.el7_9 nmap-ncat.x86_64 2:6.40-19.el7

Complete!
```
Vulnerability scanning
```console
root@ip-172-31-8-216:/home/qa# grep -i "Nmap" /var/ossec/logs/alerts/alerts.json
{"timestamp":"2024-02-12T12:19:41.691+0000","rule":{"level":7,"description":"New Yum package installed.","id":"2932","firedtimes":8,"mail":false,"groups":["syslog","yum","config_changed"],"pci_dss":["10.6.1","10.2.7"],"gpg13":["4.10"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14"],"tsc":["CC7.2","CC7.3","CC6.8","CC8.1"]},"agent":{"id":"005","name":"agent1","ip":"172.31.12.149"},"manager":{"name":"ip-172-31-8-216"},"id":"1707740381.3518466","cluster":{"name":"wazuh","node":"master"},"full_log":"Feb 12 12:19:41 ip-172-31-12-149 yum[13479]: Installed: 2:nmap-ncat-6.40-19.el7.x86_64","predecoder":{"program_name":"yum","timestamp":"Feb 12 12:19:41","hostname":"ip-172-31-12-149"},"decoder":{},"location":"/var/log/messages"}
{"timestamp":"2024-02-12T12:19:43.693+0000","rule":{"level":7,"description":"New Yum package installed.","id":"2932","firedtimes":9,"mail":false,"groups":["syslog","yum","config_changed"],"pci_dss":["10.6.1","10.2.7"],"gpg13":["4.10"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14"],"tsc":["CC7.2","CC7.3","CC6.8","CC8.1"]},"agent":{"id":"005","name":"agent1","ip":"172.31.12.149"},"manager":{"name":"ip-172-31-8-216"},"id":"1707740383.3518865","cluster":{"name":"wazuh","node":"master"},"full_log":"Feb 12 12:19:42 ip-172-31-12-149 yum[13479]: Installed: 2:nmap-6.40-19.el7.x86_64","predecoder":{"program_name":"yum","timestamp":"Feb 12 12:19:42","hostname":"ip-172-31-12-149"},"decoder":{},"location":"/var/log/messages"}
root@ip-172-31-8-216:/home/qa# grep -i "CVE-2018-15173" /var/ossec/logs/alerts/alerts.json
root@ip-172-31-8-216:/home/qa#
```
Summary
Wazuh has logged the installation of the Nmap package and its associated nmap-ncat package on the agent with ID 005 named agent1. These logs are categorized under the rule with ID 2932, which is associated with the event of a new Yum package being installed. This rule triggers an alert with a level of 7, indicating a noteworthy event related to system configuration changes. However, when we searched for the specific CVE (the only existing [vulnerability in the installed nmap version 6.40](https://www.cvedetails.com/vulnerability-list/vendor_id-12932/product_id-26385/version_id-1271559/Nmap-Nmap-6.40.html)), no results were found in the alerts.json file.

MySQL

Installation of a vulnerable package
```console
[root@ip-172-31-3-73 qa]# tar -xvf MySQL-5.5.23-1.el6.x86_64.tar
MySQL-client-5.5.23-1.el6.x86_64.rpm
MySQL-devel-5.5.23-1.el6.x86_64.rpm
MySQL-embedded-5.5.23-1.el6.x86_64.rpm
MySQL-server-5.5.23-1.el6.x86_64.rpm
MySQL-shared-5.5.23-1.el6.x86_64.rpm
MySQL-test-5.5.23-1.el6.x86_64.rpm
[root@ip-172-31-3-73 qa]# ls
MySQL-5.5.23-1.el6.x86_64.tar           MySQL-server-5.5.23-1.el6.x86_64.rpm
MySQL-client-5.5.23-1.el6.x86_64.rpm    MySQL-shared-5.5.23-1.el6.x86_64.rpm
MySQL-devel-5.5.23-1.el6.x86_64.rpm     MySQL-test-5.5.23-1.el6.x86_64.rpm
MySQL-embedded-5.5.23-1.el6.x86_64.rpm
[root@ip-172-31-3-73 qa]# rpm -i MySQL-server-5.5.23-1.el6.x86_64.rpm
PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h ip-172-31-3-73.ec2.internal password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test databases and anonymous user created by default. This is strongly recommended for production servers.

See the manual for more instructions.

Please report any problems with the /usr/bin/mysqlbug script!

[root@ip-172-31-3-73 qa]# rpm -i MySQL-client-5.5.23-1.el6.x86_64.rpm
[root@ip-172-31-3-73 qa]# mysql --version
mysql Ver 14.14 Distrib 5.5.23, for Linux (x86_64) using readline 5.1
```
Vulnerability scanning
```console
root@ip-172-31-3-172:/home/qa# grep '"name":"agent1"' /var/ossec/logs/alerts/alerts.json | grep -i "MySQL"
{"timestamp":"2024-02-14T13:12:52.198+0000","rule":{"level":8,"description":"New user added to the system.","id":"5902","mitre":{"id":["T1136"],"tactic":["Persistence"],"technique":["Create Account"]},"firedtimes":1,"mail":false,"groups":["syslog","adduser"],"pci_dss":["10.2.7","10.2.5","8.1.2"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b","164.312.a.2.I","164.312.a.2.II"],"nist_800_53":["AU.14","AC.7","AC.2","IA.4"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"016","name":"agent1","ip":"172.31.3.73"},"manager":{"name":"ip-172-31-3-172"},"id":"1707916372.229214300","cluster":{"name":"wazuh","node":"master"},"full_log":"Feb 14 13:12:52 ip-172-31-3-73 useradd[15618]: new user: name=mysql, UID=996, GID=993, home=/var/lib/mysql, shell=/bin/bash","predecoder":{"program_name":"useradd","timestamp":"Feb 14 13:12:52","hostname":"ip-172-31-3-73"},"decoder":{"parent":"useradd","name":"useradd"},"data":{"dstuser":"mysql","uid":"996","gid":"993","home":"/var/lib/mysql","shell":"/bin/bash"},"location":"/var/log/secure"}
```
Summary
No vulnerability alert appears with the installation of MySQL 5.5.23 on the CentOS 7 agent; only the alert for the added user appears. We have waited the stipulated time for the alerts to appear and no vulnerability appears.
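
Added example, not part of the original comments or of the wazuh-qa code: `grep -i "mercurial"` above matched the git and perl-Git alerts only because their `rationale` text mentions Mercurial, so this sketch filters alerts.json on the structured fields instead (`rule.groups`, `agent.id`, `data.vulnerability.package.name`). The sample alerts are constructed and trimmed to those fields, and the helper names are hypothetical; filtering uses `agent.id` because a "Solved" alert later in this thread carries an empty `agent.name`.

```python
import json

VD_GROUP = "vulnerability-detector"


def _alert(rule_id, groups, agent, vuln=None, full_log=None):
    """Build one constructed alerts.json line holding only the fields used here."""
    alert = {"rule": {"id": rule_id, "groups": groups}, "agent": agent}
    if vuln is not None:
        alert["data"] = {"vulnerability": vuln}
    if full_log is not None:
        alert["full_log"] = full_log
    return json.dumps(alert)


# Constructed sample modelled on the alerts quoted in this thread (not a real capture).
SAMPLE_ALERTS = "\n".join([
    _alert("23505", [VD_GROUP], {"id": "005", "name": "agent1"},
           vuln={"cve": "CVE-2014-9390", "status": "Active",
                 "package": {"name": "git", "version": "1.8.3.1-25.el7_9"},
                 "rationale": "Git before 1.8.5.6 ...; Mercurial before 3.2.3 on Windows and OS X ..."}),
    _alert("2932", ["syslog", "yum", "config_changed"], {"id": "005", "name": "agent1"},
           full_log="yum[13555]: Installed: mercurial-2.6.2-11.el7.x86_64"),
    _alert("23504", [VD_GROUP], {"id": "015", "name": "agent2"},
           vuln={"cve": "CVE-2021-4044", "status": "Active",
                 "package": {"name": "Node.js", "version": "17.0.1"}}),
    # The Solved alert in the thread has an empty agent name, so match on agent id.
    _alert("23502", [VD_GROUP], {"id": "015", "name": ""},
           vuln={"cve": "CVE-2021-4044", "status": "Solved",
                 "package": {"name": "Node.js", "version": "17.0.1"}}),
    _alert("23504", [VD_GROUP], {"id": "015", "name": "agent2"},
           vuln={"cve": "CVE-2021-4044", "status": "Active",
                 "package": {"name": "Node.js", "version": "17.1.0"}}),
    '{"timestamp":"2024-02-14T10:11:18.390+0000","rule":{"level":10',  # partially written line
])


def naive_grep(text, term):
    """Count lines containing term anywhere, like `grep -i term alerts.json`."""
    term = term.lower()
    return sum(term in line.lower() for line in text.splitlines())


def iter_vulnerability_alerts(text):
    """Yield (alert, vulnerability) for well-formed vulnerability-detector alerts."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # alerts.json may end with a line that is still being written
        if not isinstance(alert, dict):
            continue
        if VD_GROUP not in alert.get("rule", {}).get("groups", []):
            continue
        vuln = alert.get("data", {}).get("vulnerability")
        if isinstance(vuln, dict):
            yield alert, vuln


def package_findings(text, agent_id, package_name):
    """Return (cve, version, status) tuples, in log order, for one agent and package."""
    wanted = package_name.lower()
    findings = []
    for alert, vuln in iter_vulnerability_alerts(text):
        if alert.get("agent", {}).get("id") != agent_id:
            continue
        package = vuln.get("package", {})
        if package.get("name", "").lower() != wanted:
            continue
        findings.append((vuln.get("cve"), package.get("version"), vuln.get("status")))
    return findings


def active_cves(findings):
    """Replay Active/Solved alerts and return the (cve, version) pairs still active."""
    active = set()
    for cve, version, status in findings:
        if status == "Active":
            active.add((cve, version))
        elif status == "Solved":
            active.discard((cve, version))
    return sorted(active)


if __name__ == "__main__":
    print("grep-style hits for 'mercurial':", naive_grep(SAMPLE_ALERTS, "mercurial"))
    print("structured hits for 'mercurial':", package_findings(SAMPLE_ALERTS, "005", "mercurial"))
    print("Node.js still active:", active_cves(package_findings(SAMPLE_ALERTS, "015", "Node.js")))
```
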
Rebits commented 8 months ago

Meeting with @santipadilla

Regarding the issue https://github.com/wazuh/wazuh-qa/issues/4898, we've discovered that the node package is well-suited for conducting E2E tests on Windows 11 endpoints. Our next step is to ensure that this compatibility extends across all proposed test cases, akin to the evaluation conducted in https://github.com/wazuh/wazuh-qa/issues/4529. @santipadilla will oversee this verification process.

Additionally, we've assessed the compatibility of the MySQL package on CentOS.

It's imperative that we conduct thorough research to determine if the proposed packages are suitable for End-to-End vulnerability assessment tests.

santipadilla commented 8 months ago

Windows 11 Agent

The different versions of node have been installed from its official repository https://nodejs.org/dist/.

Node

E2E-VD-3: Installation of a vulnerable package

Installed package version
```console
C:\Users\qa>node -v
v17.0.1
```
Vulnerability scanning
```console
root@ip-172-31-2-204:/home/qa# grep '"name":"agent2"' /var/ossec/logs/alerts/alerts.json | grep -i "Node.js"
{"timestamp":"2024-02-13T12:51:31.293+0000","rule":{"level":5,"description":"Windows: Application Installed.","id":"18147","firedtimes":1,"mail":false,"groups":["windows"],"pci_dss":["10.6.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.7.148"},"manager":{"name":"ip-172-31-2-204"},"id":"1707828691.6313197","cluster":{"name":"wazuh","node":"manager2"},"full_log":"2024 Feb 13 04:51:29 WinEvtLog: Application: INFORMATION(11707): MsiInstaller: qa: DESKTOP-AQ2R8SM: DESKTOP-AQ2R8SM: Product: Node.js -- Installation completed successfully. (NULL) (NULL) (NULL) (NULL) (NULL) ? ","predecoder":{"program_name":"WinEvtLog","timestamp":"2024 Feb 13 04:51:29"},"decoder":{"parent":"windows","name":"windows"},"data":{"dstuser":"qa","id":"11707","status":"INFORMATION","extra_data":"MsiInstaller","system_name":"DESKTOP-AQ2R8SM","type":"Application"},"location":"WinEvtLog"}
{"timestamp":"2024-02-13T12:52:42.250+0000","rule":{"level":7,"description":"CVE-2021-4044 affects Node.js","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.7.148"},"manager":{"name":"ip-172-31-2-204"},"id":"1707828762.6320973","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"openssl","cve":"CVE-2021-4044","cvss":{"cvss2":{"base_score":"5","vector":{"access_complexity":"LOW","authentication":"NONE","availability":"PARTIAL","confidentiality_impact":"NONE","integrity_impact":"NONE"}}},"cwe_reference":"CWE-835","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 17.3.0","name":"Node.js","source":" ","version":"17.0.1"},"published":"2021-12-14T19:15:07Z","rationale":"Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0).","reference":"https://security.netapp.com/advisory/ntap-20211229-0003/, https://www.openssl.org/news/secadv/20211214.txt, https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=758754966791c537ea95241438454aa86f91f256","severity":"Medium","status":"Active","title":"CVE-2021-4044 affects Node.js","type":"Packages","updated":"2023-11-09T14:44:33Z"}},"location":"vulnerability-detector"}
```

E2E-VD-4: Updating a vulnerable package that remains vulnerable to the same CVE

Installed package version
```console
C:\Users\qa>node -v
v17.1.0
```
Vulnerability scanning
```console
{"timestamp":"2024-02-14T10:02:38.533+0000","rule":{"level":5,"description":"Windows: Application Installed.","id":"18147","firedtimes":1,"mail":false,"groups":["windows"],"pci_dss":["10.6.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707904958.4346296","cluster":{"name":"wazuh","node":"manager2"},"full_log":"2024 Feb 14 02:02:36 WinEvtLog: Application: INFORMATION(11707): MsiInstaller: qa: DESKTOP-AQ2R8SM: DESKTOP-AQ2R8SM: Product: Node.js -- Installation completed successfully. (NULL) (NULL) (NULL) (NULL) (NULL) ? ","predecoder":{"program_name":"WinEvtLog","timestamp":"2024 Feb 14 02:02:36"},"decoder":{"parent":"windows","name":"windows"},"data":{"dstuser":"qa","id":"11707","status":"INFORMATION","extra_data":"MsiInstaller","system_name":"DESKTOP-AQ2R8SM","type":"Application"},"location":"WinEvtLog"}
{"timestamp":"2024-02-14T10:05:34.671+0000","rule":{"level":3,"description":"The CVE-2021-4044 that affected Node.js was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707905134.4347343","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2021-4044","cvss":{"cvss2":{"base_score":"5"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"17.0.1"},"published":"2021-12-14T19:15:07Z","reference":"https://security.netapp.com/advisory/ntap-20211229-0003/, https://www.openssl.org/news/secadv/20211214.txt, https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=758754966791c537ea95241438454aa86f91f256","severity":"Medium","status":"Solved","title":"CVE-2021-4044 affecting Node.js was solved","type":"Packages","updated":"2023-11-09T14:44:33Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-02-14T10:05:39.103+0000","rule":{"level":7,"description":"CVE-2021-4044 affects Node.js","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707905139.4348920","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"openssl","cve":"CVE-2021-4044","cvss":{"cvss2":{"base_score":"5","vector":{"access_complexity":"LOW","authentication":"NONE","availability":"PARTIAL","confidentiality_impact":"NONE","integrity_impact":"NONE"}}},"cwe_reference":"CWE-835","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 17.3.0","name":"Node.js","source":" ","version":"17.1.0"},"published":"2021-12-14T19:15:07Z","rationale":"Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0).","reference":"https://security.netapp.com/advisory/ntap-20211229-0003/, https://www.openssl.org/news/secadv/20211214.txt, https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=758754966791c537ea95241438454aa86f91f256","severity":"Medium","status":"Active","title":"CVE-2021-4044 affects Node.js","type":"Packages","updated":"2023-11-09T14:44:33Z"}},"location":"vulnerability-detector"}
```

E2E-VD-5: Updating a vulnerable package that becomes vulnerable to another CVE

Installed package version
```console
C:\Users\qa>node -v
v18.0.0
```
Vulnerability scanning
```console
{"timestamp":"2024-02-14T10:10:55.238+0000","rule":{"level":5,"description":"Windows: Application Installed.","id":"18147","firedtimes":2,"mail":false,"groups":["windows"],"pci_dss":["10.6.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707905455.6470619","cluster":{"name":"wazuh","node":"manager2"},"full_log":"2024 Feb 14 02:10:54 WinEvtLog: Application: INFORMATION(11707): MsiInstaller: qa: DESKTOP-AQ2R8SM: DESKTOP-AQ2R8SM: Product: Node.js -- Installation completed successfully. (NULL) (NULL) (NULL) (NULL) (NULL) ? ","predecoder":{"program_name":"WinEvtLog","timestamp":"2024 Feb 14 02:10:54"},"decoder":{"parent":"windows","name":"windows"},"data":{"dstuser":"qa","id":"11707","status":"INFORMATION","extra_data":"MsiInstaller","system_name":"DESKTOP-AQ2R8SM","type":"Application"},"location":"WinEvtLog"}
{"timestamp":"2024-02-14T10:11:18.390+0000","rule":{"level":10,"description":"CVE-2023-38552 affects Node.js","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707905478.6471018","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2023-38552","cvss":{"cvss3":{"base_score":"7.500000","vector":{"availability":"NONE","confidentiality_impact":"NONE","integrity_impact":"HIGH","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"cwe_reference":"CWE-345","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than or equal to 18.18.1","name":"Node.js","source":" ","version":"18.0.0"},"published":"2023-10-18T04:15:11Z","rationale":"When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return
a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.","reference":"https://hackerone.com/reports/2094235, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/, https://security.netapp.com/advisory/ntap-20231116-0013/","severity":"High","status":"Active","title":"CVE-2023-38552 affects Node.js","type":"Packages","updated":"2023-11-16T16:15:30Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T10:11:18.400+0000","rule":{"level":10,"description":"CVE-2023-32006 affects 
Node.js","id":"23505","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707905478.6475667","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2023-32006","cvss":{"cvss3":{"base_score":"8.800000","vector":{"availability":"HIGH","confidentiality_impact":"HIGH","integrity_impact":"HIGH","privileges_required":"LOW","scope":"UNCHANGED","user_interaction":"NONE"}}},"enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than or equal to 18.17.0","name":"Node.js","source":" ","version":"18.0.0"},"published":"2023-08-15T16:15:11Z","rationale":"The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. 
Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.","reference":"https://hackerone.com/reports/2043807, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX/, https://security.netapp.com/advisory/ntap-20230915-0009/","severity":"High","status":"Active","title":"CVE-2023-32006 affects Node.js","type":"Packages","updated":"2023-09-15T14:15:10Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T10:11:18.411+0000","rule":{"level":10,"description":"CVE-2023-30590 affects Node.js","id":"23505","firedtimes":3,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707905478.6479020","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2023-30590","cvss":{"cvss3":{"base_score":"7.500000","vector":{"availability":"NONE","confidentiality_impact":"NONE","integrity_impact":"HIGH","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 18.16.1","name":"Node.js","source":" ","version":"18.0.0"},"published":"2023-11-28T20:15:07Z","rationale":"The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: \"Generates private and public Diffie-Hellman key values\". 
The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.","reference":"https://nodejs.org/en/blog/vulnerability/june-2023-security-releases","severity":"High","status":"Active","title":"CVE-2023-30590 affects Node.js","type":"Packages","updated":"2023-12-04T17:39:07Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T10:11:18.421+0000","rule":{"level":10,"description":"CVE-2023-30589 affects Node.js","id":"23505","firedtimes":4,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707905478.6482341","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2023-30589","cvss":{"cvss3":{"base_score":"7.500000","vector":{"availability":"NONE","confidentiality_impact":"NONE","integrity_impact":"HIGH","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 18.16.1","name":"Node.js","source":" ","version":"18.0.0"},"published":"2023-07-01T00:15:10Z","rationale":"The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).\r \r The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. 
This impacts all Node.js active versions: v16, v18, and, v20\r","reference":"https://hackerone.com/reports/2001873, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE/, https://security.netapp.com/advisory/ntap-20230803-0009/","severity":"High","status":"Active","title":"CVE-2023-30589 affects Node.js","type":"Packages","updated":"2023-12-12T14:33:56Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T10:11:18.431+0000","rule":{"level":10,"description":"CVE-2023-30585 affects Node.js","id":"23505","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707905478.6486769","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2023-30585","cvss":{"cvss3":{"base_score":"7.500000","vector":{"availability":"NONE","confidentiality_impact":"NONE","integrity_impact":"HIGH","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 18.16.1","name":"Node.js","source":" 
","version":"18.0.0"},"published":"2023-11-28T02:15:42Z","rationale":"A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the \"msiexec.exe\" process, running under the NT AUTHORITY\\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the \"msiexec.exe\" process attempts to create the specified path in an unsafe manner, potentially leading to the creation of arbitrary folders in arbitrary locations. The severity of this vulnerability is heightened by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by standard (or \"non-privileged\") users. Consequently, unprivileged actors, including malicious entities or trojans, can manipulate the environment variable key to deceive the privileged \"msiexec.exe\" process. This manipulation can result in the creation of folders in unintended and potentially malicious locations. It is important to note that this vulnerability is specific to Windows users who install Node.js using the .msi installer. 
Users who opt for other installation methods are not affected by this particular issue.","reference":"https://nodejs.org/en/blog/vulnerability/june-2023-security-releases","severity":"High","status":"Active","title":"CVE-2023-30585 affects Node.js","type":"Packages","updated":"2023-12-02T04:39:59Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T10:11:18.442+0000","rule":{"level":10,"description":"CVE-2022-3602 affects Node.js","id":"23505","firedtimes":6,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707905478.6491465","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"openssl","cve":"CVE-2022-3602","cvss":{"cvss3":{"base_score":"7.500000","vector":{"availability":"HIGH","confidentiality_impact":"NONE","integrity_impact":"NONE","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"cwe_reference":"CWE-787","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 18.11.0","name":"Node.js","source":" ","version":"18.0.0"},"published":"2022-11-01T18:15:10Z","rationale":"A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. 
The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).","reference":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fe3b639dc19b325846f4f6801f2f4604f56e3de3, https://security.gentoo.org/glsa/202211-01, http://www.openwall.com/lists/oss-security/2022/11/01/15, http://www.openwall.com/lists/oss-security/2022/11/01/16, http://www.openwall.com/lists/oss-security/2022/11/01/17, http://www.openwall.com/lists/oss-security/2022/11/01/18, http://www.openwall.com/lists/oss-security/2022/11/01/19, http://www.openwall.com/lists/oss-security/2022/11/01/20, http://www.openwall.com/lists/oss-security/2022/11/01/21, http://www.openwall.com/lists/oss-security/2022/11/01/24, http://www.openwall.com/lists/oss-security/2022/11/02/1, http://www.openwall.com/lists/oss-security/2022/11/02/10, http://www.openwall.com/lists/oss-security/2022/11/02/11, http://www.openwall.com/lists/oss-security/2022/11/02/12, http://www.openwall.com/lists/oss-security/2022/11/02/13, http://www.openwall.com/lists/oss-security/2022/11/02/14, http://www.openwall.com/lists/oss-security/2022/11/02/15, http://www.openwall.com/lists/oss-security/2022/11/02/2, http://www.openwall.com/lists/oss-security/2022/11/02/3, http://www.openwall.com/lists/oss-security/2022/11/02/5, http://www.openwall.com/lists/oss-security/2022/11/02/6, http://www.openwall.com/lists/oss-security/2022/11/02/7, http://www.openwall.com/lists/oss-security/2022/11/02/9, 
http://www.openwall.com/lists/oss-security/2022/11/03/1, http://www.openwall.com/lists/oss-security/2022/11/03/10, http://www.openwall.com/lists/oss-security/2022/11/03/11, http://www.openwall.com/lists/oss-security/2022/11/03/2, http://www.openwall.com/lists/oss-security/2022/11/03/3, http://www.openwall.com/lists/oss-security/2022/11/03/5, http://www.openwall.com/lists/oss-security/2022/11/03/6, http://www.openwall.com/lists/oss-security/2022/11/03/7, http://www.openwall.com/lists/oss-security/2022/11/03/9, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63YRPWPUSX3MBHNPIEJZDKQT6YA7UF6S/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DWP23EZYOBDJQP7HP4YU7W2ABU2YDITS/, https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0023, https://security.netapp.com/advisory/ntap-20221102-0001/, https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a, http://packetstormsecurity.com/files/169687/OpenSSL-Security-Advisory-20221101.html, https://www.kb.cert.org/vuls/id/794340, https://www.openssl.org/news/secadv/20221101.txt","severity":"High","status":"Active","title":"CVE-2022-3602 affects Node.js","type":"Packages","updated":"2023-08-08T14:21:49Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T10:11:18.452+0000","rule":{"level":13,"description":"CVE-2023-32002 affects 
Node.js","id":"23506","firedtimes":1,"mail":true,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707905478.6501039","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2023-32002","cvss":{"cvss3":{"base_score":"9.800000","vector":{"availability":"HIGH","confidentiality_impact":"HIGH","integrity_impact":"HIGH","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than or equal to 18.17.0","name":"Node.js","source":" ","version":"18.0.0"},"published":"2023-08-21T17:15:47Z","rationale":"The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. 
Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.","reference":"https://hackerone.com/reports/1960870, https://security.netapp.com/advisory/ntap-20230915-0009/","severity":"Critical","status":"Active","title":"CVE-2023-32002 affects Node.js","type":"Packages","updated":"2023-09-15T14:15:09Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T10:11:18.462+0000","rule":{"level":7,"description":"CVE-2022-32222 affects Node.js","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707905478.6503846","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2022-32222","cvss":{"cvss3":{"base_score":"5.300000","vector":{"availability":"NONE","confidentiality_impact":"NONE","integrity_impact":"LOW","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"cwe_reference":"CWE-310","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 18.5.0","name":"Node.js","source":" ","version":"18.0.0"},"published":"2022-07-14T15:15:08Z","rationale":"A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.","reference":"https://hackerone.com/reports/1695596","severity":"Medium","status":"Active","title":"CVE-2022-32222 affects Node.js","type":"Packages","updated":"2023-07-24T13:16:33Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T10:11:18.472+0000","rule":{"level":10,"description":"CVE-2022-43548 affects 
Node.js","id":"23505","firedtimes":7,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707905478.6506390","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2022-43548","cvss":{"cvss3":{"base_score":"8.100000","vector":{"availability":"HIGH","confidentiality_impact":"HIGH","integrity_impact":"HIGH","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"cwe_reference":"CWE-78","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than or equal to 18.11.0","name":"Node.js","source":" ","version":"18.0.0"},"published":"2022-12-05T22:15:10Z","rationale":"A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.","reference":"https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html, https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/, https://security.netapp.com/advisory/ntap-20230120-0004/, https://www.debian.org/security/2023/dsa-5326, https://security.netapp.com/advisory/ntap-20230427-0007/","severity":"High","status":"Active","title":"CVE-2022-43548 affects Node.js","type":"Packages","updated":"2023-04-27T15:15:09Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T10:11:18.483+0000","rule":{"level":7,"description":"CVE-2023-23920 affects 
Node.js","id":"23504","firedtimes":3,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707905478.6509793","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2023-23920","cvss":{"cvss3":{"base_score":"4.200000","vector":{"availability":"NONE","confidentiality_impact":"NONE","integrity_impact":"HIGH","privileges_required":"HIGH","scope":"UNCHANGED","user_interaction":"REQUIRED"}}},"cwe_reference":"CWE-426","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than or equal to 18.11.0","name":"Node.js","source":" ","version":"18.0.0"},"published":"2023-02-23T20:15:14Z","rationale":"An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.","reference":"https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html, https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/, https://security.netapp.com/advisory/ntap-20230316-0008/, https://www.debian.org/security/2023/dsa-5395","severity":"Medium","status":"Active","title":"CVE-2023-23920 affects Node.js","type":"Packages","updated":"2023-05-03T04:15:09Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T10:11:18.494+0000","rule":{"level":10,"description":"CVE-2022-32212 affects 
Node.js","id":"23505","firedtimes":8,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707905478.6512623","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2022-32212","cvss":{"cvss3":{"base_score":"8.100000","vector":{"availability":"HIGH","confidentiality_impact":"HIGH","integrity_impact":"HIGH","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"cwe_reference":"CWE-284","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 18.5.0","name":"Node.js","source":" ","version":"18.0.0"},"published":"2022-07-14T15:15:08Z","rationale":"A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.","reference":"https://hackerone.com/reports/1632921","severity":"High","status":"Active","title":"CVE-2022-32212 affects Node.js","type":"Packages","updated":"2023-02-23T20:15:12Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T10:11:18.504+0000","rule":{"level":10,"description":"CVE-2023-23919 affects 
Node.js","id":"23505","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707905478.6515162","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2023-23919","cvss":{"cvss3":{"base_score":"7.500000","vector":{"availability":"HIGH","confidentiality_impact":"NONE","integrity_impact":"NONE","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"cwe_reference":"CWE-310","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than or equal to 18.11.0","name":"Node.js","source":" ","version":"18.0.0"},"published":"2023-02-23T20:15:13Z","rationale":"A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. 
This in turn could be used to cause a denial of service.","reference":"https://hackerone.com/reports/1808596, https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/, https://security.netapp.com/advisory/ntap-20230316-0008/","severity":"High","status":"Active","title":"CVE-2023-23919 affects Node.js","type":"Packages","updated":"2023-03-16T16:15:11Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T10:11:18.514+0000","rule":{"level":7,"description":"CVE-2022-32214 affects Node.js","id":"23504","firedtimes":4,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707905478.6518131","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2022-32214","cvss":{"cvss3":{"base_score":"6.500000","vector":{"availability":"NONE","confidentiality_impact":"LOW","integrity_impact":"LOW","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"cwe_reference":"CWE-444","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 18.5.0","name":"Node.js","source":" ","version":"18.0.0"},"published":"2022-07-14T15:15:08Z","rationale":"The llhttp parser

E2E-VD-6: Updating a vulnerable package that becomes vulnerable to another CVE and retains the previous one

Installed package version
```console
C:\Users\qa>node -v
v18.1.0
```
Vulnerability scanning
```console {"timestamp":"2024-02-14T10:29:38.447+0000","rule":{"level":5,"description":"Windows: Application Installed.","id":"18147","firedtimes":3,"mail":false,"groups":["windows"],"pci_dss":["10.6.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707906578.6578139","cluster":{"name":"wazuh","node":"manager2"},"full_log":"2024 Feb 14 02:29:36 WinEvtLog: Application: INFORMATION(11707): MsiInstaller: qa: DESKTOP-AQ2R8SM: DESKTOP-AQ2R8SM: Product: Node.js -- Installation completed successfully. (NULL) (NULL) (NULL) (NULL) (NULL) ? ","predecoder":{"program_name":"WinEvtLog","timestamp":"2024 Feb 14 02:29:36"},"decoder":{"parent":"windows","name":"windows"},"data":{"dstuser":"qa","id":"11707","status":"INFORMATION","extra_data":"MsiInstaller","system_name":"DESKTOP-AQ2R8SM","type":"Application"},"location":"WinEvtLog"} {"timestamp":"2024-02-14T10:29:52.293+0000","rule":{"level":10,"description":"CVE-2023-38552 affects Node.js","id":"23505","firedtimes":14,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707906592.6578538","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2023-38552","cvss":{ "cvss3":{"base_score":"7.500000","vector":{"availability":"NONE","confidentiality_impact" :"NONE","integrity_impact":"HIGH","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"cwe_reference":"CWE-345","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than or equal to 18.18.1","name":"Node.js","source":" ","version":"18.1.0"},"published":"2023-10-18T04:15:11Z","rationale":"When the Node .js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and 
return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.","reference":"https://hackerone.com/reports/2094235, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/, https://security.netapp.com/advisory/ntap-20231116-0013/","severity":"High","status":"Active","title":"CVE-2023-38552 affects Node.js","type":"Packages","updated":"2023-11-16T16:15:30Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-02-14T10:29:52.304+0000","rule":{"level":10,"description":"CVE-2023-32006 affects Node.js","id":"23505","firedtimes":15,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707906592.6583187","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2023-32006","cvss":{"cvss3":{"base_score":"8.800000","vector":{"availability":"HIGH","confidentiality_impact":"HIGH","integrity_impact":"HIGH","privileges_required":"LOW","scope":"UNCHANGED","user_interaction":"NONE"}}},"enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than or equal to 18.17.0","name":"Node.js","source":" ","version":"18.1.0"},"published":"2023-08-15T16:15:11Z","rationale":"The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.","reference":"https://hackerone.com/reports/2043807, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX/, https://security.netapp.com/advisory/ntap-20230915-0009/","severity":"High","status":"Active","title":"CVE-2023-32006 affects Node.js","type":"Packages","updated":"2023-09-15T14:15:10Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-02-14T10:29:52.314+0000","rule":{"level":10,"description":"CVE-2023-30590 affects Node.js","id":"23505","firedtimes":16,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707906592.6586540","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2023-30590","cvss":{"cvss3":{"base_score":"7.500000","vector":{"availability":"NONE","confidentiality_impact":"NONE","integrity_impact":"HIGH","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 18.16.1","name":"Node.js","source":" ","version":"18.1.0"},"published":"2023-11-28T20:15:07Z","rationale":"The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: \"Generates private and public Diffie-Hellman key values\". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.","reference":"https://nodejs.org/en/blog/vulnerability/june-2023-security-releases","severity":"High","status":"Active","title":"CVE-2023-30590 affects Node.js","type":"Packages","updated":"2023-12-04T17:39:07Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-02-14T10:29:52.325+0000","rule":{"level":10,"description":"CVE-2023-30589 affects Node.js","id":"23505","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707906592.6589861","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2023-30589","cvss":{"cvss3":{"base_score":"7.500000","vector":{"availability":"NONE","confidentiality_impact":"NONE","integrity_impact":"HIGH","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 18.16.1","name":"Node.js","source":" ","version":"18.1.0"},"published":"2023-07-01T00:15:10Z","rationale":"The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).\r \r The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20\r","reference":"https://hackerone.com/reports/2001873, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE/, https://security.netapp.com/advisory/ntap-20230803-0009/","severity":"High","status":"Active","title":"CVE-2023-30589 affects Node.js","type":"Packages","updated":"2023-12-12T14:33:56Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-02-14T10:29:52.335+0000","rule":{"level":10,"description":"CVE-2023-30585 affects Node.js","id":"23505","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707906592.6594289","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2023-30585","cvss":{"cvss3":{"base_score":"7.500000","vector":{"availability":"NONE","confidentiality_impact":"NONE","integrity_impact":"HIGH","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 18.16.1","name":"Node.js","source":" ","version":"18.1.0"},"published":"2023-11-28T02:15:42Z","rationale":"A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the \"msiexec.exe\" process, running under the NT AUTHORITY\\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the \"msiexec.exe\" process attempts to create the specified path in an unsafe manner, potentially leading to the creation of arbitrary folders in arbitrary locations. The severity of this vulnerability is heightened by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by standard (or \"non-privileged\") users. Consequently, unprivileged actors, including malicious entities or trojans, can manipulate the environment variable key to deceive the privileged \"msiexec.exe\" process. This manipulation can result in the creation of folders in unintended and potentially malicious locations. It is important to note that this vulnerability is specific to Windows users who install Node.js using the .msi installer.
Users who opt for other installation methods are not affected by this particular issue.","reference":"https://nodejs.org/en/blog/vulnerability/june-2023-security-releases","severity":"High","status":"Active","title":"CVE-2023-30585 affects Node.js","type":"Packages","updated":"2023-12-02T04:39:59Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-02-14T10:29:52.345+0000","rule":{"level":10,"description":"CVE-2022-3602 affects Node.js","id":"23505","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707906592.6598985","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"openssl","cve":"CVE-2022-3602","cvss":{"cvss3":{"base_score":"7.500000","vector":{"availability":"HIGH","confidentiality_impact":"NONE","integrity_impact":"NONE","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"cwe_reference":"CWE-787","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 18.11.0","name":"Node.js","source":" ","version":"18.1.0"},"published":"2022-11-01T18:15:10Z","rationale":"A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.
Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).","reference":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fe3b639dc19b325846f4f6801f2f4604f56e3de3, https://security.gentoo.org/glsa/202211-01, http://www.openwall.com/lists/oss-security/2022/11/01/15, http://www.openwall.com/lists/oss-security/2022/11/01/16, http://www.openwall.com/lists/oss-security/2022/11/01/17, http://www.openwall.com/lists/oss-security/2022/11/01/18, http://www.openwall.com/lists/oss-security/2022/11/01/19, http://www.openwall.com/lists/oss-security/2022/11/01/20, http://www.openwall.com/lists/oss-security/2022/11/01/21, http://www.openwall.com/lists/oss-security/2022/11/01/24, http://www.openwall.com/lists/oss-security/2022/11/02/1, http://www.openwall.com/lists/oss-security/2022/11/02/10, http://www.openwall.com/lists/oss-security/2022/11/02/11, http://www.openwall.com/lists/oss-security/2022/11/02/12, http://www.openwall.com/lists/oss-security/2022/11/02/13, http://www.openwall.com/lists/oss-security/2022/11/02/14, http://www.openwall.com/lists/oss-security/2022/11/02/15, http://www.openwall.com/lists/oss-security/2022/11/02/2, http://www.openwall.com/lists/oss-security/2022/11/02/3, http://www.openwall.com/lists/oss-security/2022/11/02/5, http://www.openwall.com/lists/oss-security/2022/11/02/6, http://www.openwall.com/lists/oss-security/2022/11/02/7, http://www.openwall.com/lists/oss-security/2022/11/02/9, http://www.openwall.com/lists/oss-security/2022/11/03/1, http://www.openwall.com/lists/oss-security/2022/11/03/10, http://www.openwall.com/lists/oss-security/2022/11/03/11, http://www.openwall.com/lists/oss-security/2022/11/03/2, http://www.openwall.com/lists/oss-security/2022/11/03/3, http://www.openwall.com/lists/oss-security/2022/11/03/5, http://www.openwall.com/lists/oss-security/2022/11/03/6, http://www.openwall.com/lists/oss-security/2022/11/03/7, http://www.openwall.com/lists/oss-security/2022/11/03/9, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63YRPWPUSX3MBHNPIEJZDKQT6YA7UF6S/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DWP23EZYOBDJQP7HP4YU7W2ABU2YDITS/, https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0023, https://security.netapp.com/advisory/ntap-20221102-0001/, https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a, http://packetstormsecurity.com/files/169687/OpenSSL-Security-Advisory-20221101.html, https://www.kb.cert.org/vuls/id/794340, https://www.openssl.org/news/secadv/20221101.txt","severity":"High","status":"Active","title":"CVE-2022-3602 affects Node.js","type":"Packages","updated":"2023-08-08T14:21:49Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-02-14T10:29:52.356+0000","rule":{"level":13,"description":"CVE-2023-32002 affects Node.js","id":"23506","firedtimes":2,"mail":true,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707906592.6608559","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2023-32002","cvss":{"cvss3":{"base_score":"9.800000","vector":{"availability":"HIGH","confidentiality_impact":"HIGH","integrity_impact":"HIGH","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than or equal to 18.17.0","name":"Node.js","source":" ","version":"18.1.0"},"published":"2023-08-21T17:15:47Z","rationale":"The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.","reference":"https://hackerone.com/reports/1960870, https://security.netapp.com/advisory/ntap-20230915-0009/","severity":"Critical","status":"Active","title":"CVE-2023-32002 affects Node.js","type":"Packages","updated":"2023-09-15T14:15:09Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-02-14T10:29:52.366+0000","rule":{"level":7,"description":"CVE-2022-32222 affects Node.js","id":"23504","firedtimes":7,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707906592.6611366","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2022-32222","cvss":{"cvss3":{"base_score":"5.300000","vector":{"availability":"NONE","confidentiality_impact":"NONE","integrity_impact":"LOW","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"cwe_reference":"CWE-310","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less
than 18.5.0","name":"Node.js","source":" ","version":"18.1.0"},"published":"2022-07-14T15:15:08Z","rationale":"A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.","reference":"https://hackerone.com/reports/1695596","severity":"Medium","status":"Active","title":"CVE-2022-32222 affects Node.js","type":"Packages","updated":"2023-07-24T13:16:33Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-02-14T10:29:52.376+0000","rule":{"level":10,"description":"CVE-2022-43548 affects Node.js","id":"23505","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707906592.6613910","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2022-43548","cvss":{"cvss3":{"base_score":"8.100000","vector":{"availability":"HIGH","confidentiality_impact":"HIGH","integrity_impact":"HIGH","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"cwe_reference":"CWE-78","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than or equal to 18.11.0","name":"Node.js","source":" ","version":"18.1.0"},"published":"2022-12-05T22:15:10Z","rationale":"A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete
and this new CVE is to complete the fix.","reference":"https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html, https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/, https://security.netapp.com/advisory/ntap-20230120-0004/, https://www.debian.org/security/2023/dsa-5326, https://security.netapp.com/advisoryntap-20230427-0007","severity":"High","status":"Active","title":"CVE-2022-43548 affects Node.js","type":"Packages","updated":"2023-04-27T15:15:09Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T10:29:52.386+0000","rule":{"level":7,"description":"CVE-2023-23920 affects Node.js","id":"23504","firedtimes":8,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707906592.6617313","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2023-23920","cvss":{"cvss3":{"base_score":"4.200000","vector":{"availability":"NONE","confidentiality_impact":"NONE","integrity_impact":"HIGH","privileges_required":"HIGH","scope":"UNCHANGED","user_interaction":"REQUIRED"}}},"cwe_reference":"CWE-426","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than or equal to 18.11.0","name":"Node.js","source":" ","version":"18.1.0"},"published":"2023-02-23T20:15:14Z","rationale":"An untrusted search path vulnerability exists in Node.js. 
<19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.","reference":"https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html, https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/, https://security.netapp.com/advisory/ntap-20230316-0008/, https://www.debian.org/security/2023/dsa-5395","severity":"Medium","status":"Active","title":"CVE-2023-23920 affects Node.js","type":"Packages","updated":"2023-05-03T04:15:09Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T10:29:52.397+0000","rule":{"level":10,"description":"CVE-2022-32212 affects Node.js","id":"23505","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707906592.6620143","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2022-32212","cvss":{"cvss3":{"base_score":"8.100000","vector":{"availability":"HIGH","confidentiality_impact":"HIGH","integrity_impact":"HIGH","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"cwe_reference":"CWE-284","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 18.5.0","name":"Node.js","source":" ","version":"18.1.0"},"published":"2022-07-14T15:15:08Z","rationale":"A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.","reference":"https://hackerone.com/reports/1632921","severity":"High","status":"Active","title":"CVE-2022-32212 affects 
Node.js","type":"Packages","updated":"2023-02-23T20:15:12Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T10:29:52.407+0000","rule":{"level":10,"description":"CVE-2023-23919 affects Node.js","id":"23505","firedtimes":22,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707906592.6622682","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2023-23919","cvss":{"cvss3":{"base_score":"7.500000","vector":{"availability":"HIGH","confidentiality_impact":"NONE","integrity_impact":"NONE","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"cwe_reference":"CWE-310","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than or equal to 18.11.0","name":"Node.js","source":" ","version":"18.1.0"},"published":"2023-02-23T20:15:13Z","rationale":"A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. 
This in turn could be used to cause a denial of service.","reference":"https://hackerone.com/reports/1808596, https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/, https://security.netapp.com/advisory/ntap-20230316-0008/","severity":"High","status":"Active","title":"CVE-2023-23919 affects Node.js","type":"Packages","updated":"2023-03-16T16:15:11Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-02-14T10:29:52.418+0000","rule":{"level":7,"description":"CVE-2022-32214 affects Node.js","id":"23504","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707906592.6625651","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"hackerone","cve":"CVE-2022-32214","cvss":{"cvss3":{"base_score":"6.500000","vector":{"availability":"NONE","confidentiality_impact":"LOW","integrity_impact":"LOW","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"cwe_reference":"CWE-444","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 18.5.0","name":"Node.js","source":" ","version":"18.1.0"},"published":"2022-07-14T15:15:08Z","rationale":"The llhttp parser
```

E2E-VD-7: Updating a vulnerable package that ceases to be vulnerable

Installed package version
```console
C:\Users\qa>node -v
v19.5.0
```
Vulnerability scanning
```console
root@ip-172-31-2-204:/home/qa# grep '"name":"agent2"' /var/ossec/logs/alerts/alerts.json | grep -i "Node.js"
{"timestamp":"2024-02-14T11:05:51.559+0000","rule":{"level":5,"description":"Windows: Application Installed.","id":"18147","firedtimes":1,"mail":false,"groups":["windows"],"pci_dss":["10.6.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908751.6720165","cluster":{"name":"wazuh","node":"manager2"},"full_log":"2024 Feb 14 03:05:49 WinEvtLog: Application: INFORMATION(11707): MsiInstaller: qa: DESKTOP-AQ2R8SM: DESKTOP-AQ2R8SM: Product: Node.js -- Installation completed successfully. (NULL) (NULL) (NULL) (NULL) (NULL) ? ","predecoder":{"program_name":"WinEvtLog","timestamp":"2024 Feb 14 03:05:49"},"decoder":{"parent":"windows","name":"windows"},"data":{"dstuser":"qa","id":"11707","status":"INFORMATION","extra_data":"MsiInstaller","system_name":"DESKTOP-AQ2R8SM","type":"Application"},"location":"WinEvtLog"}
{"timestamp":"2024-02-14T11:06:24.142+0000","rule":{"level":3,"description":"The CVE-2023-30581 that affected Node.js was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6720564","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2023-30581","cvss":{"cvss3":{"base_score":"7.500000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2023-11-23T00:15:07Z","reference":"https://nodejs.org/en/blog/vulnerability/june-2023-security-releases","severity":"High","status":"Solved","title":"CVE-2023-30581 affecting Node.js was
solved","type":"Packages","updated":"2023-12-11T20:49:02Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T11:06:24.153+0000","rule":{"level":3,"description":"The CVE-2022-32215 that affected Node.js was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6721868","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2022-32215","cvss":{"cvss3":{"base_score":"6.500000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2022-07-14T15:15:08Z","reference":"https://hackerone.com/reports/1501679, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/, https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf, https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/, https://www.debian.org/security/2023/dsa-5326","severity":"Medium","status":"Solved","title":"CVE-2022-32215 affecting Node.js was solved","type":"Packages","updated":"2023-07-19T00:56:02Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T11:06:24.163+0000","rule":{"level":3,"description":"The CVE-2023-23918 that affected Node.js was solved due to a package removal/update or a system 
upgrade","id":"23502","firedtimes":3,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6724258","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2023-23918","cvss":{"cvss3":{"base_score":"7.500000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2023-02-23T20:15:13Z","reference":"https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/, https://security.netapp.com/advisory/ntap-20230316-0008/","severity":"High","status":"Solved","title":"CVE-2023-23918 affecting Node.js was solved","type":"Packages","updated":"2023-03-16T16:15:11Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T11:06:24.174+0000","rule":{"level":3,"description":"The CVE-2022-3786 that affected Node.js was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":4,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6725688","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2022-3786","cvss":{"cvss3":{"base_score":"7.500000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2022-11-01T18:15:11Z","reference":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c42165b5706e42f67ef8ef4c351a9a4c5d21639a, https://www.openssl.org/news/secadv/20221101.txt","severity":"High","status":"Solved","title":"CVE-2022-3786 affecting Node.js was solved","type":"Packages","updated":"2023-01-19T15:47:45Z"}},"location":"vulnerability-detector"} 
{"timestamp":"2024-02-14T11:06:24.184+0000","rule":{"level":3,"description":"The CVE-2023-30588 that affected Node.js was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6727153","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2023-30588","cvss":{"cvss3":{"base_score":"5.300000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2023-11-28T20:15:07Z","reference":"https://nodejs.org/en/blog/vulnerability/june-2023-security-releases","severity":"Medium","status":"Solved","title":"CVE-2023-30588 affecting Node.js was solved","type":"Packages","updated":"2023-12-04T17:40:31Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T11:06:24.194+0000","rule":{"level":3,"description":"The CVE-2023-32559 that affected Node.js was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":6,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6728461","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2023-32559","cvss":{"cvss3":{"base_score":"7.500000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2023-08-24T02:15:09Z","reference":"https://hackerone.com/reports/1946470, https://security.netapp.com/advisory/ntap-20231006-0006/","severity":"High","status":"Solved","title":"CVE-2023-32559 affecting Node.js was 
solved","type":"Packages","updated":"2023-10-24T17:48:55Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T11:06:24.204+0000","rule":{"level":3,"description":"The CVE-2022-32214 that affected Node.js was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":7,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6729819","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2022-32214","cvss":{"cvss3":{"base_score":"6.500000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2022-07-14T15:15:08Z","reference":"https://hackerone.com/reports/1524692, https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/, https://www.debian.org/security/2023/dsa-5326","severity":"Medium","status":"Solved","title":"CVE-2022-32214 affecting Node.js was solved","type":"Packages","updated":"2023-07-19T00:55:52Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T11:06:24.215+0000","rule":{"level":3,"description":"The CVE-2023-23919 that affected Node.js was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":8,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6731301","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2023-23919","cvss":{"cvss3":{"base_score":"7.500000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2023-02-23T20:15:13Z","reference":"https://hackerone.com/reports/1808596, 
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/, https://security.netapp.com/advisory/ntap-20230316-0008/","severity":"High","status":"Solved","title":"CVE-2023-23919 affecting Node.js was solved","type":"Packages","updated":"2023-03-16T16:15:11Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T11:06:24.225+0000","rule":{"level":3,"description":"The CVE-2023-30590 that affected Node.js was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6732809","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2023-30590","cvss":{"cvss3":{"base_score":"7.500000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2023-11-28T20:15:07Z","reference":"https://nodejs.org/en/blog/vulnerability/june-2023-security-releases","severity":"High","status":"Solved","title":"CVE-2023-30590 affecting Node.js was solved","type":"Packages","updated":"2023-12-04T17:39:07Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T11:06:24.235+0000","rule":{"level":3,"description":"The CVE-2022-32212 that affected Node.js was solved due to a package removal/update or a system 
upgrade","id":"23502","firedtimes":10,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6734113","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2022-32212","cvss":{"cvss3":{"base_score":"8.100000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2022-07-14T15:15:08Z","reference":"https://hackerone.com/reports/1632921","severity":"High","status":"Solved","title":"CVE-2022-32212 affecting Node.js was solved","type":"Packages","updated":"2023-02-23T20:15:12Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T11:06:24.245+0000","rule":{"level":3,"description":"The CVE-2023-30585 that affected Node.js was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6735355","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2023-30585","cvss":{"cvss3":{"base_score":"7.500000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2023-11-28T02:15:42Z","reference":"https://nodejs.org/en/blog/vulnerability/june-2023-security-releases","severity":"High","status":"Solved","title":"CVE-2023-30585 affecting Node.js was solved","type":"Packages","updated":"2023-12-02T04:39:59Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T11:06:24.256+0000","rule":{"level":3,"description":"The CVE-2023-30589 that affected Node.js was solved due to a package removal/update or a system 
upgrade","id":"23502","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6736659","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2023-30589","cvss":{"cvss3":{"base_score":"7.500000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2023-07-01T00:15:10Z","reference":"https://hackerone.com/reports/2001873, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE/, https://security.netapp.com/advisory/ntap-20230803-0009/","severity":"High","status":"Solved","title":"CVE-2023-30589 affecting Node.js was solved","type":"Packages","updated":"2023-12-12T14:33:56Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T11:06:24.266+0000","rule":{"level":3,"description":"The CVE-2023-32006 that affected Node.js was solved due to a package removal/update or a system 
upgrade","id":"23502","firedtimes":13,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6739577","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2023-32006","cvss":{"cvss3":{"base_score":"8.800000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2023-08-15T16:15:11Z","reference":"https://hackerone.com/reports/2043807, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX/, https://security.netapp.com/advisory/ntap-20230915-0009/","severity":"High","status":"Solved","title":"CVE-2023-32006 affecting Node.js was solved","type":"Packages","updated":"2023-09-15T14:15:10Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T11:06:24.276+0000","rule":{"level":3,"description":"The CVE-2023-38552 that affected Node.js was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":14,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6741455","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2023-38552","cvss":{"cvss3":{"base_score":"7.500000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2023-10-18T04:15:11Z","reference":"https://hackerone.com/reports/2094235, 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/, https://security.netapp.com/advisory/ntap-20231116-0013/","severity":"High","status":"Solved","title":"CVE-2023-38552 affecting Node.js was solved","type":"Packages","updated":"2023-11-16T16:15:30Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T11:06:24.287+0000","rule":{"level":3,"description":"The CVE-2022-3602 that affected Node.js was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":15,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6744373","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2022-3602","cvss":{"cvss3":{"base_score":"7.500000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2022-11-01T18:15:10Z","reference":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fe3b639dc19b325846f4f6801f2f4604f56e3de3, https://security.gentoo.org/glsa/202211-01, http://www.openwall.com/lists/oss-security/2022/11/01/15, 
http://www.openwall.com/lists/oss-security/2022/11/01/16, http://www.openwall.com/lists/oss-security/2022/11/01/17, http://www.openwall.com/lists/oss-security/2022/11/01/18, http://www.openwall.com/lists/oss-security/2022/11/01/19, http://www.openwall.com/lists/oss-security/2022/11/01/20, http://www.openwall.com/lists/oss-security/2022/11/01/21, http://www.openwall.com/lists/oss-security/2022/11/01/24, http://www.openwall.com/lists/oss-security/2022/11/02/1, http://www.openwall.com/lists/oss-security/2022/11/02/10, http://www.openwall.com/lists/oss-security/2022/11/02/11, http://www.openwall.com/lists/oss-security/2022/11/02/12, http://www.openwall.com/lists/oss-security/2022/11/02/13, http://www.openwall.com/lists/oss-security/2022/11/02/14, http://www.openwall.com/lists/oss-security/2022/11/02/15, http://www.openwall.com/lists/oss-security/2022/11/02/2, http://www.openwall.com/lists/oss-security/2022/11/02/3, http://www.openwall.com/lists/oss-security/2022/11/02/5, http://www.openwall.com/lists/oss-security/2022/11/02/6, http://www.openwall.com/lists/oss-security/2022/11/02/7, http://www.openwall.com/lists/oss-security/2022/11/02/9, http://www.openwall.com/lists/oss-security/2022/11/03/1, http://www.openwall.com/lists/oss-security/2022/11/03/10, http://www.openwall.com/lists/oss-security/2022/11/03/11, http://www.openwall.com/lists/oss-security/2022/11/03/2, http://www.openwall.com/lists/oss-security/2022/11/03/3, http://www.openwall.com/lists/oss-security/2022/11/03/5, http://www.openwall.com/lists/oss-security/2022/11/03/6, http://www.openwall.com/lists/oss-security/2022/11/03/7, http://www.openwall.com/lists/oss-security/2022/11/03/9, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63YRPWPUSX3MBHNPIEJZDKQT6YA7UF6S/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DWP23EZYOBDJQP7HP4YU7W2ABU2YDITS/, https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0023, 
https://security.netapp.com/advisory/ntap-20221102-0001/, https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a, http://packetstormsecurity.com/files/169687/OpenSSL-Security-Advisory-20221101.html, https://www.kb.cert.org/vuls/id/794340, https://www.openssl.org/news/secadv/20221101.txt","severity":"High","status":"Solved","title":"CVE-2022-3602 affecting Node.js was solved","type":"Packages","updated":"2023-08-08T14:21:49Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T11:06:24.297+0000","rule":{"level":3,"description":"The CVE-2023-32002 that affected Node.js was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":16,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6750604","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2023-32002","cvss":{"cvss3":{"base_score":"9.800000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2023-08-21T17:15:47Z","reference":"https://hackerone.com/reports/1960870, https://security.netapp.com/advisory/ntap-20230915-0009/","severity":"Critical","status":"Solved","title":"CVE-2023-32002 affecting Node.js was solved","type":"Packages","updated":"2023-09-15T14:15:09Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T11:06:24.307+0000","rule":{"level":3,"description":"The CVE-2022-32222 that affected Node.js was solved due to a package removal/update or a system 
upgrade","id":"23502","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6751970","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2022-32222","cvss":{"cvss3":{"base_score":"5.300000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2022-07-14T15:15:08Z","reference":"https://hackerone.com/reports/1695596","severity":"Medium","status":"Solved","title":"CVE-2022-32222 affecting Node.js was solved","type":"Packages","updated":"2023-07-24T13:16:33Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T11:06:24.318+0000","rule":{"level":3,"description":"The CVE-2022-43548 that affected Node.js was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6753216","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2022-43548","cvss":{"cvss3":{"base_score":"8.100000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2022-12-05T22:15:10Z","reference":"https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html, https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/, https://security.netapp.com/advisory/ntap-20230120-0004/, https://www.debian.org/security/2023/dsa-5326, https://security.netapp.com/advisory/ntap-20230427-0007/","severity":"High","status":"Solved","title":"CVE-2022-43548 affecting Node.js was 
solved","type":"Packages","updated":"2023-04-27T15:15:09Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-02-14T11:06:24.328+0000","rule":{"level":3,"description":"The CVE-2023-23920 that affected Node.js was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707908784.6754992","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2023-23920","cvss":{"cvss3":{"base_score":"4.200000"}},"enumeration":"CVE","package":{"architecture":"x86_64","name":"Node.js","version":"18.1.0"},"published":"2023-02-23T20:15:14Z","reference":"https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html, https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/, https://security.netapp.com/advisory/ntap-20230316-0008/, https://www.debian.org/security/2023/dsa-5395","severity":"Medium","status":"Solved","title":"CVE-2023-23920 affecting Node.js was solved","type":"Packages","updated":"2023-05-03T04:15:09Z"}},"location":"vulnerability-detector"} ```

E2E-VD-8: Deleting a vulnerable package - Any of the previous ones

Installed package version
```console
C:\Users\qa>node -v
'node' is not recognized as an internal or external command, operable program or batch file.
```
Vulnerability scanning
```console
{"timestamp":"2024-02-14T09:32:16.341+0000","rule":{"level":5,"description":"Windows: Application Uninstalled.","id":"18146","firedtimes":2,"mail":false,"groups":["windows"],"pci_dss":["10.6.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707903136.4230526","cluster":{"name":"wazuh","node":"manager2"},"full_log":"2024 Feb 14 01:32:15 WinEvtLog: Application: INFORMATION(11724): MsiInstaller: qa: DESKTOP-AQ2R8SM: DESKTOP-AQ2R8SM: Product: Node.js -- Removal completed successfully. (NULL) (NULL) (NULL) (NULL) (NULL) ? ","predecoder":{"program_name":"WinEvtLog","timestamp":"2024 Feb 14 01:32:15"},"decoder":{"parent":"windows","name":"windows"},"data":{"dstuser":"qa","id":"11724","status":"INFORMATION","extra_data":"MsiInstaller","system_name":"DESKTOP-AQ2R8SM","type":"Application"},"location":"WinEvtLog"
```

E2E-VD-9: Installation of a non-vulnerable package

Installed package version
```console
C:\Users\qa>node -v
v19.5.0
```
Vulnerability scanning
```console
{"timestamp":"2024-02-14T11:29:29.277+0000","rule":{"level":5,"description":"Windows: Application Installed.","id":"18147","firedtimes":2,"mail":false,"groups":["windows"],"pci_dss":["10.6.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707910169.6793937","cluster":{"name":"wazuh","node":"manager2"},"full_log":"2024 Feb 14 03:29:25 WinEvtLog: Application: INFORMATION(11707): MsiInstaller: qa: DESKTOP-AQ2R8SM: DESKTOP-AQ2R8SM: Product: Node.js -- Installation completed successfully. (NULL) (NULL) (NULL) (NULL) (NULL) ? ","predecoder":{"program_name":"WinEvtLog","timestamp":"2024 Feb 14 03:29:25"},"decoder":{"parent":"windows","name":"windows"},"data":{"dstuser":"qa","id":"11707","status":"INFORMATION","extra_data":"MsiInstaller","system_name":"DESKTOP-AQ2R8SM","type":"Application"},"location":"WinEvtLog"}
```

E2E-VD-10: Updating a non-vulnerable package that remains non-vulnerable

Installed package version
```console
C:\Users\qa>node -v
v19.6.0
```
Vulnerability scanning
```console
{"timestamp":"2024-02-14T11:40:39.095+0000","rule":{"level":5,"description":"Windows: Application Installed.","id":"18147","firedtimes":3,"mail":false,"groups":["windows"],"pci_dss":["10.6.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707910839.6801713","cluster":{"name":"wazuh","node":"manager2"},"full_log":"2024 Feb 14 03:40:37 WinEvtLog: Application: INFORMATION(11707): MsiInstaller: qa: DESKTOP-AQ2R8SM: DESKTOP-AQ2R8SM: Product: Node.js -- Installation completed successfully. (NULL) (NULL) (NULL) (NULL) (NULL) ? ","predecoder":{"program_name":"WinEvtLog","timestamp":"2024 Feb 14 03:40:37"},"decoder":{"parent":"windows","name":"windows"},"data":{"dstuser":"qa","id":"11707","status":"INFORMATION","extra_data":"MsiInstaller","system_name":"DESKTOP-AQ2R8SM","type":"Application"},"location":"WinEvtLog"}
```

E2E-VD-11: Updating a non-vulnerable package that becomes vulnerable

Installed package version
```console
C:\Users\qa>node -v
v20.5.1
```
Vulnerability scanning
```console {"timestamp":"2024-02-14T11:46:58.061+0000","rule":{"level":5,"description":"Windows: Application Installed.","id":"18147","firedtimes":4,"mail":false,"groups":["windows"],"pci_dss":["10.6.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707911218.6824243","cluster":{"name":"wazuh","node":"manager2"},"full_log":"2024 Feb 14 03:46:55 WinEvtLog: Application: INFORMATION(11707): MsiInstaller: qa: DESKTOP-AQ2R8SM: DESKTOP-AQ2R8SM: Product: Node.js -- Installation completed successfully. (NULL) (NULL) (NULL) (NULL) (NULL) ? ","predecoder":{"program_name":"WinEvtLog","timestamp":"2024 Feb 14 03:46:55"},"decoder":{"parent":"windows","name":"windows"},"data":{"dstuser":"qa","id":"11707","status":"INFORMATION","extra_data":"MsiInstaller","system_name":"DESKTOP-AQ2R8SM","type":"Application"},"location":"WinEvtLog"} {"timestamp":"2024-02-14T11:47:16.739+0000","rule":{"level":10,"description":"CVE-2023-44487 affects Node.js","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"015","name":"agent2","ip":"172.31.4.103"},"manager":{"name":"ip-172-31-8-191"},"id":"1707911236.6824642","cluster":{"name":"wazuh","node":"manager2"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"mitre","cve":"CVE-2023-44487","cvss":{"cvss3":{"base_score":"7.500000","vector":{"availability":"HIGH","confidentiality_impact":"NONE","integrity_impact":"NONE","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"NONE"}}},"cwe_reference":"CWE-400","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 20.8.1","name":"Node.js","source":" ","version":"20.5.1"},"published":"2023-10-10T14:15:10Z","rationale":"The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in 
August through October 2023.","reference":"https://github.com/micrictor/http2-rst-stream, https://news.ycombinator.com/item?id=37837043, https://github.com/etcd-io/etcd/issues/16740, https://github.com/line/armeria/pull/5232, https://github.com/opensearch-project/data-prepper/issues/3474, https://github.com/projectcontour/contour/pull/5826, https://bugzilla.proxmox.com/show_bug.cgi?id=4988, https://github.com/kazu-yamamoto/http2/issues/93, https://news.ycombinator.com/item?id=37830987, https://news.ycombinator.com/item?id=37831062, https://bugzilla.redhat.com/show_bug.cgi?id=2242803, https://bugzilla.suse.com/show_bug.cgi?id=1216123, https://github.com/Azure/AKS/issues/3947, https://github.com/Kong/kong/discussions/11741, https://github.com/akka/akka-http/issues/4323, https://github.com/alibaba/tengine/issues/1872, https://github.com/apache/apisix/issues/10320, https://github.com/apache/httpd-site/pull/10, https://github.com/caddyserver/caddy/issues/5877, https://github.com/eclipse/jetty.project/issues/10679, https://github.com/golang/go/issues/63417, https://github.com/haproxy/haproxy/issues/2312, https://github.com/junkurihara/rust-rpxy/issues/97, https://github.com/ninenines/cowboy/issues/1615, https://github.com/openresty/openresty/issues/930, https://github.com/oqtane/oqtane.framework/discussions/3367, https://github.com/tempesta-tech/tempesta/issues/1986, https://github.com/varnishcache/varnish-cache/issues/3996, https://news.ycombinator.com/item?id=37830998, http://www.openwall.com/lists/oss-security/2023/10/20/8, https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html, https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9, http://www.openwall.com/lists/oss-security/2023/10/13/4, http://www.openwall.com/lists/oss-security/2023/10/13/9, http://www.openwall.com/lists/oss-security/2023/10/18/4, http://www.openwall.com/lists/oss-security/2023/10/18/8, 
http://www.openwall.com/lists/oss-security/2023/10/19/6, https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html, https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html, https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html, https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html, https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/, 
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/, https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html, https://www.openwall.com/lists/oss-security/2023/10/10/6, https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo, https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q, https://github.com/advisories/GHSA-vx74-f528-fxqg, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487, https://github.com/dotnet/announcements/issues/277, https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/, https://github.com/h2o/h2o/pull/3291, https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1, https://github.com/advisories/GHSA-xpw8-rcwv-8f8p, https://github.com/apache/trafficserver/pull/10564, https://github.com/envoyproxy/envoy/pull/30055, 
https://github.com/facebook/proxygen/pull/466, https://github.com/grpc/grpc-go/pull/6703, https://github.com/kubernetes/kubernetes/pull/121120, https://github.com/microsoft/CBL-Mariner/pull/6381, https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61, https://github.com/nghttp2/nghttp2/pull/1961, https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/, https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73, https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113, https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2, https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244, https://github.com/caddyserver/caddy/releases/tag/v2.7.5, https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0, https://netty.io/news/2023/10/10/4-1-100-Final.html, https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14, https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve, https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/, https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/, https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack, https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715, https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088, https://github.com/bcdannyboy/CVE-2023-44487, https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html, https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html, 
https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html, https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/, https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected, https://security.gentoo.org/glsa/202311-09, https://security.netapp.com/advisory/ntap-20231016-0001/, https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/, https://www.debian.org/security/2023/dsa-5540, https://www.debian.org/security/2023/dsa-5549, https://www.debian.org/security/2023/dsa-5558, https://www.debian.org/security/2023/dsa-5570, https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/, https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack, https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event, https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/, https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487, https://access.redhat.com/security/cve/cve-2023-44487, https://aws.amazon.com/security/security-bulletins/AWS-2023-011/, https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/, https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/, https://blog.vespa.ai/cve-2023-44487/, https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125, https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764, https://github.com/advisories/GHSA-qppj-fm5r-hxr3, https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487, https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf, https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632, https://github.com/nodejs/node/pull/50121, 
https://istio.io/latest/news/security/istio-security-2023-004/, https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/, https://my.f5.com/manage/s/article/K000137106, https://security.paloaltonetworks.com/CVE-2023-44487, https://ubuntu.com/security/CVE-2023-44487, https://www.debian.org/security/2023/dsa-5521, https://www.debian.org/security/2023/dsa-5522, https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487, https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/, https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack","severity":"High","status":"Active","title":"CVE-2023-44487 affects Node.js","type":"Packages","updated":"2023-12-20T17:55:36Z"}},"location":"vulnerability-detector"} ```

Summary

| Case | Packages | Download links | CVE info | CVE detected |
| --- | --- | --- | --- | --- |
| E2E-VD-3: Installation of a vulnerable package | Nodejs 17.0.1 | node-v17.0.1-x64.msi | Node.js-17.0.1 | CVE-2021-4044 |
| E2E-VD-4: Updating a vulnerable package that remains vulnerable to the same CVE | Nodejs 17.0.1 -> 17.1.0 | node-v17.1.0-x64.msi | Node.js-17.1.0 | CVE-2021-4044 |
| E2E-VD-5: Updating a vulnerable package that becomes vulnerable to another CVE | Nodejs 17.1.0 -> 18.0.0 | node-v18.0.0-x64.msi | Node.js-18.0.0 | CVE-2023-38552 CVE-2023-32006 CVE-2023-30590 CVE-2023-30589 CVE-2023-30585 CVE-2022-3602 CVE-2023-32002 CVE-2022-32222 CVE-2022-43548 CVE-2023-23920 CVE-2022-32212 CVE-2023-23919 CVE-2022-32214 CVE-2023-32559 CVE-2023-30588 CVE-2022-3786 CVE-2023-23918 CVE-2022-32215 |
| E2E-VD-6: Updating a vulnerable package that becomes vulnerable to another CVE and retains the previous one | Nodejs 18.0.0 -> 18.1.0 | node-v18.1.0-x64.msi | Node.js-18.1.0 | CVE-2023-38552 CVE-2023-30590 CVE-2023-30589 CVE-2023-30585 CVE-2023-32002 CVE-2022-32222 CVE-2022-43548 CVE-2023-23920 CVE-2022-32212 CVE-2023-23919 CVE-2022-32214 CVE-2023-32559 CVE-2023-30588 CVE-2022-3786 CVE-2023-23918 CVE-2022-32215 CVE-2023-30581 CVE-2023-32006 CVE-2022-3602 |
| E2E-VD-7: Updating a vulnerable package that ceases to be vulnerable | Nodejs 18.1.0 -> 19.5.0 | node-v19.5.0-x64.msi | Node.js-19.5.0 | - |
| E2E-VD-8: Deleting a vulnerable package | Any of the previous ones | - | - | - |
| E2E-VD-9: Installation of a non-vulnerable package | Nodejs 19.5.0 | node-v19.5.0-x64.msi | Node.js-19.5.0 | - |
| E2E-VD-10: Updating a non-vulnerable package that remains non-vulnerable | Nodejs 19.5.0 -> 19.6.0 | node-v19.6.0-x64.msi | Node.js-19.6.0 | - |
| E2E-VD-11: Updating a non-vulnerable package that becomes vulnerable | Nodejs 19.6.0 -> 20.5.1 | node-v20.5.1-x64.msi | Node.js-20.5.1 | CVE-2023-44487 |

Rebits commented 8 months ago

Further research is imperative regarding the following agents:

It is necessary to identify vulnerable packages for the vulnerability detection module. Similar analysis conducted for the Windows 11 endpoint is essential for the remaining agents.


For CentOS, @santipadilla encountered issues installing potentially vulnerable packages. I conduct an analysis of this situation within the E2E test environment.

Regarding macOS, our examination of the syscollector module revealed issues with the detection capabilities of pkg packages. Thus, it's crucial to verify if the Vulnerability Detection module can identify vulnerabilities in MacPorts packages, as these are detected by syscollector.

santipadilla commented 8 months ago

Ubuntu 22 Agent

MySQL

MySQL packages are available here: https://downloads.mysql.com/archives/community/

| Case | Packages | Download links | CVE info | CVE detected |
| --- | --- | --- | --- | --- |
| E2E-VD-3: Installation of a vulnerable package | MySQL 5.5.20 | mysql-5.5.20 | mysql-5.5.20 | CVE-2018-2665 CVE-2018-2647 CVE-2018-2640 CVE-2015-2617 CVE-2018-2622 CVE-2018-2583 CVE-2018-0735 CVE-2017-3652 CVE-2017-10165 CVE-2017-3648 CVE-2012-0494 CVE-2017-3646 CVE-2017-3645 CVE-2017-3644 CVE-2017-3637 CVE-2017-3642 CVE-2017-3529 CVE-2012-1735 CVE-2017-3468 CVE-2014-2434 CVE-2014-6500 CVE-2017-3467 CVE-2017-3465 CVE-2017-3458 CVE-2017-3457 CVE-2016-3471 CVE-2012-0487 CVE-2013-3839 CVE-2017-3456 CVE-2017-3455 CVE-2017-3320 CVE-2020-14852 CVE-2017-3459 CVE-2016-2047 CVE-2012-0113 CVE-2017-3638 CVE-2016-0607 CVE-2017-3319 CVE-2018-2562 CVE-2017-3312 CVE-2017-3318 CVE-2017-3309 CVE-2016-0546 CVE-2012-3166 CVE-2017-3291 CVE-2017-3265 CVE-2015-2568 CVE-2013-1512 CVE-2017-3258 CVE-2016-0653 CVE-2016-0644 CVE-2017-3256 CVE-2017-3238 CVE-2017-10384 CVE-2017-10379 CVE-2015-4870 CVE-2012-3144 CVE-2017-10378 CVE-2017-10313 CVE-2017-10311 CVE-2017-10296 CVE-2017-3651 CVE-2017-10284 CVE-2017-10167 CVE-2016-8290 CVE-2016-9843 CVE-2016-8289 CVE-2018-2668 CVE-2017-3643 CVE-2014-4214 CVE-2016-8287 CVE-2017-3453 CVE-2016-7440 CVE-2014-2442 CVE-2016-5635 CVE-2016-0504 CVE-2015-2567 CVE-2014-0386 CVE-2016-5634 CVE-2016-0650 CVE-2017-3251 CVE-2016-5632 CVE-2017-3452 CVE-2015-2661 CVE-2016-5631 CVE-2012-1689 CVE-2016-5629 CVE-2016-5628 CVE-2017-3462 CVE-2015-4791 CVE-2016-5626 CVE-2017-3600 CVE-2013-0384 CVE-2016-5442 CVE-2016-5440 CVE-2016-3492 CVE-2017-3308 CVE-2016-3440 CVE-2012-0491 CVE-2016-5633 CVE-2016-0663 CVE-2016-0648 CVE-2016-6662 CVE-2016-0666 CVE-2016-0659 CVE-2016-0658 CVE-2016-0657 CVE-2016-0651 CVE-2016-0647 CVE-2016-5612 CVE-2016-0641 CVE-2016-0640 CVE-2013-5881 CVE-2016-0610 CVE-2017-3243 CVE-2016-3452 CVE-2016-0606 CVE-2017-3463 CVE-2014-0412 CVE-2016-0600 CVE-2016-0597 CVE-2013-2375 CVE-2017-3641 CVE-2016-0594 CVE-2016-0503 CVE-2016-0502 CVE-2019-2757 CVE-2015-4910 CVE-2014-0402 CVE-2015-4904 CVE-2014-0430 CVE-2015-4879 CVE-2015-4864 CVE-2015-4858 CVE-2014-2436 CVE-2015-4833 CVE-2016-8286 CVE-2015-4816 CVE-2015-4802 CVE-2015-4737 CVE-2013-5908 CVE-2016-0609 |
| E2E-VD-4: Updating a vulnerable package that remains vulnerable to the same CVE | MySQL 5.5.20 -> 5.5.21 | mysql-5.5.21 | mysql-5.5.21 | Same as previous CVEs |
| E2E-VD-5: Updating a vulnerable package that becomes vulnerable to another CVE | MySQL 5.5.18 -> 5.5.19 | mysql-5.5.18 | mysql-5.5.18 | In addition to all of the above, these new ones: CVE-2023-22007 CVE-2023-22028 CVE-2021-2356 CVE-2022-21417 CVE-2022-21444 CVE-2023-21980 CVE-2023-21977 |
| E2E-VD-6: Updating a vulnerable package that becomes vulnerable to another CVE and retains the previous one | MySQL 5.5.18 -> 5.5.19 | mysql-5.5.19 | mysql-5.5.19 | Same as previous CVEs and retains the CVEs from 5.5.18 |
| E2E-VD-7: Updating a vulnerable package that ceases to be vulnerable | MySQL has vulnerabilities in all its packages | - | - | - |
| E2E-VD-8: Deleting a vulnerable package | Any of the previous ones | - | - | - |
| E2E-VD-9: Installation of a non-vulnerable package | MySQL has vulnerabilities in all its packages | - | - | - |
| E2E-VD-10: Updating a non-vulnerable package that remains non-vulnerable | MySQL has vulnerabilities in all its packages | - | - | - |
| E2E-VD-11: Updating a non-vulnerable package that becomes vulnerable | MySQL has vulnerabilities in all its packages | - | - | - |

With Ubuntu 22.04, vulnerabilities are detected with the default "apt install" installation, such as "sudo apt install openssl" or "sudo apt install samba". But when downloading and installing a package from an official repository, it does not detect any vulnerability with any of the tested packages except mysql.

As we did not detect vulnerabilities in the versions of the installed packages, it was not possible to cover all cases, since we cannot test with different versions, only with the version that Ubuntu installs by default. With mysql it has not been possible to cover all the cases, since it does not have any version without vulnerabilities.

By default, vulnerabilities appear, as is the case with Vim, but when downloading and installing those packages individually from their official repositories, no vulnerability appears. Ubuntu does detect the installation and configuration of the packages but not the vulnerabilities.

It has been tested with versions that have vulnerabilities. The download and installation have been from the official repositories of each package:

- openssl: https://www.openssl.org/source/old/index.html
- libreoffice: https://www.libreoffice.org/download/download-libreoffice/
- postgresql: https://www.postgresql.org/download/
- nodejs: https://nodejs.org/dist/
- vim: https://www.vim.org/download.php#unix

rafabailon commented 8 months ago

CentOS 7 Agent

OpenJDK

The packages are available in the CentOS 7 repository

| Case | Packages | Download Links | CVE Info | Reference CVE |
| --- | --- | --- | --- | --- |
| E2E-VD-3: Installation of a vulnerable package | OpenJDK 1.6.0 | yum install java-1.7.0-openjdk.x86_64 | OpenJDK1.6.0 | - |
| E2E-VD-4: Updating a vulnerable package that remains vulnerable to the same CVE | OpenJDK 1.7.0 | yum install java-1.7.0-openjdk.x86_64 | OpenJDK1.7.0 | CVE-2014-4264 |
| E2E-VD-5: Updating a vulnerable package that becomes vulnerable to another CVE | OpenJDK 1.7.0 | yum install java-1.7.0-openjdk.x86_64 | OpenJDK1.7.0 | CVE-2013-1777 |
| E2E-VD-6: Updating a vulnerable package that becomes vulnerable to another CVE and retains the previous one | OpenJDK 1.8.0 | yum install java-1.8.0-openjdk.x86_64 | OpenJDK1.8.0 | CVE-2015-0477, CVE-2014-6549 |
| E2E-VD-7: Updating a vulnerable package that ceases to be vulnerable | There are no non-vulnerable packages | - | - | - |
| E2E-VD-8: Deleting a vulnerable package | Any of the previous ones OpenJDK 1.6.0 | yum remove java-1.6.0-openjdk.x86_64 | - | - |
| E2E-VD-9: Installation of a non-vulnerable package | There are no non-vulnerable packages | - | - | - |
| E2E-VD-10: Updating a non-vulnerable package that remains non-vulnerable | There are no non-vulnerable packages | - | - | - |
| E2E-VD-11: Updating a non-vulnerable package that becomes vulnerable | - | - | - | - |

Issues Detected

Tested Packages

santipadilla commented 8 months ago

MacOS Sonoma Agent

It does not detect vulnerabilities with pkg, brew or macports. Open issue and left a comment about it.

Rebits commented 8 months ago

Missing Issues reporting unexpected results in the following OS using alternative packages:

- Ubuntu: https://github.com/wazuh/wazuh-qa/issues/4943#issuecomment-1946044466
- CentOS: https://github.com/wazuh/wazuh-qa/issues/4943#issuecomment-1946476887


These results make it difficult to continue with https://github.com/wazuh/wazuh-qa/issues/4991. Feedback from developer team in regard to missing vulnerabilities is required.

santipadilla commented 8 months ago

Unexpected results in the following OS:

davidjiglesias commented 8 months ago

LGTM