vuln-list-alt/oval/c10f1/ALT-PU-2020-2824/definitions.json
2024-12-12 21:07:30 +00:00



{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20202824",
"Version": "oval:org.altlinux.errata:def:20202824",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2020-2824: package `node` update to version 14.11.0-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c10f1"
],
"Products": [
"ALT SP Workstation",
"ALT SP Server"
]
}
],
"References": [
{
"RefID": "ALT-PU-2020-2824",
"RefURL": "https://errata.altlinux.org/ALT-PU-2020-2824",
"Source": "ALTPU"
},
{
"RefID": "BDU:2020-05657",
"RefURL": "https://bdu.fstec.ru/vul/2020-05657",
"Source": "BDU"
},
{
"RefID": "BDU:2020-05687",
"RefURL": "https://bdu.fstec.ru/vul/2020-05687",
"Source": "BDU"
},
{
"RefID": "CVE-2020-8201",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-8201",
"Source": "CVE"
},
{
"RefID": "CVE-2020-8251",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-8251",
"Source": "CVE"
}
],
"Description": "This update upgrades node to version 14.11.0-alt1. \nSecurity Fix(es):\n\n * BDU:2020-05657: Уязвимость программной платформы Node.js, связанная с ошибкой обработки имен HTTP - заголовка, позволяющая нарушителю получить доступ к защищаемой информации или повысить свои привилегии\n\n * BDU:2020-05687: Уязвимость программной платформы Node.js, связанная с ошибкой обработки имен HTTP - заголовка, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2020-8201: Node.js \u003c 12.18.4 and \u003c 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.\n\n * CVE-2020-8251: Node.js \u003c 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2020-09-16"
},
"Updated": {
"Date": "2020-09-16"
},
"BDUs": [
{
"ID": "BDU:2020-05657",
"CVSS": "AV:N/AC:H/Au:N/C:C/I:C/A:N",
"CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"CWE": "CWE-444",
"Href": "https://bdu.fstec.ru/vul/2020-05657",
"Impact": "High",
"Public": "20200918"
},
{
"ID": "BDU:2020-05687",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-400",
"Href": "https://bdu.fstec.ru/vul/2020-05687",
"Impact": "High",
"Public": "20200918"
}
],
"CVEs": [
{
"ID": "CVE-2020-8201",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"CWE": "CWE-444",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-8201",
"Impact": "High",
"Public": "20200918"
},
{
"ID": "CVE-2020-8251",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-400",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-8251",
"Impact": "High",
"Public": "20200918"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:spworkstation:10",
"cpe:/o:alt:spserver:10"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:5001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20202824001",
"Comment": "node is earlier than 0:14.11.0-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20202824002",
"Comment": "node-devel is earlier than 0:14.11.0-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20202824003",
"Comment": "node-doc is earlier than 0:14.11.0-alt1"
}
]
}
]
}
}
]
}