vuln-list-alt/oval/p9/ALT-PU-2021-2408/definitions.json
2024-01-10 07:45:25 +00:00



{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20212408",
"Version": "oval:org.altlinux.errata:def:20212408",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2021-2408: package `npm` update to version 6.14.13-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p9"
],
"Products": [
"ALT Server",
"ALT Virtualization Server",
"ALT Workstation",
"ALT Workstation K",
"ALT Education",
"Simply Linux",
"Starterkit"
]
}
],
"References": [
{
"RefID": "ALT-PU-2021-2408",
"RefURL": "https://errata.altlinux.org/ALT-PU-2021-2408",
"Source": "ALTPU"
},
{
"RefID": "BDU:2021-02865",
"RefURL": "https://bdu.fstec.ru/vul/2021-02865",
"Source": "BDU"
},
{
"RefID": "BDU:2021-02874",
"RefURL": "https://bdu.fstec.ru/vul/2021-02874",
"Source": "BDU"
},
{
"RefID": "CVE-2020-7774",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774",
"Source": "CVE"
},
{
"RefID": "CVE-2020-7788",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-7788",
"Source": "CVE"
},
{
"RefID": "CVE-2020-8244",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-8244",
"Source": "CVE"
}
],
"Description": "This update upgrades npm to version 6.14.13-alt1. \nSecurity Fix(es):\n\n * BDU:2021-02865: Уязвимость библиотеки y18n прикладного программного обеспечения Аврора Центр, связанная с неконтролируемым изменением атрибутов прототипа объекта, позволяющая нарушителю реализовать атаку типа «загрязнение прототипа»\n\n * BDU:2021-02874: Уязвимость библиотеки ini прикладного программного обеспечения Аврора Центр, связанная с неконтролируемым изменением атрибутов прототипа объекта, позволяющая нарушителю реализовать атаку типа «загрязнение прототипа»\n\n * CVE-2020-7774: The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.\n\n * CVE-2020-7788: This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.\n\n * CVE-2020-8244: A buffer over-read vulnerability exists in bl \u003c4.0.3, \u003c3.0.1, \u003c2.2.1, and \u003c1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Critical",
"Rights": "Copyright 2023 BaseALT Ltd.",
"Issued": {
"Date": "2021-08-03"
},
"Updated": {
"Date": "2021-08-03"
},
"bdu": [
{
"Cvss": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"Cwe": "CWE-1321",
"Href": "https://bdu.fstec.ru/vul/2021-02865",
"Impact": "High",
"Public": "20210525",
"CveID": "BDU:2021-02865"
},
{
"Cvss": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"Cwe": "CWE-1321",
"Href": "https://bdu.fstec.ru/vul/2021-02874",
"Impact": "High",
"Public": "20210525",
"CveID": "BDU:2021-02874"
}
],
"Cves": [
{
"Cvss": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"Cwe": "CWE-1321",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774",
"Impact": "Critical",
"Public": "20201117",
"CveID": "CVE-2020-7774"
},
{
"Cvss": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"Cwe": "CWE-1321",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-7788",
"Impact": "Critical",
"Public": "20201211",
"CveID": "CVE-2020-7788"
},
{
"Cvss": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"Cwe": "CWE-125",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-8244",
"Impact": "Low",
"Public": "20200830",
"CveID": "CVE-2020-8244"
}
],
"AffectedCpeList": {
"Cpe": [
"cpe:/o:alt:kworkstation:9",
"cpe:/o:alt:workstation:9",
"cpe:/o:alt:server:9",
"cpe:/o:alt:server-v:9",
"cpe:/o:alt:education:9",
"cpe:/o:alt:slinux:9",
"cpe:/o:alt:starterkit:p9",
"cpe:/o:alt:kworkstation:9.1",
"cpe:/o:alt:workstation:9.1",
"cpe:/o:alt:server:9.1",
"cpe:/o:alt:server-v:9.1",
"cpe:/o:alt:education:9.1",
"cpe:/o:alt:slinux:9.1",
"cpe:/o:alt:starterkit:9.1",
"cpe:/o:alt:kworkstation:9.2",
"cpe:/o:alt:workstation:9.2",
"cpe:/o:alt:server:9.2",
"cpe:/o:alt:server-v:9.2",
"cpe:/o:alt:education:9.2",
"cpe:/o:alt:slinux:9.2",
"cpe:/o:alt:starterkit:9.2"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:1001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20212408001",
"Comment": "npm is earlier than 0:6.14.13-alt1"
}
]
}
]
}
}
]
}