ID

VAR-202201-0349

CVE

CVE-2022-0235

TITLE

node-fetch Information disclosure vulnerability

DESCRIPTION

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor. Description: Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services. Security Fix(es): * chart.js: prototype pollution (CVE-2020-7746) * moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129) * package immer before 9.0.6. Solution: For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. Red Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process. The References section of this erratum contains a download link. You must log in to download the update. Bugs fixed (https://bugzilla.redhat.com/): 2041833 - CVE-2021-23436 immer: type confusion vulnerability can lead to a bypass of CVE-2020-28477 2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor 2047200 - CVE-2022-23437 xerces-j2: infinite loop when handling specially crafted XML document payloads 2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors 2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes 2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS 2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2066009 - CVE-2021-44906 minimist: prototype pollution 2067387 - CVE-2022-24771 node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery 2067458 - CVE-2022-24772 node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery 2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale 2076133 - CVE-2022-1365 cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor 2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information 2096966 - CVE-2020-7746 chart.js: prototype pollution 2103584 - CVE-2022-0722 parse-url: Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS 2107994 - CVE-2022-2458 Business-central: Possible XML External Entity Injection attack 5. Description: Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers the containers for the release. JIRA issues fixed (https://issues.jboss.org/): OSSM-1435 - Container release for Maistra 2.1.2.1 6. Description: Red Hat Advanced Cluster Management for Kubernetes 2.3.8 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. 7) - noarch, x86_64 3. Description: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: rh-nodejs14-nodejs (14.21.1), rh-nodejs14-nodejs-nodemon (2.0.20). Bug Fix(es): * rh-nodejs14-nodejs: Provide full-i18n subpackage (BZ#2009880) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2009880 - rh-nodejs14-nodejs: Provide full-i18n subpackage 2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor 2066009 - CVE-2021-44906 minimist: prototype pollution 2129806 - rh-nodejs14-nodejs: Rebase to the latest Nodejs 14 release [rhscl-3] 2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function 2140911 - CVE-2022-43548 nodejs: DNS rebinding in inspect via invalid octal IP address 2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process 2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Data Grid 8.4.0 security update Advisory ID: RHSA-2022:8524-01 Product: Red Hat JBoss Data Grid Advisory URL: https://access.redhat.com/errata/RHSA-2022:8524 Issue date: 2022-11-17 CVE Names: CVE-2022-0235 CVE-2022-23647 CVE-2022-24823 CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 CVE-2022-38751 CVE-2022-38752 ===================================================================== 1. Summary: An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.4.0 replaces Data Grid 8.3.1 and includes bug fixes and enhancements. Find out more about Data Grid 8.4.0 in the Release Notes[3]. Security Fix(es): * prismjs: improperly escaped output allows a XSS (CVE-2022-23647) * snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857) * node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235) * netty: world readable temporary file containing sensitive data (CVE-2022-24823) * snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749) * snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750) * snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751) * snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: To install this update, do the following: 1. Download the Data Grid 8.4.0 Server patch from the customer portal[²]. 2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on. 3. Install the Data Grid 8.4.0 Server patch. 4. Restart Data Grid to ensure the changes take effect. For more information about Data Grid 8.4.0, refer to the 8.4.0 Release Notes[³] 4. Bugs fixed (https://bugzilla.redhat.com/): 2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor 2056643 - CVE-2022-23647 prismjs: improperly escaped output allows a XSS 2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data 2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections 2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode 2129707 - CVE-2022-38750 snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject 2129709 - CVE-2022-38751 snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match 2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode 5. References: https://access.redhat.com/security/cve/CVE-2022-0235 https://access.redhat.com/security/cve/CVE-2022-23647 https://access.redhat.com/security/cve/CVE-2022-24823 https://access.redhat.com/security/cve/CVE-2022-25857 https://access.redhat.com/security/cve/CVE-2022-38749 https://access.redhat.com/security/cve/CVE-2022-38750 https://access.redhat.com/security/cve/CVE-2022-38751 https://access.redhat.com/security/cve/CVE-2022-38752 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381&product=data.grid&version=8.4&downloadType=patches https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.4/html-single/red_hat_data_grid_8.4_release_notes/index 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBY3aDp9zjgjWX9erEAQguCQ/+OYKKaLAAtbNiCNTq3llsyPpuRIEQFoK/ tAgdAwRlSYz3Cwyx9tEMKND3UdoYlncZgepk/slYEBURSYiZygSRUXy7z2ZqOpQP IReuW55RqG2x6v1BAr4I2NruG/8wi0k6QxeBrl48PYtiq19LT4aAb4tZJ1VKhTQX LCWncEs+xxRpqRLFSQT7IMRekkOcUmo2lxls4exjpPgOBtHvGiuppXFK1Um7eh6i Gl5icTyhrxtHeAkWsEN0/K6akPHsWYr/mM7BFOpVE5LIa00TFJ9g0wxHg/qVNEh5 2i8sWjz0mybc6rNUvYoa3vsx88x8ASD/rH/qrqRkqcNwiOzuQD3B4843eXxPQSS6 dRre/qbUQQuz/PatKPFtBqAzQlXVwR29fOJcV74G6kY2/37+5d4GCfU5AcgRzAVn 1fQElIcjM8/0mn9+65JoDNoEA8k8BbJyb9+jMTvPeu5AkalTp5wkYO78mjRVDba+ g1Rhz4Ewo6KTxr5K7txFi0ukoc9P/Li5Tbp2Q8+a9bvMnggDZZyU1PXWtLCkC9kD vqbue19Z8TfqoX1WDL/T0o4Go6KWaQBbH6FoP10o2rfcvn13QeiIw9kImQ99qGap 75uV9D2R7TWPBm843qBta57MuUO1uaZDOUlk+8V0+5sNN4SKRUZIoGnDT29WVS+U pdFf1sazxWU= =m90N -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . ========================================================================== Ubuntu Security Notice USN-6158-1 June 13, 2023 node-fetch vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS (Available with Ubuntu Pro) Summary: Node Fetch could be made to expose sensitive information if it opened a specially crafted file. Software Description: - node-fetch: A light-weight module that brings the Fetch API to Node.js Details: It was discovered that Node Fetch incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive information. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: node-fetch 1.7.3-2ubuntu0.1 Ubuntu 18.04 LTS (Available with Ubuntu Pro): node-fetch 1.7.3-1ubuntu0.1~esm1 In general, a standard system update will make all the necessary changes

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

information disclosure

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2026-04-18T22:28:46.154000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE