The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Node.js minimist: denial of service via Prototype Pollution

Synthesis of the vulnerability 

An attacker can cause a fatal error via Prototype Pollution of Node.js minimist, resulting in a denial of service.
Vulnerable products: Nodejs Modules ~ not comprehensive, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity of this weakness: 2/4.
Creation date: 15/06/2020.
References of this bulletin: CVE-2020-7598, openSUSE-SU-2020:0802-1, RHSA-2020:2847-01, RHSA-2020:2848-01, RHSA-2020:2849-01, RHSA-2020:2852-01, RHSA-2020:2895-01, RHSA-2020:3042-01, RHSA-2020:3084-01, SUSE-SU-2020:1623-1, SUSE-SU-2020:2800-1, VIGILANCE-VUL-32538.

Description of the vulnerability 

An attacker can cause a fatal error via Prototype Pollution of Node.js minimist, resulting in a denial of service.

This cybersecurity threat impacts software or systems such as Nodejs Modules ~ not comprehensive, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES.

Our Vigil@nce team determined that the severity of this threat is medium.

The trust level is "confirmed by the editor", and the origin of the attack is "intranet client".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level ability can exploit this security threat.

Solutions for this threat 

Node.js minimist: version 1.2.3.
Version 1.2.3 is fixed:
  https://www.npmjs.com/package/minimist
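
As an added example (not part of the bulletin or of minimist itself), the following Node.js function scans a parsed package-lock.json for installed copies of minimist older than the 1.2.3 release named above, including copies nested under other dependencies. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example. FIXED is the fixed minimist version named in this bulletin.
const FIXED = [1, 2, 3];
// "1.2.0" or "1.2.0-rc.1" -> [1, 2, 0]; null when the string is not a version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}
// True when v sorts before FIXED. Unparsable versions are flagged for review.
function isBelowFixed(v) {
  const p = parseVersion(v);
  if (!p) return true;
  const i = p.findIndex((n, k) => n !== FIXED[k]);
  return i !== -1 && p[i] < FIXED[i];
}
// Accepts a parsed package-lock.json. lockfileVersion 2/3 lists every install
// path under "packages"; lockfileVersion 1 nests copies under "dependencies".
function findOldMinimist(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/minimist$/.test(path) && isBelowFixed(info.version)) {
        hits.push({ path, version: info.version });
      }
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'minimist' && isBelowFixed(info.version)) {
        hits.push({ path: here.join(' > '), version: info.version });
      }
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/minimist': { version: '1.2.5' },
    'node_modules/mkdirp/node_modules/minimist': { version: '0.0.8' },
    'node_modules/optimist/node_modules/minimist': { version: '1.2.0' },
  },
};
console.log(findOldMinimist(sampleLock));
```

To audit a real project, pass the result of `JSON.parse` on its package-lock.json to `findOldMinimist`; an empty array means no copy below 1.2.3 was found.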

openSUSE Leap 15.1: new nodejs8 packages.
New packages are available:
  openSUSE Leap 15.1: nodejs8 8.17.0-lp151.2.15.1

RHEL 7: new rh-nodejs10-nodejs packages.
New packages are available:
  RHEL 7.0-7.8: rh-nodejs10-nodejs 10.21.0-3.el7

RHEL 7: new rh-nodejs12-nodejs packages.
New packages are available:
  RHEL 7.0-7.8: rh-nodejs12-nodejs 12.18.2-1.el7

RHEL 8.0: new nodejs-10 module.
The following module is updated:
  RHEL 8.0 Module: nodejs:10

RHEL 8.1: new nodejs-10 module.
The following module is updated:
  RHEL 8.1 Module: nodejs:10

RHEL 8.1: new nodejs-12 module.
The following module is updated:
  RHEL 8.1 Module: nodejs:12

RHEL 8.2: new nodejs-10 module.
The following module is updated:
  RHEL 8.2 Module: nodejs:10

RHEL 8.2: new nodejs-12 module.
The following module is updated:
  RHEL 8.2 Module: nodejs:12

SUSE LE 12: new nodejs6 packages.
New packages are available:
  SUSE LE 12 RTM: nodejs6 6.17.1-11.37.1

SUSE LE 15 SP2: new nodejs8 packages.
New packages are available:
  SUSE LE 15 SP2: nodejs8 8.17.0-10.3.1
