|
|
Subscribe / Log in / New account

Mageia alert MGASA-2023-0053 (nodejs-qs)



From:
              Mageia Updates <buildsystem-daemon@mageia.org>


To:
              updates-announce@ml.mageia.org


Subject:
              [updates-announce] MGASA-2023-0053: Updated nodejs-qs packages fix security vulnerability


Date:
              Mon, 20 Feb 2023 22:26:48 +0100


Message-ID:
              <20230220212648.26B8D9F8B2@duvel.mageia.org>


Archive-link:
              Article


MGASA-2023-0053 - Updated nodejs-qs packages fix security vulnerability

Publication date: 20 Feb 2023
URL: https://advisories.mageia.org/MGASA-2023-0053.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-24999

Description:
nodejs qs before 6.10.3, as used in Express before 4.17.3 and other
products, allows attackers to cause a Node process hang for an Express
application because an __ proto__ key can be used. In many typical Express
use cases, an unauthenticated remote attacker can place the attack payload
in the query string of the URL that is used to visit the application, such
as a[__proto__]=b&a[__proto__]&a[length]=100000000.  (CVE-2022-24999)

References:
- https://bugs.mageia.org/show_bug.cgi?id=31494
- https://www.debian.org/lts/security/2023/dla-3299
- https://security-tracker.debian.org/tracker/CVE-2022-24999
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2...

SRPMS:
- 8/core/nodejs-qs-6.5.3-1.mga8
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds