An issue in NPM IP Package v.1.1.8 and before allows an attacker to execute arbitrary code and obtain sensitive information via the isPublic() function. https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html https://github.com/indutny/node-ip
Created nodejs-ip tracking bugs for this issue:
Affects: epel-all [bug 2265162]

Created golang-github-prometheus tracking bugs for this issue:
Affects: epel-all [bug 2265683]

Created nodejs:13/nodejs tracking bugs for this issue:
Affects: epel-all [bug 2265684]

Created nodejs:16-epel/nodejs tracking bugs for this issue:
Affects: epel-all [bug 2265685]
Statement Added: It appears that npm does not utilize the bundled code, making it vulnerable. So Red Hat Enterprise Linux is not affected by this vulnerability. While the vulnerability in the NPM IP Package presents a significant security concern, it's categorized as important rather than critical due to several factors. Firstly, the misclassification of the private IP address 0x7f.1 as public by the isPublic() function does not directly lead to remote code execution or unauthorized access to critical systems. Instead, it facilitates SSRF attacks, which typically require additional conditions to fully exploit, such as the ability to influence server-side requests and responses. Additionally, the impact of SSRF attacks can vary depending on the specific environment and configuration of the affected system. While SSRF attacks can potentially lead to data exposure, service disruption, or lateral movement within a network, their severity is often mitigated by factors such as network segmentation, access controls, and the availability of sensitive resources.
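The statement above turns on `isPublic()` judging the string form of an address, so a non-canonical spelling of loopback such as `0x7f.1` is not recognised as private. The following is an added illustration, not code from the `ip` package or from Red Hat: a naive string-matching check of the kind that misses such spellings, next to a hardened check that first canonicalises the address using inet_aton rules (hex `0x`, leading-zero octal, and 1 to 4 parts) and only then classifies it. The range list is an assumption for the example and is not exhaustive.

```javascript
// Naive check (illustrative only): matches the literal text, so "0x7f.1",
// "0177.0.0.1" and "2130706433" all pass as "public".
function naiveIsPrivate(str) {
  return /^(10|127)\./.test(str) || /^192\.168\./.test(str) ||
    /^172\.(1[6-9]|2\d|3[01])\./.test(str);
}

// Parse one dotted part the way inet_aton does: 0x.. hex, leading-0 octal,
// else plain decimal ("08" is rejected, as inet_aton rejects it).
function parsePart(s) {
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) return parseInt(s.slice(2), 16);
  if (/^0[0-7]+$/.test(s)) return parseInt(s, 8);
  if (/^(0|[1-9][0-9]*)$/.test(s)) return parseInt(s, 10);
  return NaN;
}

// Canonical dotted-quad for any inet_aton spelling (1 to 4 parts; the last
// part fills the remaining bytes), or null when the input is not valid.
function canonicalIPv4(str) {
  const parts = str.split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;
  const last = nums.pop();
  if (nums.some((n) => n > 255)) return null;      // leading parts are bytes
  const remaining = 4 - nums.length;
  if (last >= 2 ** (8 * remaining)) return null;   // last part must fit
  const bytes = [...nums];
  for (let i = remaining - 1; i >= 0; i--) bytes.push((last >>> (8 * i)) & 0xff);
  return bytes.join('.');
}

// Hardened check: classify the canonical form and fail closed on garbage.
// Ranges covered here (assumption for the example): 0/8, 10/8, 127/8,
// 169.254/16, 172.16/12 and 192.168/16.
function isPrivateIPv4(str) {
  const canon = canonicalIPv4(str);
  if (canon === null) return true;
  const [a, b] = canon.split('.').map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

function isPublicIPv4(str) {
  return !isPrivateIPv4(str);
}
```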
https://access.redhat.com/security/cve/cve-2023-42282

The RedHat CVE shows that the RHEL8 node 18 distribution is `not affected` but when I inspect the base image, the vulnerable version of `ip` 2.0.0 is still installed:

```
MacBook-Pro-2 Desktop % podman run -it -u root --rm registry.access.redhat.com/ubi8/nodejs-18@sha256:cf3b944a5fffa2da8e133583b406004c583dd6e17dfea24825cd3f15f6335ac2 bash
bash-4.4# cd lib/node_modules/npm/
bash-4.4# cat package.json | grep version
  "version": "10.2.4",
    "libnpmversion": "^5.0.1",
    "libnpmversion",
      "version": "4.19.0",
bash-4.4# cd node_modules/ip
bash-4.4# cat package.json | grep version
  "version": "2.0.0",
bash-4.4#
```

Is the reason the ubi is not affected due to the statement above?

```
It appears that npm does not utilize the bundled code, making it vulnerable. So Red Hat Enterprise Linux is not affected by this vulnerability.
```
(In reply to arturo from comment #11)
> https://access.redhat.com/security/cve/cve-2023-42282
> The RedHat CVE shows that the RHEL8 node 18 distribution is `not affected`
> but when I inspect the base image, the vulnerable version of `ip` 2.0.0 is
> still installed:
> ```
> MacBook-Pro-2 Desktop % podman run -it -u root --rm
> registry.access.redhat.com/ubi8/nodejs-18@sha256:
> cf3b944a5fffa2da8e133583b406004c583dd6e17dfea24825cd3f15f6335ac2 bash
> bash-4.4# cd lib/node_modules/npm/
> bash-4.4# cat package.json | grep version
>   "version": "10.2.4",
>     "libnpmversion": "^5.0.1",
>     "libnpmversion",
>       "version": "4.19.0",
> bash-4.4# cd node_modules/ip
> bash-4.4# cat package.json | grep version
>   "version": "2.0.0",
> bash-4.4#
> ```
>
> Is the reason the ubi is not affected due to the statement above?
> ```
> It appears that npm does not utilize the bundled code, making it vulnerable.
> So Red Hat Enterprise Linux is not affected by this vulnerability.
> ```

From the relevant GH discussion (https://github.com/npm/cli/issues/7216#issuecomment-1939569800), the upstream states that the NPM cli is not launching any servers (long-running processes) that could be targeted by the SSRF attacks; so while it is present in the package currently, it is not used in an exploitable way.

FYI, further down the discussion it seems that the entire dependency will be dropped in a future release.
I see, `npm` developers have stated that this is a false positive. However, they did go ahead and patch this so that everyone would stop bugging them about it lol: https://github.com/npm/cli/issues/7216#issuecomment-1959743070

Are there any plans to include this fix in the ubi?
(In reply to arturo from comment #13)
> I see, `npm` developers have stated that this is a false positive. However,
> they did go ahead and patch this so that everyone would stop bugging them
> about it lol: https://github.com/npm/cli/issues/7216#issuecomment-1959743070
> Are there any plans to include this fix in the ubi?

The current plan is to pull the fix via some future upstream release of NodeJS/npm that will contain it. No dedicated rebases are planned.