{"id":"MGASA-2022-0294","summary":"Updated nodejs packages fix security vulnerability","details":"The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an\ninstallation even if dependency information in package-lock.json differs\nfrom package.json. This behavior is inconsistent with the documentation,\nand makes it easier for attackers to install malware that was supposed to\nhave been blocked by an exact version match requirement in\npackage-lock.json. (CVE-2021-43616)\n\nDNS rebinding in --inspect via invalid IP addresses (CVE-2022-32212)\n\nHTTP Request Smuggling - Flawed Parsing of Transfer-Encoding\n(CVE-2022-32213)\n\nHTTP Request Smuggling - Improper Delimiting of Header Fields\n(CVE-2022-32214)\n\nHTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding\n(CVE-2022-32215)\n\nAttempt to read openssl.cnf from /home/iojs/build/ upon startup\n(CVE-2022-32222)\n","modified":"2026-04-16T00:10:01.483641552Z","published":"2022-08-25T21:21:07Z","upstream":["CVE-2021-43616","CVE-2022-32212","CVE-2022-32213","CVE-2022-32214","CVE-2022-32215","CVE-2022-32222"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0294.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=30078"},{"type":"WEB","url":"https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/"},{"type":"WEB","url":"https://github.com/nodejs/node/releases/tag/v14.19.0"},{"type":"WEB","url":"https://github.com/nodejs/node/releases/tag/v14.19.1"},{"type":"WEB","url":"https://github.com/nodejs/node/releases/tag/v14.19.2"},{"type":"WEB","url":"https://github.com/nodejs/node/releases/tag/v14.19.3"},{"type":"WEB","url":"https://github.com/nodejs/node/releases/tag/v14.20.0"}],"affected":[{"package":{"name":"nodejs","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/nodejs?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"14.20.0-1.1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0294.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}