{
  "threat_severity" : "Important",
  "public_date" : "2024-02-08T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs-ip: arbitrary code execution via the isPublic() function",
    "id" : "2265161",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2265161"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-918",
  "details" : [ "The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.", "A vulnerability was found in the NPM IP package. The isPublic() function misclassifies some non-public addresses written in non-canonical form (for example 0x7f.1, which resolves to the loopback address 127.0.0.1) as globally routable. An application that relies on isPublic() to reject internal destinations can therefore be induced to perform Server-Side Request Forgery (SSRF) and obtain sensitive information from normally inaccessible resources. Arbitrary code execution is not a direct consequence of this flaw; any further impact depends on what the reachable internal services expose." ],
  "statement" : "npm itself does not appear to use the bundled copy of this code; therefore Red Hat Enterprise Linux is not affected by this vulnerability.\nAlthough this flaw in the NPM IP package is a significant security concern, it is rated Important rather than Critical for several reasons. First, the misclassification of the loopback address 0x7f.1 (a non-canonical spelling of 127.0.0.1) as public by the isPublic() function does not directly lead to remote code execution or unauthorized access to critical systems. Instead, it enables SSRF, which typically requires additional conditions to exploit fully, such as the ability to influence server-side requests and observe their responses. The impact of SSRF also varies with the environment and configuration of the affected system: it can lead to data exposure, service disruption, or lateral movement within a network, but is often limited by network segmentation, access controls, and whether sensitive internal resources are reachable at all. Only applications that call isPublic() to decide whether a user-controlled destination may be contacted are exposed; such applications should validate the resolved, canonical-form address rather than rely on isPublic() alone.\nRed Hat Developer Hub 1.1 contains a fix as of version 1.1-91.",
  "affected_release" : [ {
    "product_name" : "HawtIO 4.0.0 for Red Hat build of Apache Camel 4",
    "release_date" : "2024-06-03T00:00:00Z",
    "advisory" : "RHSA-2024:3550",
    "cpe" : "cpe:/a:redhat:rhboac_hawtio:4.0.0"
  }, {
    "product_name" : "Migration Toolkit for Virtualization 2.5",
    "release_date" : "2024-03-20T00:00:00Z",
    "advisory" : "RHBA-2024:1440",
    "cpe" : "cpe:/a:redhat:migration_toolkit_virtualization:2.5::el9",
    "package" : "migration-toolkit-virtualization/mtv-console-plugin-rhel9:2.5.6-4"
  }, {
    "product_name" : "NETWORK-OBSERVABILITY-1.6.0-RHEL-9",
    "release_date" : "2024-06-17T00:00:00Z",
    "advisory" : "RHSA-2024:3868",
    "cpe" : "cpe:/a:redhat:network_observ_optr:1.6.0::el9",
    "package" : "network-observability/network-observability-cli-rhel9:v1.6.0-66"
  }, {
    "product_name" : "NETWORK-OBSERVABILITY-1.6.0-RHEL-9",
    "release_date" : "2024-06-17T00:00:00Z",
    "advisory" : "RHSA-2024:3868",
    "cpe" : "cpe:/a:redhat:network_observ_optr:1.6.0::el9",
    "package" : "network-observability/network-observability-console-plugin-rhel9:v1.6.0-66"
  }, {
    "product_name" : "NETWORK-OBSERVABILITY-1.6.0-RHEL-9",
    "release_date" : "2024-06-17T00:00:00Z",
    "advisory" : "RHSA-2024:3868",
    "cpe" : "cpe:/a:redhat:network_observ_optr:1.6.0::el9",
    "package" : "network-observability/network-observability-ebpf-agent-rhel9:v1.6.0-66"
  }, {
    "product_name" : "NETWORK-OBSERVABILITY-1.6.0-RHEL-9",
    "release_date" : "2024-06-17T00:00:00Z",
    "advisory" : "RHSA-2024:3868",
    "cpe" : "cpe:/a:redhat:network_observ_optr:1.6.0::el9",
    "package" : "network-observability/network-observability-flowlogs-pipeline-rhel9:v1.6.0-66"
  }, {
    "product_name" : "NETWORK-OBSERVABILITY-1.6.0-RHEL-9",
    "release_date" : "2024-06-17T00:00:00Z",
    "advisory" : "RHSA-2024:3868",
    "cpe" : "cpe:/a:redhat:network_observ_optr:1.6.0::el9",
    "package" : "network-observability/network-observability-operator-bundle:1.6.0-78"
  }, {
    "product_name" : "NETWORK-OBSERVABILITY-1.6.0-RHEL-9",
    "release_date" : "2024-06-17T00:00:00Z",
    "advisory" : "RHSA-2024:3868",
    "cpe" : "cpe:/a:redhat:network_observ_optr:1.6.0::el9",
    "package" : "network-observability/network-observability-rhel9-operator:v1.6.0-66"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10236",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8",
    "package" : "devspaces/code-rhel8:3.17-19"
  }, {
    "product_name" : "RHDH-1.1-RHEL-9",
    "release_date" : "2024-03-18T00:00:00Z",
    "advisory" : "RHEA-2024:1366",
    "cpe" : "cpe:/a:redhat:rhdh:1.1::el9",
    "package" : "rhdh/rhdh-hub-rhel9:1.1-97"
  }, {
    "product_name" : "RHODF-4.15-RHEL-9",
    "release_date" : "2024-03-19T00:00:00Z",
    "advisory" : "RHSA-2024:1383",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.15::el9",
    "package" : "odf4/mcg-core-rhel9:v4.15.0-68"
  } ],
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/kibana6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Node HealthCheck Operator",
    "fix_state" : "Affected",
    "package_name" : "workload-availability/node-remediation-console-rhel8",
    "cpe" : "cpe:/a:redhat:workload_availability_nhc:0"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 3",
    "fix_state" : "Out of support scope",
    "package_name" : "advanced-cluster-security/rhacs-main-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:3"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Not affected",
    "package_name" : "advanced-cluster-security/rhacs-main-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:16/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:18/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:20/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:18/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:20/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-nodejs14-nodejs",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-42282\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-42282\nhttps://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html" ],
  "name" : "CVE-2023-42282",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}