Wrongly assigned CVE critical vulnerabilities to 16.16.0

[CrlsMrls]

After reading the contributing guidelines, in my opinion this is the best place I found to raise this issue. I understand this may not be correct though, sorry in advance for the inconvenience.

What is the problem this feature will solve?

There are multiple resources that (in my opinion) are wrongly assigning CVE critical vulnerabilities to node.js version 16.16.0.

The goal of this GitHub issue is to raise awareness in the Node.js community, so this situation is fixed.

Our security CICD pipelines are raising these critical vulnerabilities for the latest LTS version of node.js (version 16.16.0)

CVE	SEVERITY	CVSS	PACKAGE	VERSION	STATUS
CVE-2022-32215	critical	9.10	node	16.16.0	fixed in 18.5.0, 16.20.0, 14.20.0
CVE-2022-32214	critical	9.10	node	16.16.0	fixed in 18.5.0, 16.20.0, 14.20.0
CVE-2022-32213	critical	9.10	node	16.16.0	fixed in 18.5.0, 16.20.0, 14.20.0

This seems wrong to me, because:

• You announced in the July 2022 security releases blog these vulnerabilities were fixed.
• The vulnerability was reported in https://hackerone.com/reports/1501679, and you clearly state this was finally fixed.
• The commit 1da22eb addressed those issues and it is merged.
• The report says it will be fixed in 16.20.0 (which still does not exist)

On the other hand, there are very well respected vulnerability databases stating this is not fixed yet:

• The US government National Vulnerability Database (NVD) assigns CVSS 9.1, indicating that it is fixed ONLY in v.16.20.0 https://nvd.nist.gov/vuln/detail/CVE-2022-32215
• Synk vulnerability DB says there is no fix for this vulnerability. https://security.snyk.io/vuln/SNYK-JS-LLHTTP-2946720

I am not sure how to resolve these discrepancies. Until this is fixed, our security practices are blocking this node.js version, which means we cannot use version 16 at all.

What is the feature you are proposing to solve the problem?

Somebody from the Node.js organization contacts NATIONAL VULNERABILITY DATABASE to fix the issue.

[mhdawson]

Looking at our entries in Hacker 1 which is how we request/publish CVEs it does seems like there was a cut/paste error so that we reported it was fixed in 16.20.0 intead of 16.16.0.

I could not find an option in H1 to update the CVE data so I've send a message asking how can can do this.

Thanks for raising the issue.

[mhdawson]

@RafaelGSS FYI.

@mcollina FYI

[mcollina]

@mhdawson thanks for taking care of this. I made another typo too apparently in another one.

We really need more eyes on them before hitting publish.

[mcollina]

One note: I'm not aware why those vulnerabilities were classified as critical by others. THEY ARE NOT.

Update at your own pace, you are almost certainly not at risk as they apply only in very specific conditions with limited impact.

[mhdawson]

No answer to my question on how to update yet and I'm out until next Tuesday. WIll check when I get back.

[texiontech]

We have got this report issue from Aqua-scan too.

[mcollina]

@MylesBorins what would be the best way to notify the Github Security Advisories team about this change?

[nil4]

https://github.com/github/advisory-database#contributions suggests a couple of approaches that might help.

[mhdawson]

Trying to follow up with a contact we have at H1 as I'm still waiting on a response through the help system.

[mcollina]

I checked and it's not possible to fix it via GitHub as the information is not copied in that registry.

[mhdawson]

I reached out to our contact at H1 and they indicated they would help point me in the right direction. Will update here when I have more info.

[aberezovski]

Hey guys,

I was thinking to open similar issue, but found this one.
Regarding NVD confusion, I was convinced that it was a copy/paste issue regarding the Node.js versioning in NVD vulnerabilities like CVE-2022-32214.
The original NVD statement says vulnerability applicable:

• from (including) 16.0.0 up to (excluding) 16.20.0

but the update from July 27th says vulnerability applicable:

• from (including) 16.0.0 up to (including) 16.12.0
• from (including) 16.13.0 up to (excluding) 16.16.0

Apart of that I would like to understand how did the above mentioned commit 1da22eb fix the issue?
The July 7th Security Release mentions that all three CVEs related to llhttp library issue were fixed by using llhttp v6.0.7 where tag v6.0.7 was added on July 6th.

I found the line project(llhttp VERSION 6.0.5) in the Node.js 16.16.0 source code, but according to security release the fix is in llhttp v6.0.7.

Could you clarify what does the sticked llhttp version 6.0.5 in the file deps/llhttp/CMakeLists.txt mean?
And if there is nothing missed to provide a proper fix for the discussed CVEs?