摘要:
nodejs-qs security update
安全等级: High
公告ID: KylinSec-SA-2024-3149
发布日期: 2024年4月12日
关联CVE: CVE-2022-24999
This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior (and twice as fast). Used by express, connect and others.
Security Fix(es):
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).(CVE-2022-24999)
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|---|---|---|
| CVE-2022-24999 | KY3.4-5A | nodejs-qs | Fixed |
| 软件名称 | 架构 | 版本号 |
|---|---|---|
| nodejs-qs | noarch | 6.5.1-2.kb1.ky3_4 |
方法一:下载安装包进行升级安装
1、通过下载链接下载需要升级的升级包保存,如 xxx.rpm
2、通过rpm命令升级,如 rpm -Uvh xxx.rpm
方法二:通过软件源进行升级安装
1、保持能够连接上互联网
2、通过yum命令升级指定的包,如 yum install 包名
