Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality and denial of service due to [CVE-2023-46809] [CVE-2024-21892] [CVE-2024-22019]
Description

Summary

Node.js is used by IBM App Connect Enterprise Certified Container as one of the main runtimes. IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality and denial of service. This bulletin provides patch information to address the reported vulnerability in Node.js. [CVE-2023-46809] [CVE-2024-21892] [CVE-2024-22019]

Vulnerability Details

CVEID: CVE-2023-46809
DESCRIPTION: Node.js could allow a remote attacker to obtain sensitive information, caused by a vulnerability in the privateDecrypt() API of the crypto library. An attacker could exploit this vulnerability to conduct a covert timing side-channel during PKCS#1 v1.5 padding error handling and obtain significant timing differences in decryption for valid and invalid ciphertexts.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282990 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2024-21892
DESCRIPTION: Node.js could allow a local authenticated attacker to gain elevated privileges on the system, caused by a bug in the implementation of the exception of CAP_NET_BIND_SERVICE. An attacker could exploit this vulnerability to inject code that inherits the process's elevated privileges.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282986 for the current score.
CVSS Vector:…
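For Node.js application code you maintain yourself, the CVE-2023-46809 description above points at privateDecrypt() with PKCS#1 v1.5 padding; the following is an added example, not code from IBM or the Node.js project, of a decryption wrapper that accepts RSA-OAEP only and reports every failure with one generic error. The helper names `decryptOaepOnly`, `encryptOaep` and `demo` are hypothetical, the key and plaintext are constructed, and it assumes the sending side can also encrypt with OAEP and SHA-256.

```javascript
const crypto = require('node:crypto');

const OAEP = crypto.constants.RSA_PKCS1_OAEP_PADDING;

// Hypothetical helper: private-key decryption that refuses PKCS#1 v1.5.
function decryptOaepOnly(privateKey, ciphertext, padding = OAEP) {
  if (padding !== OAEP) {
    throw new TypeError('only RSA-OAEP is accepted for private-key decryption');
  }
  try {
    return crypto.privateDecrypt(
      { key: privateKey, padding: OAEP, oaepHash: 'sha256' },
      ciphertext
    );
  } catch {
    // One generic error for every failure: no padding detail reaches the caller.
    throw new Error('decryption failed');
  }
}

// Hypothetical helper: the matching encryption side.
function encryptOaep(publicKey, plaintext) {
  return crypto.publicEncrypt(
    { key: publicKey, padding: OAEP, oaepHash: 'sha256' },
    plaintext
  );
}

// Constructed demonstration: round trip, refused v1.5 request, tampered input.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
  });
  const ct = encryptOaep(publicKey, Buffer.from('constructed sample secret'));
  const roundTrip = decryptOaepOnly(privateKey, ct).toString();

  let refusedV15 = false;
  try {
    decryptOaepOnly(privateKey, ct, crypto.constants.RSA_PKCS1_PADDING);
  } catch (e) {
    refusedV15 = e instanceof TypeError;
  }

  const tampered = Buffer.from(ct);
  tampered[tampered.length - 1] ^= 1; // flip one bit of the ciphertext
  let tamperedError = null;
  try {
    decryptOaepOnly(privateKey, tampered);
  } catch (e) {
    tamperedError = e.message;
  }
  return { roundTrip, refusedV15, tamperedError };
}
```

The wrapper narrows what application code asks of the crypto library; it does not replace applying the patched runtime this bulletin refers to.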
