The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the DLA-3886 advisory.

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3886-1                          [email protected]
https://www.debian.org/lts/security/                      Bastien Roucariès
September 14, 2024                               https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : nodejs
Version        : 12.22.12~dfsg-1~deb11u5
CVE ID         : CVE-2023-30589 CVE-2023-30590 CVE-2023-32559 CVE-2023-46809
                 CVE-2024-22019 CVE-2024-22025 CVE-2024-27982 CVE-2024-27983

Node.js, a JavaScript runtime environment that executes JavaScript code outside a web browser (server side), was vulnerable.

CVE-2023-30589

    The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC 7230 section 3, only the CRLF sequence should delimit each header field.

CVE-2023-30590

    The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has…
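The CVE-2023-30589 entry describes a parser that treats a bare CR as a header-field terminator, while RFC 7230 section 3 allows only CRLF. The request-smuggling risk comes from two components disagreeing about where one field ends and the next begins. The following is an added example, not code from the advisory, from Node.js or from llhttp: a lenient splitter of the kind the advisory describes is placed beside a strict RFC 7230 splitter, and both are run over a constructed header block in which a bare CR sits inside a field value. The function and constant names, and the sample header blocks, are assumptions made for this illustration.

```javascript
// Added example (not from the DLA-3886 advisory, Node.js or llhttp): a strict
// RFC 7230 header-field splitter next to a lenient one, showing how accepting a
// bare CR as a terminator changes the set of header fields a parser reports.

// Lenient splitter: accepts CRLF, bare CR or bare LF as a field terminator.
// This is the behaviour class the advisory describes for CVE-2023-30589.
function splitHeadersLenient(block) {
  return block.split(/\r\n|\r|\n/).filter((line) => line.length > 0);
}

// Strict splitter (RFC 7230 section 3): only CRLF terminates a header field.
// A bare CR or bare LF left inside a field is a parse error, not a delimiter,
// so the block is rejected instead of being silently reinterpreted.
function splitHeadersStrict(block) {
  const lines = block.split('\r\n').filter((line) => line.length > 0);
  for (const line of lines) {
    if (line.includes('\r') || line.includes('\n')) {
      throw new Error('bare CR or LF inside header field: ' + JSON.stringify(line));
    }
  }
  return lines;
}

// Turn "Name: value" lines into an object with lower-cased names; a line
// without a colon (or with an empty name) is malformed and rejected.
function parseHeaders(lines) {
  const headers = {};
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx <= 0) {
      throw new Error('malformed header field: ' + JSON.stringify(line));
    }
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = value;
  }
  return headers;
}

// Constructed sample inputs (hypothetical, not captured traffic): one
// well-formed block, and one where a bare CR sits inside the X-Note value.
const WELL_FORMED = 'Host: example.test\r\nContent-Length: 5\r\n';
const BARE_CR = 'Host: example.test\r\nX-Note: a\rContent-Length: 5\r\n';

// Run both splitters over a block and return what each one concluded, so the
// disagreement between lenient and strict handling is visible side by side.
function compare(block) {
  const lenient = parseHeaders(splitHeadersLenient(block));
  let strict;
  try {
    strict = parseHeaders(splitHeadersStrict(block));
  } catch (err) {
    strict = { error: err.message };
  }
  return { lenient, strict };
}

console.log(JSON.stringify(compare(WELL_FORMED), null, 2));
console.log(JSON.stringify(compare(BARE_CR), null, 2));
```

On the well-formed block both splitters agree. On the block with a bare CR, the lenient splitter reports three fields (Host, X-Note and Content-Length), while the strict splitter refuses the whole block because a field contains a bare CR. A front end and back end that fall on different sides of that choice would see different framing for the same bytes, which is the condition the advisory's HRS note refers to; the defensive position is the strict one, to reject rather than reinterpret.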