Vulnerability Scan Report for registry.suse.com/bci/nodejs:20-31.11

Node.js 20 development container based on the SLE Base Container Image.

registry.suse.com/bci/nodejs:20-31.11

Last scanned on: May 16, 2025 07:13

Package Name	Severity	Status	Description	Reference links
npm20	HIGH	fixed	Security update for nodejs20 Vulnerability ID: SUSE-SU-2025:0237-1 Installed Version: 20.15.1-150600.3.3.2 Fixed Version: 20.18.2-150600.3.9.1 This update for nodejs20 fixes the following issues: Update to 20.18.2: - CVE-2025-23083: Fixed worker permission bypass via InternalWorker leak in diagnostics (bsc#1236251) - CVE-2025-23085: Fixed HTTP2 memory leak on premature close and ERR_PROTO (bsc#1236250) - CVE-2025-22150: Fixed insufficiently random values used when defining the boundary for a multipart/form-data request in undici (bsc#1236258)	CVE-2025-22150 CVE-2025-23083 CVE-2025-23085 SU-20250237-1 SUSE Bug#1236250 SUSE Bug#1236251 SUSE Bug#1236258 SUSE Mailing List [sle-security-updates] 2025-January#020197 SUSE Security Rating
npm20	MEDIUM	fixed	Security update for nodejs20 Vulnerability ID: SUSE-SU-2024:4286-1 Installed Version: 20.15.1-150600.3.3.2 Fixed Version: 20.18.1-150600.3.6.1 This update for nodejs20 fixes the following issues: - CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856) Other fixes: - Updated to 20.18.1: * Experimental Network Inspection Support in Node.js * Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext * New option for vm.createContext() to create a context with a freezable globalThis * buffer: optimize createFromString - Changes in 20.17.0: * module: support require()ing synchronous ESM graphs * path: add matchesGlob method * stream: expose DuplexPair API - Changes in 20.16.0: * process: add process.getBuiltinModule(id) * inspector: fix disable async hooks on Debugger.setAsyncCallStackDepth * buffer: add .bytes() method to Blob	CVE-2024-21538 SU-20244286-1 SUSE Bug#1233856 SUSE Mailing List [sle-security-updates] 2024-December#019985 SUSE Security Rating
openssl-3	HIGH	fixed	Security update for openssl-3 Vulnerability ID: SUSE-SU-2024:3106-1 Installed Version: 3.1.4-150600.5.10.1 Fixed Version: 3.1.4-150600.5.15.1 This update for openssl-3 fixes the following issues: - CVE-2024-6119: Fixed denial of service in X.509 name checks (bsc#1229465) Other fixes: - FIPS: Deny SHA-1 signature verification in FIPS provider (bsc#1221365). - FIPS: RSA keygen PCT requirements. - FIPS: Check that the fips provider is available before setting it as the default provider in FIPS mode (bsc#1220523). - FIPS: Port openssl to use jitterentropy (bsc#1220523). - FIPS: Block non-Approved Elliptic Curves (bsc#1221786). - FIPS: Service Level Indicator (bsc#1221365). - FIPS: Output the FIPS-validation name and module version which uniquely identify the FIPS validated module (bsc#1221751). - FIPS: Add required selftests: (bsc#1221760). - FIPS: DH: Disable FIPS 186-4 Domain Parameters (bsc#1221821). - FIPS: Recommendation for Password-Based Key Derivation (bsc#1221827). - FIPS: Zero initialization required (bsc#1221752). - FIPS: Reseed DRBG (bsc#1220690, bsc#1220693, bsc#1220696). - FIPS: NIST SP 800-56Brev2 (bsc#1221824). - FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 (bsc#1221787). - FIPS: Port openssl to use jitterentropy (bsc#1220523). - FIPS: NIST SP 800-56Arev3 (bsc#1221822). - FIPS: Error state has to be enforced (bsc#1221753).	CVE-2024-6119 SU-20243106-1 SUSE Bug#1220523 SUSE Bug#1220690 SUSE Bug#1220693 SUSE Bug#1220696 SUSE Bug#1221365 SUSE Bug#1221751 SUSE Bug#1221752 SUSE Bug#1221753 SUSE Bug#1221760 SUSE Bug#1221786 SUSE Bug#1221787 SUSE Bug#1221821 SUSE Bug#1221822 SUSE Bug#1221824 SUSE Bug#1221827 SUSE Bug#1229465 SUSE Mailing List [sle-updates] 2024-September#036766 SUSE Security Rating
openssl-3	HIGH	fixed	Security update for openssl-3 Vulnerability ID: SUSE-SU-2024:3501-1 Installed Version: 3.1.4-150600.5.10.1 Fixed Version: 3.1.4-150600.5.18.1 This update for openssl-3 fixes the following issues: - CVE-2024-41996: Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers to trigger expensive server-side DHE (bsc#1230698)	CVE-2024-41996 SU-20243501-1 SUSE Bug#1230698 SUSE Mailing List [sle-updates] 2024-October#037124 SUSE Security Rating
openssl-3	HIGH	fixed	Security update for openssl-3 Vulnerability ID: SUSE-SU-2025:1550-1 Installed Version: 3.1.4-150600.5.10.1 Fixed Version: 3.1.4-150600.5.27.1 This update for openssl-3 fixes the following issues: Security: - CVE-2025-27587: Timing side channel vulnerability in the P-384 implementation when used with ECDSA in the PPC architecture (bsc#1240366). - Missing null pointer check before accessing handshake_func in ssl_lib.c (bsc#1240607). FIPS: - Disabling EMS in OpenSSL configuration prevents sshd from starting (bsc#1230959, bsc#1232326, bsc#1231748).	CVE-2025-27587 SU-20251550-1 SUSE Bug#1230959 SUSE Bug#1231748 SUSE Bug#1232326 SUSE Bug#1240366 SUSE Bug#1240607 SUSE Mailing List [sle-updates] 2025-May#039218 SUSE Security Rating