Advisories » MGASA-2024-0080

Updated nodejs-tough-cookie packages fix security vulnerability

Publication date: 22 Mar 2024
Modification date: 21 Mar 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-26136

Description

Versions of the package tough-cookie before 4.1.3 are vulnerable to
Prototype Pollution due to improper handling of Cookies when using
CookieJar in rejectPublicSuffixes=false mode.
This issue arises from the manner in which the objects are initialized.
(CVE-2023-26136)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=32114
• https://www.debian.org/lts/security/2023/dla-3488
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26136

SRPMS

9/core

• nodejs-tough-cookie-2.3.4-5.1.mga9