Security Bulletin: Node.js as used in IBM QRadar Packet Capture is susceptible to multiple vulnerabilities

Vulnerability Details

CVEID: CVE-2018-7158
Description: Node.js path module is vulnerable to a denial of service. By sending a specially crafted file path, an attacker could exploit this vulnerability to cause a regular expression denial of service.
CVSS Base Score: 5.90
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/143449 for the current score
CVSS Environmental Score: *Undefined
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID: CVE-2018-7159
Description: Node.js http module could allow a remote attacker to bypass security restrictions, caused by the acceptance of incorrect Content-Length values, containing spaces within the value, in HTTP headers. An attacker could exploit this vulnerability to confuse the script and launch further attacks on the system.
CVSS Base Score: 5.30
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/143448 for the current score
CVSS Environmental Score: *Undefined
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVEID: CVE-2018-7160
Description: Node.js inspector module could allow a remote attacker to bypass security restrictions, caused by the failure to properly validate the Host header. An attacker could exploit this vulnerability to bypass same-origin policy and conduct a DNS rebinding attack.
CVSS Base Score: 5.80
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/143447 for the current score
CVSS Environmental Score: *Undefined
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

CVEID: CVE-2018-7161
Description: Node.js is vulnerable to a denial of service, caused by an error within the http2 implementation. By interacting with the http2 server in an insecure manner, a remote attacker could exploit this vulnerability to cause the node server providing an http2 server to crash. 
CVSS Base Score: 7.50
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144736 for the current score 
CVSS Environmental Score: *Undefined 
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID: CVE-2018-12115
Description: Node.js is vulnerable to a denial of service, caused by an out-of-bounds write in Buffer. An attacker could exploit this vulnerability to write to memory outside of a Buffer's memory space, corrupt Buffer objects or cause the process to crash.
CVSS Base Score: 8.20
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148426 for the current score 
CVSS Environmental Score: *Undefined 
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CVEID: CVE-2018-7166
Description: Node.js could allow a remote attacker to obtain sensitive information, caused by the return of uninitialized memory by the Buffer.alloc() function. By sending a specially crafted argument, an attacker could exploit this vulnerability to obtain sensitive information. 
CVSS Base Score: 7.50
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148425 for the current score 
CVSS Environmental Score: *Undefined 
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N