Bitnami package

node-min

pkg:bitnami/node-min

Vulnerabilities (107)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2021-44532		—	< 12.22.9	12.22.9	Feb 24, 2022	Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name
CVE-2021-44531		—	< 12.22.9	12.22.9	Feb 24, 2022	Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are o
CVE-2022-21824		—	>= 12.0.0, < 12.22.9	12.22.9	Feb 24, 2022	Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The p
CVE-2021-4044		—	>= 17.0.0, < 17.3.0	17.3.0	Dec 14, 2021	Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL
CVE-2021-3672		—	>= 12.0.0, < 12.12.1	12.12.1	Nov 23, 2021	A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality
CVE-2021-22930		—	>= 12.0.0, < 12.22.4	12.22.4	Oct 7, 2021	Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-22940		—	>= 12.0.0, < 12.22.5	12.22.5	Aug 16, 2021	Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-22939		—	>= 12.0.0, < 12.22.5	12.22.5	Aug 16, 2021	If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
CVE-2021-22931		—	>= 12.0.0, < 12.12.1	12.12.1	Aug 16, 2021	Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacki
CVE-2021-22921		—	>= 12.0.0, < 12.22.2	12.22.2	Jul 12, 2021	Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escala
CVE-2021-22918		—	>= 12.0.0, < 12.22.2	12.22.2	Jul 12, 2021	Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. Th
CVE-2021-3450		—	>= 10.0.0, < 10.24.1	10.24.1	Mar 25, 2021	The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve paramet
CVE-2021-3449		—	>= 10.0.0, < 10.12.1	10.12.1	Mar 25, 2021	An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_ce
CVE-2021-22883		—	>= 10.0.0, < 10.24.0	10.24.0	Mar 3, 2021	Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then th
CVE-2021-22884		—	>= 10.0.0, < 10.24.0	10.24.0	Mar 3, 2021	Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker control
CVE-2021-23840	Hig	7.5	>= 10.0.0, < 10.12.1	10.12.1	Feb 16, 2021	Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be
CVE-2020-8265		—	>= 10.0.0, < 10.23.1	10.23.1	Jan 6, 2021	Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If t
CVE-2020-8287		—	>= 10.0.0, < 10.23.1	10.23.1	Jan 6, 2021	Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggl
CVE-2020-1971		—	>= 10.0.0, < 10.12.1	10.12.1	Dec 8, 2020	The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This functi
CVE-2020-8277		—	>= 12.16.3, < 12.19.1	12.19.1	Nov 19, 2020	A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed i

CVE-2021-44532Feb 24, 2022
affected < 12.22.9fixed 12.22.9
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name
CVE-2021-44531Feb 24, 2022
affected < 12.22.9fixed 12.22.9
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are o
CVE-2022-21824Feb 24, 2022
affected >= 12.0.0, < 12.22.9fixed 12.22.9
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The p
CVE-2021-4044Dec 14, 2021
affected >= 17.0.0, < 17.3.0fixed 17.3.0
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL
CVE-2021-3672Nov 23, 2021
affected >= 12.0.0, < 12.12.1fixed 12.12.1
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality
CVE-2021-22930Oct 7, 2021
affected >= 12.0.0, < 12.22.4fixed 12.22.4
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-22940Aug 16, 2021
affected >= 12.0.0, < 12.22.5fixed 12.22.5
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-22939Aug 16, 2021
affected >= 12.0.0, < 12.22.5fixed 12.22.5
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
CVE-2021-22931Aug 16, 2021
affected >= 12.0.0, < 12.12.1fixed 12.12.1
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacki
CVE-2021-22921Jul 12, 2021
affected >= 12.0.0, < 12.22.2fixed 12.22.2
Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escala
CVE-2021-22918Jul 12, 2021
affected >= 12.0.0, < 12.22.2fixed 12.22.2
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. Th
CVE-2021-3450Mar 25, 2021
affected >= 10.0.0, < 10.24.1fixed 10.24.1
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve paramet
CVE-2021-3449Mar 25, 2021
affected >= 10.0.0, < 10.12.1fixed 10.12.1
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_ce
CVE-2021-22883Mar 3, 2021
affected >= 10.0.0, < 10.24.0fixed 10.24.0
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then th
CVE-2021-22884Mar 3, 2021
affected >= 10.0.0, < 10.24.0fixed 10.24.0
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker control
CVE-2021-23840HigFeb 16, 2021
affected >= 10.0.0, < 10.12.1fixed 10.12.1
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be
CVE-2020-8265Jan 6, 2021
affected >= 10.0.0, < 10.23.1fixed 10.23.1
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If t
CVE-2020-8287Jan 6, 2021
affected >= 10.0.0, < 10.23.1fixed 10.23.1
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggl
CVE-2020-1971Dec 8, 2020
affected >= 10.0.0, < 10.12.1fixed 10.12.1
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This functi
CVE-2020-8277Nov 19, 2020
affected >= 12.16.3, < 12.19.1fixed 12.19.1
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed i

Page 5 of 6