Bitnami package
node
pkg:bitnami/node
Vulnerabilities (109)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-1971 | Med | 5.9 | >= 10.13.0, < 10.23.1 | 10.23.1 | Dec 8, 2020 | The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This functi | |
| CVE-2020-8277 | — | >= 12.16.3, < 12.19.1 | 12.19.1 | Nov 19, 2020 | A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed i | ||
| CVE-2020-8201 | — | >= 12.0.0, < 12.18.4 | 12.18.4 | Sep 18, 2020 | Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending | ||
| CVE-2020-8252 | — | >= 10.0.0, < 10.22.1 | 10.22.1 | Sep 18, 2020 | The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes. | ||
| CVE-2020-8251 | — | >= 14.0.0, < 14.11.0 | 14.11.0 | Sep 18, 2020 | Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections. | ||
| CVE-2020-8174 | — | < 10.21.0 | 10.21.0 | Jul 24, 2020 | napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0. | ||
| CVE-2020-8172 | — | >= 12.0.0, < 12.18.0 | 12.18.0 | Jun 8, 2020 | TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0. | ||
| CVE-2020-11080 | — | >= 10.13.0, < 10.21.0 | 10.21.0 | Jun 3, 2020 | In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. T | ||
| CVE-2020-10531 | — | >= 10.13.0, < 10.21.0 | 10.21.0 | Mar 12, 2020 | An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. |
- affected >= 10.13.0, < 10.23.1fixed 10.23.1
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This functi
- CVE-2020-8277Nov 19, 2020affected >= 12.16.3, < 12.19.1fixed 12.19.1
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed i
- CVE-2020-8201Sep 18, 2020affected >= 12.0.0, < 12.18.4fixed 12.18.4
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending
- CVE-2020-8252Sep 18, 2020affected >= 10.0.0, < 10.22.1fixed 10.22.1
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
- CVE-2020-8251Sep 18, 2020affected >= 14.0.0, < 14.11.0fixed 14.11.0
Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections.
- CVE-2020-8174Jul 24, 2020affected < 10.21.0fixed 10.21.0
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
- CVE-2020-8172Jun 8, 2020affected >= 12.0.0, < 12.18.0fixed 12.18.0
TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.
- CVE-2020-11080Jun 3, 2020affected >= 10.13.0, < 10.21.0fixed 10.21.0
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. T
- CVE-2020-10531Mar 12, 2020affected >= 10.13.0, < 10.21.0fixed 10.21.0
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
Page 6 of 6