Bitnami package
node
pkg:bitnami/node
Vulnerabilities (107)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-8201 | — | >= 12.0.0, < 12.18.4 | 12.18.4 | Sep 18, 2020 | Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending | ||
| CVE-2020-8252 | — | >= 10.0.0, < 10.22.1 | 10.22.1 | Sep 18, 2020 | The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes. | ||
| CVE-2020-8251 | — | >= 14.0.0, < 14.11.0 | 14.11.0 | Sep 18, 2020 | Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections. | ||
| CVE-2020-8174 | — | < 10.21.0 | 10.21.0 | Jul 24, 2020 | napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0. | ||
| CVE-2020-8172 | — | >= 12.0.0, < 12.18.0 | 12.18.0 | Jun 8, 2020 | TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0. | ||
| CVE-2020-11080 | — | >= 10.13.0, < 10.21.0 | 10.21.0 | Jun 3, 2020 | In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. T | ||
| CVE-2020-10531 | — | >= 10.13.0, < 10.21.0 | 10.21.0 | Mar 12, 2020 | An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. |
- CVE-2020-8201Sep 18, 2020affected >= 12.0.0, < 12.18.4fixed 12.18.4
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending
- CVE-2020-8252Sep 18, 2020affected >= 10.0.0, < 10.22.1fixed 10.22.1
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
- CVE-2020-8251Sep 18, 2020affected >= 14.0.0, < 14.11.0fixed 14.11.0
Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections.
- CVE-2020-8174Jul 24, 2020affected < 10.21.0fixed 10.21.0
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
- CVE-2020-8172Jun 8, 2020affected >= 12.0.0, < 12.18.0fixed 12.18.0
TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.
- CVE-2020-11080Jun 3, 2020affected >= 10.13.0, < 10.21.0fixed 10.21.0
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. T
- CVE-2020-10531Mar 12, 2020affected >= 10.13.0, < 10.21.0fixed 10.21.0
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
Page 6 of 6