rpm package
almalinux/nodejs-libs
pkg:rpm/almalinux/nodejs-libs
Vulnerabilities (70)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-32214 | — | — | — | < 1:16.16.0-1.el9_0 | 1:16.16.0-1.el9_0 | Jul 14, 2022 | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). |
| CVE-2022-32213 | — | — | — | < 1:16.16.0-1.el9_0 | 1:16.16.0-1.el9_0 | Jul 14, 2022 | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). |
| CVE-2022-32212 | — | — | — | < 1:16.16.0-1.el9_0 | 1:16.16.0-1.el9_0 | Jul 14, 2022 | An OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests, allowing rebinding. |
| CVE-2022-33987 | — | — | — | < 1:16.16.0-1.el9_0 | 1:16.16.0-1.el9_0 | Jun 18, 2022 | The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket. |
| CVE-2022-29244 | — | — | — | < 1:16.16.0-1.el9_0 | 1:16.16.0-1.el9_0 | Jun 13, 2022 | npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, m |
| CVE-2021-44906 | — | — | — | < 1:16.18.1-3.el9_1 | 1:16.18.1-3.el9_1 | Mar 17, 2022 | Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). |
| CVE-2021-3807 | — | — | — | < 1:16.16.0-1.el9_0 | 1:16.16.0-1.el9_0 | Sep 17, 2021 | ansi-regex is vulnerable to Inefficient Regular Expression Complexity. |
| CVE-2020-28469 | — | — | — | < 1:16.16.0-1.el9_0 | 1:16.16.0-1.el9_0 | Jun 3, 2021 | This affects the package glob-parent before 5.1.2. The enclosure regex is used to check for strings ending in an enclosure containing a path separator. |
| CVE-2021-33502 | — | — | — | < 1:16.16.0-1.el9_0 | 1:16.16.0-1.el9_0 | May 24, 2021 | The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs. |
| CVE-2020-7788 | — | — | — | < 1:16.16.0-1.el9_0 | 1:16.16.0-1.el9_0 | Dec 11, 2020 | This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context. |
Page 4 of 4