rpm package

almalinux/nodejs-nodemon

pkg:rpm/almalinux/nodejs-nodemon

Vulnerabilities (146)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2021-22940	—	< 2.0.3-1.module_el8.4.0+2521+c668cc9f	2.0.3-1.module_el8.4.0+2521+c668cc9f	Aug 16, 2021	Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-22939	—	< 2.0.3-1.module_el8.4.0+2521+c668cc9f	2.0.3-1.module_el8.4.0+2521+c668cc9f	Aug 16, 2021	If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
CVE-2021-22931	—	< 2.0.3-1.module_el8.4.0+2521+c668cc9f	2.0.3-1.module_el8.4.0+2521+c668cc9f	Aug 16, 2021	Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacki
CVE-2021-32804	—	< 2.0.3-1.module_el8.4.0+2521+c668cc9f	2.0.3-1.module_el8.4.0+2521+c668cc9f	Aug 3, 2021	The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into rel
CVE-2021-32803	—	< 2.0.3-1.module_el8.4.0+2521+c668cc9f	2.0.3-1.module_el8.4.0+2521+c668cc9f	Aug 3, 2021	The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not e
CVE-2021-22918	—	< 2.0.3-1.module_el8.4.0+2521+c668cc9f	2.0.3-1.module_el8.4.0+2521+c668cc9f	Jul 12, 2021	Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. Th
CVE-2020-28469	—	< 2.0.15-1.module_el8.6.0+2904+f21ad6f4	2.0.15-1.module_el8.6.0+2904+f21ad6f4	Jun 3, 2021	This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
CVE-2021-33502	—	< 2.0.15-1.module_el8.6.0+2904+f21ad6f4	2.0.15-1.module_el8.6.0+2904+f21ad6f4	May 24, 2021	The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
CVE-2021-23343	—	< 2.0.3-1.module_el8.4.0+2521+c668cc9f	2.0.3-1.module_el8.4.0+2521+c668cc9f	May 4, 2021	All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
CVE-2021-23362	—	< 2.0.3-1.module_el8.4.0+2521+c668cc9f	2.0.3-1.module_el8.4.0+2521+c668cc9f	Mar 23, 2021	The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVE-2021-27290	—	< 2.0.3-1.module_el8.4.0+2521+c668cc9f	2.0.3-1.module_el8.4.0+2521+c668cc9f	Mar 12, 2021	ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
CVE-2021-22883	—	< 2.0.3-1.module_el8.4.0+2521+c668cc9f	2.0.3-1.module_el8.4.0+2521+c668cc9f	Mar 3, 2021	Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then th
CVE-2021-22884	—	< 2.0.3-1.module_el8.4.0+2521+c668cc9f	2.0.3-1.module_el8.4.0+2521+c668cc9f	Mar 3, 2021	Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker control
CVE-2020-8265	—	< 1.18.3-1.module_el8.3.0+2023+d2377ea3	1.18.3-1.module_el8.3.0+2023+d2377ea3	Jan 6, 2021	Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If t
CVE-2020-8287	—	< 1.18.3-1.module_el8.3.0+2023+d2377ea3	1.18.3-1.module_el8.3.0+2023+d2377ea3	Jan 6, 2021	Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggl
CVE-2020-7788	—	< 1.18.3-1.module_el8.3.0+2023+d2377ea3	1.18.3-1.module_el8.3.0+2023+d2377ea3	Dec 11, 2020	This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
CVE-2020-8277	—	< 1.18.3-1.module_el8.3.0+2023+d2377ea3	1.18.3-1.module_el8.3.0+2023+d2377ea3	Nov 19, 2020	A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed i
CVE-2020-7774	—	< 1.18.3-1.module_el8.3.0+2023+d2377ea3	1.18.3-1.module_el8.3.0+2023+d2377ea3	Nov 17, 2020	The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
CVE-2020-7754	—	< 1.18.3-1.module_el8.3.0+2023+d2377ea3	1.18.3-1.module_el8.3.0+2023+d2377ea3	Oct 27, 2020	This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
CVE-2020-8201	—	< 1.18.3-1.module_el8.3.0+2023+d2377ea3	1.18.3-1.module_el8.3.0+2023+d2377ea3	Sep 18, 2020	Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending

CVE-2021-22940Aug 16, 2021
affected < 2.0.3-1.module_el8.4.0+2521+c668cc9ffixed 2.0.3-1.module_el8.4.0+2521+c668cc9f
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-22939Aug 16, 2021
affected < 2.0.3-1.module_el8.4.0+2521+c668cc9ffixed 2.0.3-1.module_el8.4.0+2521+c668cc9f
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
CVE-2021-22931Aug 16, 2021
affected < 2.0.3-1.module_el8.4.0+2521+c668cc9ffixed 2.0.3-1.module_el8.4.0+2521+c668cc9f
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacki
CVE-2021-32804Aug 3, 2021
affected < 2.0.3-1.module_el8.4.0+2521+c668cc9ffixed 2.0.3-1.module_el8.4.0+2521+c668cc9f
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into rel
CVE-2021-32803Aug 3, 2021
affected < 2.0.3-1.module_el8.4.0+2521+c668cc9ffixed 2.0.3-1.module_el8.4.0+2521+c668cc9f
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not e
CVE-2021-22918Jul 12, 2021
affected < 2.0.3-1.module_el8.4.0+2521+c668cc9ffixed 2.0.3-1.module_el8.4.0+2521+c668cc9f
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. Th
CVE-2020-28469Jun 3, 2021
affected < 2.0.15-1.module_el8.6.0+2904+f21ad6f4fixed 2.0.15-1.module_el8.6.0+2904+f21ad6f4
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
CVE-2021-33502May 24, 2021
affected < 2.0.15-1.module_el8.6.0+2904+f21ad6f4fixed 2.0.15-1.module_el8.6.0+2904+f21ad6f4
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
CVE-2021-23343May 4, 2021
affected < 2.0.3-1.module_el8.4.0+2521+c668cc9ffixed 2.0.3-1.module_el8.4.0+2521+c668cc9f
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
CVE-2021-23362Mar 23, 2021
affected < 2.0.3-1.module_el8.4.0+2521+c668cc9ffixed 2.0.3-1.module_el8.4.0+2521+c668cc9f
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVE-2021-27290Mar 12, 2021
affected < 2.0.3-1.module_el8.4.0+2521+c668cc9ffixed 2.0.3-1.module_el8.4.0+2521+c668cc9f
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
CVE-2021-22883Mar 3, 2021
affected < 2.0.3-1.module_el8.4.0+2521+c668cc9ffixed 2.0.3-1.module_el8.4.0+2521+c668cc9f
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then th
CVE-2021-22884Mar 3, 2021
affected < 2.0.3-1.module_el8.4.0+2521+c668cc9ffixed 2.0.3-1.module_el8.4.0+2521+c668cc9f
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker control
CVE-2020-8265Jan 6, 2021
affected < 1.18.3-1.module_el8.3.0+2023+d2377ea3fixed 1.18.3-1.module_el8.3.0+2023+d2377ea3
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If t
CVE-2020-8287Jan 6, 2021
affected < 1.18.3-1.module_el8.3.0+2023+d2377ea3fixed 1.18.3-1.module_el8.3.0+2023+d2377ea3
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggl
CVE-2020-7788Dec 11, 2020
affected < 1.18.3-1.module_el8.3.0+2023+d2377ea3fixed 1.18.3-1.module_el8.3.0+2023+d2377ea3
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
CVE-2020-8277Nov 19, 2020
affected < 1.18.3-1.module_el8.3.0+2023+d2377ea3fixed 1.18.3-1.module_el8.3.0+2023+d2377ea3
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed i
CVE-2020-7774Nov 17, 2020
affected < 1.18.3-1.module_el8.3.0+2023+d2377ea3fixed 1.18.3-1.module_el8.3.0+2023+d2377ea3
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
CVE-2020-7754Oct 27, 2020
affected < 1.18.3-1.module_el8.3.0+2023+d2377ea3fixed 1.18.3-1.module_el8.3.0+2023+d2377ea3
This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
CVE-2020-8201Sep 18, 2020
affected < 1.18.3-1.module_el8.3.0+2023+d2377ea3fixed 1.18.3-1.module_el8.3.0+2023+d2377ea3
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending

Page 6 of 8