rpm package
almalinux/nodejs
pkg:rpm/almalinux/nodejs
Vulnerabilities (111)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-32214 | Med | 6.5 | < 1:14.20.0-2.module_el8.6.0+3261+490666b3 | 1:14.20.0-2.module_el8.6.0+3261+490666b3 | Jul 14, 2022 | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). | |
| CVE-2022-32213 | Med | 6.5 | < 1:14.20.0-2.module_el8.6.0+3261+490666b3 | 1:14.20.0-2.module_el8.6.0+3261+490666b3 | Jul 14, 2022 | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). | |
| CVE-2022-32212 | Hig | 8.1 | < 1:14.20.0-2.module_el8.6.0+3261+490666b3 | 1:14.20.0-2.module_el8.6.0+3261+490666b3 | Jul 14, 2022 | A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding | |
| CVE-2022-33987 | Med | 5.3 | < 1:14.20.0-2.module_el8.6.0+3261+490666b3 | 1:14.20.0-2.module_el8.6.0+3261+490666b3 | Jun 18, 2022 | The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket. | |
| CVE-2022-29244 | Hig | 7.5 | < 1:16.16.0-1.el9_0 | 1:16.16.0-1.el9_0 | Jun 13, 2022 | npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, m | |
| CVE-2021-44906 | Cri | 9.8 | < 1:16.18.1-3.module_el8.7.0+3371+ed8c43db | 1:16.18.1-3.module_el8.7.0+3371+ed8c43db | Mar 17, 2022 | Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). | |
| CVE-2022-21824 | Hig | 8.2 | < 1:14.20.1-2.module_el8.7.0+3342+b2df8497 | 1:14.20.1-2.module_el8.7.0+3342+b2df8497 | Feb 24, 2022 | Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The p | |
| CVE-2021-44533 | Med | 5.3 | < 1:14.20.1-2.module_el8.7.0+3342+b2df8497 | 1:14.20.1-2.module_el8.7.0+3342+b2df8497 | Feb 24, 2022 | Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguis | |
| CVE-2021-44532 | Med | 5.3 | < 1:14.20.1-2.module_el8.7.0+3342+b2df8497 | 1:14.20.1-2.module_el8.7.0+3342+b2df8497 | Feb 24, 2022 | Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name | |
| CVE-2021-44531 | Hig | 7.4 | < 1:14.20.1-2.module_el8.7.0+3342+b2df8497 | 1:14.20.1-2.module_el8.7.0+3342+b2df8497 | Feb 24, 2022 | Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are o | |
| CVE-2022-0235 | Med | 6.1 | < 1:14.21.1-2.module_el8.7.0+3373+a4c18c43 | 1:14.21.1-2.module_el8.7.0+3373+a4c18c43 | Jan 16, 2022 | node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor | |
| CVE-2021-3672 | Med | 5.6 | < 1:12.22.5-1.module_el8.4.0+2529+af52a4c7 | 1:12.22.5-1.module_el8.4.0+2529+af52a4c7 | Nov 23, 2021 | A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality | |
| CVE-2021-22959 | Med | 6.5 | < 1:16.13.1-3.module_el8.5.0+2605+45d748af | 1:16.13.1-3.module_el8.5.0+2605+45d748af | Nov 15, 2021 | The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. | |
| CVE-2021-43616 | Cri | 9.0 | < 1:16.14.0-4.module_el8.6.0+2904+f21ad6f4 | 1:16.14.0-4.module_el8.6.0+2904+f21ad6f4 | Nov 13, 2021 | The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was sup | |
| CVE-2021-3918 | Cri | 9.8 | < 1:16.13.1-3.module_el8.5.0+2605+45d748af | 1:16.13.1-3.module_el8.5.0+2605+45d748af | Nov 13, 2021 | json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | |
| CVE-2021-22960 | Med | 6.5 | < 1:16.13.1-3.module_el8.5.0+2605+45d748af | 1:16.13.1-3.module_el8.5.0+2605+45d748af | Nov 3, 2021 | The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. | |
| CVE-2021-22930 | Cri | 9.8 | < 1:12.22.5-1.module_el8.4.0+2529+af52a4c7 | 1:12.22.5-1.module_el8.4.0+2529+af52a4c7 | Oct 7, 2021 | Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. | |
| CVE-2021-3807 | Hig | 7.5 | < 1:16.13.1-3.module_el8.5.0+2605+45d748af | 1:16.13.1-3.module_el8.5.0+2605+45d748af | Sep 17, 2021 | ansi-regex is vulnerable to Inefficient Regular Expression Complexity | |
| CVE-2021-37712 | Hig | 8.2 | < 1:14.18.2-2.module_el8.5.0+2618+8d46dafd | 1:14.18.2-2.module_el8.5.0+2618+8d46dafd | Aug 31, 2021 | The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This | |
| CVE-2021-37701 | Hig | 8.2 | < 1:14.18.2-2.module_el8.5.0+2618+8d46dafd | 1:14.18.2-2.module_el8.5.0+2618+8d46dafd | Aug 31, 2021 | The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This i |
- affected < 1:14.20.0-2.module_el8.6.0+3261+490666b3fixed 1:14.20.0-2.module_el8.6.0+3261+490666b3
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
- affected < 1:14.20.0-2.module_el8.6.0+3261+490666b3fixed 1:14.20.0-2.module_el8.6.0+3261+490666b3
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
- affected < 1:14.20.0-2.module_el8.6.0+3261+490666b3fixed 1:14.20.0-2.module_el8.6.0+3261+490666b3
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding
- affected < 1:14.20.0-2.module_el8.6.0+3261+490666b3fixed 1:14.20.0-2.module_el8.6.0+3261+490666b3
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
- affected < 1:16.16.0-1.el9_0fixed 1:16.16.0-1.el9_0
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, m
- affected < 1:16.18.1-3.module_el8.7.0+3371+ed8c43dbfixed 1:16.18.1-3.module_el8.7.0+3371+ed8c43db
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
- affected < 1:14.20.1-2.module_el8.7.0+3342+b2df8497fixed 1:14.20.1-2.module_el8.7.0+3342+b2df8497
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The p
- affected < 1:14.20.1-2.module_el8.7.0+3342+b2df8497fixed 1:14.20.1-2.module_el8.7.0+3342+b2df8497
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguis
- affected < 1:14.20.1-2.module_el8.7.0+3342+b2df8497fixed 1:14.20.1-2.module_el8.7.0+3342+b2df8497
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name
- affected < 1:14.20.1-2.module_el8.7.0+3342+b2df8497fixed 1:14.20.1-2.module_el8.7.0+3342+b2df8497
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are o
- affected < 1:14.21.1-2.module_el8.7.0+3373+a4c18c43fixed 1:14.21.1-2.module_el8.7.0+3373+a4c18c43
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
- affected < 1:12.22.5-1.module_el8.4.0+2529+af52a4c7fixed 1:12.22.5-1.module_el8.4.0+2529+af52a4c7
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality
- affected < 1:16.13.1-3.module_el8.5.0+2605+45d748affixed 1:16.13.1-3.module_el8.5.0+2605+45d748af
The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.
- affected < 1:16.14.0-4.module_el8.6.0+2904+f21ad6f4fixed 1:16.14.0-4.module_el8.6.0+2904+f21ad6f4
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was sup
- affected < 1:16.13.1-3.module_el8.5.0+2605+45d748affixed 1:16.13.1-3.module_el8.5.0+2605+45d748af
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- affected < 1:16.13.1-3.module_el8.5.0+2605+45d748affixed 1:16.13.1-3.module_el8.5.0+2605+45d748af
The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
- affected < 1:12.22.5-1.module_el8.4.0+2529+af52a4c7fixed 1:12.22.5-1.module_el8.4.0+2529+af52a4c7
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
- affected < 1:16.13.1-3.module_el8.5.0+2605+45d748affixed 1:16.13.1-3.module_el8.5.0+2605+45d748af
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
- affected < 1:14.18.2-2.module_el8.5.0+2618+8d46dafdfixed 1:14.18.2-2.module_el8.5.0+2618+8d46dafd
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This
- affected < 1:14.18.2-2.module_el8.5.0+2618+8d46dafdfixed 1:14.18.2-2.module_el8.5.0+2618+8d46dafd
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This i
Page 5 of 6