rpm package

almalinux/nodejs

pkg:rpm/almalinux/nodejs

Vulnerabilities (111)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2021-22940	—	< 1:12.22.5-1.module_el8.4.0+2529+af52a4c7	1:12.22.5-1.module_el8.4.0+2529+af52a4c7	Aug 16, 2021	Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-22939	—	< 1:12.22.5-1.module_el8.4.0+2529+af52a4c7	1:12.22.5-1.module_el8.4.0+2529+af52a4c7	Aug 16, 2021	If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
CVE-2021-22931	—	< 1:12.22.5-1.module_el8.4.0+2529+af52a4c7	1:12.22.5-1.module_el8.4.0+2529+af52a4c7	Aug 16, 2021	Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacki
CVE-2021-32804	—	< 1:12.22.5-1.module_el8.4.0+2529+af52a4c7	1:12.22.5-1.module_el8.4.0+2529+af52a4c7	Aug 3, 2021	The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into rel
CVE-2021-32803	—	< 1:12.22.5-1.module_el8.4.0+2529+af52a4c7	1:12.22.5-1.module_el8.4.0+2529+af52a4c7	Aug 3, 2021	The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not e
CVE-2020-28469	—	< 1:16.13.1-3.module_el8.5.0+2605+45d748af	1:16.13.1-3.module_el8.5.0+2605+45d748af	Jun 3, 2021	This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
CVE-2021-33502	—	< 1:16.13.1-3.module_el8.5.0+2605+45d748af	1:16.13.1-3.module_el8.5.0+2605+45d748af	May 24, 2021	The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
CVE-2021-23343	—	< 1:12.22.5-1.module_el8.4.0+2529+af52a4c7	1:12.22.5-1.module_el8.4.0+2529+af52a4c7	May 4, 2021	All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
CVE-2021-22883	—	< 1:10.24.0-1.module_el8.5.0+81+7dbe79d3	1:10.24.0-1.module_el8.5.0+81+7dbe79d3	Mar 3, 2021	Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then th
CVE-2021-22884	—	< 1:10.24.0-1.module_el8.5.0+81+7dbe79d3	1:10.24.0-1.module_el8.5.0+81+7dbe79d3	Mar 3, 2021	Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker control
CVE-2020-7788	—	< 1:16.13.1-3.module_el8.5.0+2605+45d748af	1:16.13.1-3.module_el8.5.0+2605+45d748af	Dec 11, 2020	This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

CVE-2021-22940Aug 16, 2021
affected < 1:12.22.5-1.module_el8.4.0+2529+af52a4c7fixed 1:12.22.5-1.module_el8.4.0+2529+af52a4c7
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-22939Aug 16, 2021
affected < 1:12.22.5-1.module_el8.4.0+2529+af52a4c7fixed 1:12.22.5-1.module_el8.4.0+2529+af52a4c7
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
CVE-2021-22931Aug 16, 2021
affected < 1:12.22.5-1.module_el8.4.0+2529+af52a4c7fixed 1:12.22.5-1.module_el8.4.0+2529+af52a4c7
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacki
CVE-2021-32804Aug 3, 2021
affected < 1:12.22.5-1.module_el8.4.0+2529+af52a4c7fixed 1:12.22.5-1.module_el8.4.0+2529+af52a4c7
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into rel
CVE-2021-32803Aug 3, 2021
affected < 1:12.22.5-1.module_el8.4.0+2529+af52a4c7fixed 1:12.22.5-1.module_el8.4.0+2529+af52a4c7
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not e
CVE-2020-28469Jun 3, 2021
affected < 1:16.13.1-3.module_el8.5.0+2605+45d748affixed 1:16.13.1-3.module_el8.5.0+2605+45d748af
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
CVE-2021-33502May 24, 2021
affected < 1:16.13.1-3.module_el8.5.0+2605+45d748affixed 1:16.13.1-3.module_el8.5.0+2605+45d748af
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
CVE-2021-23343May 4, 2021
affected < 1:12.22.5-1.module_el8.4.0+2529+af52a4c7fixed 1:12.22.5-1.module_el8.4.0+2529+af52a4c7
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
CVE-2021-22883Mar 3, 2021
affected < 1:10.24.0-1.module_el8.5.0+81+7dbe79d3fixed 1:10.24.0-1.module_el8.5.0+81+7dbe79d3
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then th
CVE-2021-22884Mar 3, 2021
affected < 1:10.24.0-1.module_el8.5.0+81+7dbe79d3fixed 1:10.24.0-1.module_el8.5.0+81+7dbe79d3
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker control
CVE-2020-7788Dec 11, 2020
affected < 1:16.13.1-3.module_el8.5.0+2605+45d748affixed 1:16.13.1-3.module_el8.5.0+2605+45d748af
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Page 6 of 6