rpm package

opensuse/nodejs10&distro=openSUSE Leap 15.2

pkg:rpm/opensuse/nodejs10&distro=openSUSE%20Leap%2015.2

Vulnerabilities (18)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2021-3672		—	< 10.24.1-lp152.2.18.1	10.24.1-lp152.2.18.1	Nov 23, 2021	A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality
CVE-2021-22930		—	< 10.24.1-lp152.2.18.1	10.24.1-lp152.2.18.1	Oct 7, 2021	Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-22939		—	< 10.24.1-lp152.2.18.1	10.24.1-lp152.2.18.1	Aug 16, 2021	If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
CVE-2021-22931		—	< 10.24.1-lp152.2.18.1	10.24.1-lp152.2.18.1	Aug 16, 2021	Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacki
CVE-2021-22918		—	< 10.24.1-lp152.2.15.1	10.24.1-lp152.2.15.1	Jul 12, 2021	Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. Th
CVE-2021-3450		—	< 10.24.1-lp152.2.15.1	10.24.1-lp152.2.15.1	Mar 25, 2021	The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve paramet
CVE-2021-3449		—	< 10.24.1-lp152.2.15.1	10.24.1-lp152.2.15.1	Mar 25, 2021	An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_ce
CVE-2021-23362		—	< 10.24.1-lp152.2.15.1	10.24.1-lp152.2.15.1	Mar 23, 2021	The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVE-2021-27290		—	< 10.24.1-lp152.2.15.1	10.24.1-lp152.2.15.1	Mar 12, 2021	ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
CVE-2021-22883		—	< 10.24.0-lp152.2.12.1	10.24.0-lp152.2.12.1	Mar 3, 2021	Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then th
CVE-2021-22884		—	< 10.24.0-lp152.2.12.1	10.24.0-lp152.2.12.1	Mar 3, 2021	Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker control
CVE-2021-23840	Hig	7.5	< 10.24.0-lp152.2.12.1	10.24.0-lp152.2.12.1	Feb 16, 2021	Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be
CVE-2020-8265		—	< 10.23.1-lp152.2.9.1	10.23.1-lp152.2.9.1	Jan 6, 2021	Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If t
CVE-2020-8287		—	< 10.23.1-lp152.2.9.1	10.23.1-lp152.2.9.1	Jan 6, 2021	Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggl
CVE-2020-1971		—	< 10.23.1-lp152.2.9.1	10.23.1-lp152.2.9.1	Dec 8, 2020	The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This functi
CVE-2020-7774		—	< 10.24.1-lp152.2.15.1	10.24.1-lp152.2.15.1	Nov 17, 2020	The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
CVE-2020-8252		—	< 10.22.1-lp152.2.6.1	10.22.1-lp152.2.6.1	Sep 18, 2020	The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
CVE-2020-15095		—	< 10.22.1-lp152.2.6.1	10.22.1-lp152.2.6.1	Jul 7, 2020	Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also

CVE-2021-3672Nov 23, 2021
affected < 10.24.1-lp152.2.18.1fixed 10.24.1-lp152.2.18.1
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality
CVE-2021-22930Oct 7, 2021
affected < 10.24.1-lp152.2.18.1fixed 10.24.1-lp152.2.18.1
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-22939Aug 16, 2021
affected < 10.24.1-lp152.2.18.1fixed 10.24.1-lp152.2.18.1
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
CVE-2021-22931Aug 16, 2021
affected < 10.24.1-lp152.2.18.1fixed 10.24.1-lp152.2.18.1
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacki
CVE-2021-22918Jul 12, 2021
affected < 10.24.1-lp152.2.15.1fixed 10.24.1-lp152.2.15.1
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. Th
CVE-2021-3450Mar 25, 2021
affected < 10.24.1-lp152.2.15.1fixed 10.24.1-lp152.2.15.1
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve paramet
CVE-2021-3449Mar 25, 2021
affected < 10.24.1-lp152.2.15.1fixed 10.24.1-lp152.2.15.1
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_ce
CVE-2021-23362Mar 23, 2021
affected < 10.24.1-lp152.2.15.1fixed 10.24.1-lp152.2.15.1
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVE-2021-27290Mar 12, 2021
affected < 10.24.1-lp152.2.15.1fixed 10.24.1-lp152.2.15.1
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
CVE-2021-22883Mar 3, 2021
affected < 10.24.0-lp152.2.12.1fixed 10.24.0-lp152.2.12.1
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then th
CVE-2021-22884Mar 3, 2021
affected < 10.24.0-lp152.2.12.1fixed 10.24.0-lp152.2.12.1
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker control
CVE-2021-23840HigFeb 16, 2021
affected < 10.24.0-lp152.2.12.1fixed 10.24.0-lp152.2.12.1
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be
CVE-2020-8265Jan 6, 2021
affected < 10.23.1-lp152.2.9.1fixed 10.23.1-lp152.2.9.1
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If t
CVE-2020-8287Jan 6, 2021
affected < 10.23.1-lp152.2.9.1fixed 10.23.1-lp152.2.9.1
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggl
CVE-2020-1971Dec 8, 2020
affected < 10.23.1-lp152.2.9.1fixed 10.23.1-lp152.2.9.1
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This functi
CVE-2020-7774Nov 17, 2020
affected < 10.24.1-lp152.2.15.1fixed 10.24.1-lp152.2.15.1
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
CVE-2020-8252Sep 18, 2020
affected < 10.22.1-lp152.2.6.1fixed 10.22.1-lp152.2.6.1
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
CVE-2020-15095Jul 7, 2020
affected < 10.22.1-lp152.2.6.1fixed 10.22.1-lp152.2.6.1
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also