rpm package
opensuse/nodejs12&distro=openSUSE Leap 15.2
pkg:rpm/opensuse/nodejs12&distro=openSUSE%20Leap%2015.2
Vulnerabilities (28)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-8265 | — | | | < 12.20.1-lp152.3.9.1 | 12.20.1-lp152.3.9.1 | Jan 6, 2021 | Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If t |
| CVE-2020-8287 | — | | | < 12.20.1-lp152.3.9.1 | 12.20.1-lp152.3.9.1 | Jan 6, 2021 | Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggl |
| CVE-2020-1971 | — | | | < 12.20.1-lp152.3.9.1 | 12.20.1-lp152.3.9.1 | Dec 8, 2020 | The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This functi |
| CVE-2020-8277 | — | | | < 12.20.1-lp152.3.9.1 | 12.20.1-lp152.3.9.1 | Nov 19, 2020 | A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed i |
| CVE-2020-7774 | — | | | < 12.22.2-lp152.3.15.1 | 12.22.2-lp152.3.15.1 | Nov 17, 2020 | The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution. |
| CVE-2020-8201 | — | | | < 12.18.4-lp152.3.6.1 | 12.18.4-lp152.3.6.1 | Sep 18, 2020 | Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending |
| CVE-2020-8252 | — | | | < 12.18.4-lp152.3.6.1 | 12.18.4-lp152.3.6.1 | Sep 18, 2020 | The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes. |
| CVE-2020-15095 | — | | | < 12.18.4-lp152.3.6.1 | 12.18.4-lp152.3.6.1 | Jul 7, 2020 | Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also |
Page 2 of 2