rpm package
opensuse/nodejs12 (distro: openSUSE Leap 15.4)
pkg:rpm/opensuse/nodejs12?distro=openSUSE%20Leap%2015.4
Vulnerabilities (20)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-30590 | — | — | — | < 12.22.12-150200.4.50.1 | 12.22.12-150200.4.50.1 | Nov 28, 2023 | The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivat |
| CVE-2023-30581 | — | — | — | < 12.22.12-150200.4.50.1 | 12.22.12-150200.4.50.1 | Nov 22, 2023 | The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and v20. |
| CVE-2023-38552 | — | — | — | < 12.22.12-150200.4.53.2 | 12.22.12-150200.4.53.2 | Oct 18, 2023 | When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability |
| CVE-2023-44487 | High | 7.5 | KEV | < 12.22.12-150200.4.53.2 | 12.22.12-150200.4.53.2 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-32559 | — | — | — | < 12.22.12-150200.4.50.1 | 12.22.12-150200.4.50.1 | Aug 24, 2023 | A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `pr |
| CVE-2023-32002 | — | — | — | < 12.22.12-150200.4.50.1 | 12.22.12-150200.4.50.1 | Aug 21, 2023 | The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and 20.x. Please note |
| CVE-2023-32006 | — | — | — | < 12.22.12-150200.4.50.1 | 12.22.12-150200.4.50.1 | Aug 15, 2023 | The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and |
| CVE-2023-30589 | — | — | — | < 12.22.12-150200.4.50.1 | 12.22.12-150200.4.50.1 | Jun 30, 2023 | The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RF |
| CVE-2023-23920 | — | — | — | < 12.22.12-150200.4.44.1 | 12.22.12-150200.4.44.1 | Feb 23, 2023 | An untrusted search path vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges. |
| CVE-2023-23918 | — | — | — | < 12.22.12-150200.4.50.1 | 12.22.12-150200.4.50.1 | Feb 23, 2023 | A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access unauthorized modules by using process.mainModule. |
| CVE-2022-25881 | — | — | — | < 12.22.12-150200.4.47.1 | 12.22.12-150200.4.47.1 | Jan 31, 2023 | This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. |
| CVE-2022-43548 | — | — | — | < 12.22.12-150200.4.41.2 | 12.22.12-150200.4.41.2 | Dec 5, 2022 | An OS command injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests allowing |
| CVE-2022-35256 | — | — | — | < 12.22.12-150200.4.38.1 | 12.22.12-150200.4.38.1 | Dec 5, 2022 | The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling. |
| CVE-2022-32215 | — | — | — | < 12.22.12-150200.4.35.1 | 12.22.12-150200.4.35.1 | Jul 14, 2022 | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). |
| CVE-2022-32214 | — | — | — | < 12.22.12-150200.4.35.1 | 12.22.12-150200.4.35.1 | Jul 14, 2022 | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). |
| CVE-2022-32213 | — | — | — | < 12.22.12-150200.4.35.1 | 12.22.12-150200.4.35.1 | Jul 14, 2022 | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). |
| CVE-2022-32212 | — | — | — | < 12.22.12-150200.4.35.1 | 12.22.12-150200.4.35.1 | Jul 14, 2022 | An OS command injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests allowing rebinding |
| CVE-2021-44906 | — | — | — | < 12.22.12-150200.4.32.1 | 12.22.12-150200.4.32.1 | Mar 17, 2022 | Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). |
| CVE-2022-0778 | High | 7.5 | — | < 12.22.12-150200.4.32.1 | 12.22.12-150200.4.32.1 | Mar 15, 2022 | The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curv |
| CVE-2022-0235 | — | — | — | < 12.22.12-150200.4.32.1 | 12.22.12-150200.4.32.1 | Jan 16, 2022 | node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor |
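To tell which of the rows above still apply to a given host, compare the installed VERSION-RELEASE of the nodejs12 package with each "Fixed in" value using RPM's own ordering, not a plain string comparison (release 4.9.1 sorts below 4.10.1, and a `~` pre-release tag sorts below its base version). The following is an added example, not code from this page or from openSUSE: a pure-Python port of librpm's rpmvercmp ordering, with the fixed-in versions from the table embedded as a constructed lookup. It assumes the installed version is read with `rpm -q --qf '%{VERSION}-%{RELEASE}\n' nodejs12` and that no epoch is involved (none appears on this page).

```python
import sys
from typing import Dict, List

# Constructed from the "Fixed in" column above: the first openSUSE Leap 15.4
# nodejs12 build (VERSION-RELEASE, no epoch) that closes each CVE.
FIXED_IN: Dict[str, str] = {
    "CVE-2023-30590": "12.22.12-150200.4.50.1",
    "CVE-2023-30581": "12.22.12-150200.4.50.1",
    "CVE-2023-38552": "12.22.12-150200.4.53.2",
    "CVE-2023-44487": "12.22.12-150200.4.53.2",
    "CVE-2023-32559": "12.22.12-150200.4.50.1",
    "CVE-2023-32002": "12.22.12-150200.4.50.1",
    "CVE-2023-32006": "12.22.12-150200.4.50.1",
    "CVE-2023-30589": "12.22.12-150200.4.50.1",
    "CVE-2023-23920": "12.22.12-150200.4.44.1",
    "CVE-2023-23918": "12.22.12-150200.4.50.1",
    "CVE-2022-25881": "12.22.12-150200.4.47.1",
    "CVE-2022-43548": "12.22.12-150200.4.41.2",
    "CVE-2022-35256": "12.22.12-150200.4.38.1",
    "CVE-2022-32215": "12.22.12-150200.4.35.1",
    "CVE-2022-32214": "12.22.12-150200.4.35.1",
    "CVE-2022-32213": "12.22.12-150200.4.35.1",
    "CVE-2022-32212": "12.22.12-150200.4.35.1",
    "CVE-2021-44906": "12.22.12-150200.4.32.1",
    "CVE-2022-0778": "12.22.12-150200.4.32.1",
    "CVE-2022-0235": "12.22.12-150200.4.32.1",
}


def rpmvercmp(a: str, b: str) -> int:
    """Order two RPM version or release strings like librpm: returns -1, 0 or 1.

    Non-alphanumeric characters are separators, except '~' (sorts before
    anything, used for pre-releases) and '^' (sorts after the bare base version
    but before any other suffix). Numeric segments compare as integers, alphabetic
    segments as strings, and a numeric segment outranks an alphabetic one.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # tilde: lower than anything else
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: higher than an ended string
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        pred = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while si < len(a) and pred(a[si]):
            si += 1
        while sj < len(b) and pred(b[sj]):
            sj += 1
        seg_a, seg_b = a[i:si], b[j:sj]
        if not seg_b:                       # segment kinds differ: digits win
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # longer digit run is the larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = si, sj
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def vr_cmp(a: str, b: str) -> int:
    """Compare two VERSION-RELEASE strings: version decides first, then release."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def unfixed_cves(installed_vr: str) -> List[str]:
    """CVEs from the table whose fixing build is newer than the installed one."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if vr_cmp(installed_vr, fixed) < 0)


if __name__ == "__main__":
    # Pass the output of: rpm -q --qf '%{VERSION}-%{RELEASE}\n' nodejs12
    vr = sys.argv[1] if len(sys.argv) > 1 else "12.22.12-150200.4.44.1"  # constructed sample
    for cve in unfixed_cves(vr):
        print(cve, "fixed in", FIXED_IN[cve])
```

Run it as `python3 check_nodejs12.py "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' nodejs12)"`; an empty result means every row in the table is covered by the installed build. The ordering matters at exactly the places a naive string compare gets wrong: 4.9.x versus 4.10.x style release bumps and `~`-tagged pre-releases.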
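Three of the llhttp rows in the table (CVE-2022-32214, CVE-2022-35256 and CVE-2023-30589) come down to the same parsing defect: a bare CR, with no LF after it, was accepted as the end of a header field. The following is an added example, not code from this page or from Node.js: a strict CRLF-only parser of an HTTP/1.1 request head beside a deliberately lax one, run over a constructed request, to show how the two disagree about whether a Transfer-Encoding field is present at all. That disagreement between a strict front end and a lax back end is the precondition for request smuggling. The message bytes and function names are the example's own.

```python
import re
from typing import Dict


def parse_head(raw: bytes, strict: bool) -> Dict[bytes, bytes]:
    """Parse an HTTP/1.1 request head into a {lower-case name: value} dict.

    strict=True : a field line ends only at CRLF; a bare CR or LF left inside a
                  line makes the message invalid (RFC 9112 lets a recipient
                  either reject such a message or replace the bare CR with SP;
                  this parser rejects).
    strict=False: a bare CR also terminates a field line, the lax behaviour the
                  llhttp advisories above describe.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message head")
    if strict:
        lines = head.split(b"\r\n")
        for line in lines:
            if b"\r" in line or b"\n" in line:
                raise ValueError("bare CR/LF inside field line: %r" % line)
    else:
        lines = re.split(rb"\r\n|\r|\n", head)
    fields: Dict[bytes, bytes] = {}
    for line in lines[1:]:                   # lines[0] is the request line
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed field line: %r" % line)
        fields[name.strip().lower()] = value.strip()
    return fields


# Constructed sample: the Host field ends with a lone CR, so the following
# Transfer-Encoding field only "exists" for a parser that accepts CR alone as a
# line terminator. A strict parser sees one (invalid) Host line instead.
SMUGGLE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: backend.example\r"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

CLEAN = b"GET / HTTP/1.1\r\nHost: backend.example\r\n\r\n"


def sees_chunked(raw: bytes, strict: bool) -> bool:
    """True if this parser would switch to chunked body framing for `raw`.
    A strict parser that rejects the message never frames a body, so False."""
    try:
        fields = parse_head(raw, strict)
    except ValueError:
        return False
    return b"chunked" in fields.get(b"transfer-encoding", b"").lower()


def framing_disagrees(raw: bytes) -> bool:
    """Smuggling precondition: a strict and a lax parser frame the body differently."""
    return sees_chunked(raw, strict=True) != sees_chunked(raw, strict=False)


if __name__ == "__main__":
    for label, msg in (("smuggle", SMUGGLE), ("clean", CLEAN)):
        print(label, "strict:", sees_chunked(msg, True), "lax:", sees_chunked(msg, False),
              "desync:", framing_disagrees(msg))
```

The fixed llhttp behaves like the strict branch; the lax branch exists only to make the desync visible. The same harness can be pointed at the multi-line Transfer-Encoding case from CVE-2022-32215 by replacing the sample bytes, since the check is about framing disagreement, not about one specific header.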