rpm package
opensuse/nodejs14&distro=openSUSE Leap 15.3
pkg:rpm/opensuse/nodejs14&distro=openSUSE%20Leap%2015.3
Vulnerabilities (34)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-43548 | — | < 14.21.1-150200.15.40.2 | 14.21.1-150200.15.40.2 | Dec 5, 2022 | A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing | ||
| CVE-2022-35256 | — | < 14.20.1-150200.15.37.1 | 14.20.1-150200.15.37.1 | Dec 5, 2022 | The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling. | ||
| CVE-2022-32215 | — | < 14.20.0-150200.15.34.1 | 14.20.0-150200.15.34.1 | Jul 14, 2022 | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). | ||
| CVE-2022-32214 | — | < 14.20.0-150200.15.34.1 | 14.20.0-150200.15.34.1 | Jul 14, 2022 | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). | ||
| CVE-2022-32213 | — | < 14.20.0-150200.15.34.1 | 14.20.0-150200.15.34.1 | Jul 14, 2022 | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). | ||
| CVE-2022-32212 | — | < 14.20.0-150200.15.34.1 | 14.20.0-150200.15.34.1 | Jul 14, 2022 | A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding | ||
| CVE-2021-44906 | — | < 14.19.1-150200.15.31.1 | 14.19.1-150200.15.31.1 | Mar 17, 2022 | Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). | ||
| CVE-2022-0778 | Hig | 7.5 | < 14.19.1-150200.15.31.1 | 14.19.1-150200.15.31.1 | Mar 15, 2022 | The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curv | |
| CVE-2021-44533 | — | < 14.18.3-15.24.1 | 14.18.3-15.24.1 | Feb 24, 2022 | Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguis | ||
| CVE-2021-44532 | — | < 14.18.3-15.24.1 | 14.18.3-15.24.1 | Feb 24, 2022 | Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name | ||
| CVE-2021-44531 | — | < 14.18.3-15.24.1 | 14.18.3-15.24.1 | Feb 24, 2022 | Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are o | ||
| CVE-2022-21824 | — | < 14.18.3-15.24.1 | 14.18.3-15.24.1 | Feb 24, 2022 | Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The p | ||
| CVE-2022-0235 | — | < 14.19.1-150200.15.31.1 | 14.19.1-150200.15.31.1 | Jan 16, 2022 | node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor | ||
| CVE-2021-3672 | — | < 14.17.5-5.15.5 | 14.17.5-5.15.5 | Nov 23, 2021 | A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality | ||
| CVE-2021-22959 | — | < 14.18.1-15.21.2 | 14.18.1-15.21.2 | Nov 15, 2021 | The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. | ||
| CVE-2021-3918 | — | < 14.19.0-15.27.1 | 14.19.0-15.27.1 | Nov 13, 2021 | json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | ||
| CVE-2021-22960 | — | < 14.18.1-15.21.2 | 14.18.1-15.21.2 | Nov 3, 2021 | The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. | ||
| CVE-2021-22930 | — | < 14.17.5-5.15.5 | 14.17.5-5.15.5 | Oct 7, 2021 | Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. | ||
| CVE-2021-3807 | — | < 14.19.0-15.27.1 | 14.19.0-15.27.1 | Sep 17, 2021 | ansi-regex is vulnerable to Inefficient Regular Expression Complexity | ||
| CVE-2021-39135 | — | < 14.18.1-15.21.2 | 14.18.1-15.21.2 | Aug 31, 2021 | `@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into |
- CVE-2022-43548Dec 5, 2022affected < 14.21.1-150200.15.40.2fixed 14.21.1-150200.15.40.2
A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing
- CVE-2022-35256Dec 5, 2022affected < 14.20.1-150200.15.37.1fixed 14.20.1-150200.15.37.1
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
- CVE-2022-32215Jul 14, 2022affected < 14.20.0-150200.15.34.1fixed 14.20.0-150200.15.34.1
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
- CVE-2022-32214Jul 14, 2022affected < 14.20.0-150200.15.34.1fixed 14.20.0-150200.15.34.1
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
- CVE-2022-32213Jul 14, 2022affected < 14.20.0-150200.15.34.1fixed 14.20.0-150200.15.34.1
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
- CVE-2022-32212Jul 14, 2022affected < 14.20.0-150200.15.34.1fixed 14.20.0-150200.15.34.1
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding
- CVE-2021-44906Mar 17, 2022affected < 14.19.1-150200.15.31.1fixed 14.19.1-150200.15.31.1
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
- affected < 14.19.1-150200.15.31.1fixed 14.19.1-150200.15.31.1
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curv
- CVE-2021-44533Feb 24, 2022affected < 14.18.3-15.24.1fixed 14.18.3-15.24.1
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguis
- CVE-2021-44532Feb 24, 2022affected < 14.18.3-15.24.1fixed 14.18.3-15.24.1
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name
- CVE-2021-44531Feb 24, 2022affected < 14.18.3-15.24.1fixed 14.18.3-15.24.1
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are o
- CVE-2022-21824Feb 24, 2022affected < 14.18.3-15.24.1fixed 14.18.3-15.24.1
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The p
- CVE-2022-0235Jan 16, 2022affected < 14.19.1-150200.15.31.1fixed 14.19.1-150200.15.31.1
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
- CVE-2021-3672Nov 23, 2021affected < 14.17.5-5.15.5fixed 14.17.5-5.15.5
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality
- CVE-2021-22959Nov 15, 2021affected < 14.18.1-15.21.2fixed 14.18.1-15.21.2
The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.
- CVE-2021-3918Nov 13, 2021affected < 14.19.0-15.27.1fixed 14.19.0-15.27.1
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- CVE-2021-22960Nov 3, 2021affected < 14.18.1-15.21.2fixed 14.18.1-15.21.2
The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
- CVE-2021-22930Oct 7, 2021affected < 14.17.5-5.15.5fixed 14.17.5-5.15.5
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
- CVE-2021-3807Sep 17, 2021affected < 14.19.0-15.27.1fixed 14.19.0-15.27.1
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
- CVE-2021-39135Aug 31, 2021affected < 14.18.1-15.21.2fixed 14.18.1-15.21.2
`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into
Page 1 of 2