VYPR

rpm package

opensuse/nodejs16&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/nodejs16&distro=openSUSE%20Tumbleweed

Vulnerabilities (19)

  • CVE-2022-35256Dec 5, 2022
    affected < 16.17.1-1.1fixed 16.17.1-1.1

    The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

  • CVE-2022-35255Dec 5, 2022
    affected < 16.17.1-1.1fixed 16.17.1-1.1

    A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() alwa

  • CVE-2022-35949Aug 12, 2022
    affected < 16.17.0-2.1fixed 16.17.0-2.1

    undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//

  • CVE-2022-31150Jul 19, 2022
    affected < 16.17.0-2.1fixed 16.17.0-2.1

    undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a wor

  • CVE-2022-32215Jul 14, 2022
    affected < 16.17.1-1.1fixed 16.17.1-1.1

    The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

  • CVE-2022-32213Jul 14, 2022
    affected < 16.16.0-1.1fixed 16.16.0-1.1

    The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).

  • CVE-2022-32212Jul 14, 2022
    affected < 16.16.0-1.1fixed 16.16.0-1.1

    A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding

  • CVE-2022-29244Jun 13, 2022
    affected < 16.17.0-1.1fixed 16.17.0-1.1

    npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, m

  • CVE-2021-44533Feb 24, 2022
    affected < 16.13.2-1.1fixed 16.13.2-1.1

    Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguis

  • CVE-2021-44532Feb 24, 2022
    affected < 16.13.2-1.1fixed 16.13.2-1.1

    Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name

  • CVE-2021-44531Feb 24, 2022
    affected < 16.13.2-1.1fixed 16.13.2-1.1

    Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are o

  • CVE-2022-21824Feb 24, 2022
    affected < 16.13.2-1.1fixed 16.13.2-1.1

    Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The p

  • CVE-2021-3672Nov 23, 2021
    affected < 16.6.2-2.2fixed 16.6.2-2.2

    A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality

  • CVE-2021-22959Nov 15, 2021
    affected < 16.13.0-1.1fixed 16.13.0-1.1

    The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.

  • CVE-2021-22960Nov 3, 2021
    affected < 16.13.0-1.1fixed 16.13.0-1.1

    The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

  • CVE-2021-22930Oct 7, 2021
    affected < 16.6.2-2.2fixed 16.6.2-2.2

    Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

  • CVE-2021-22940Aug 16, 2021
    affected < 16.6.2-2.2fixed 16.6.2-2.2

    Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

  • CVE-2021-22939Aug 16, 2021
    affected < 16.6.2-2.2fixed 16.6.2-2.2

    If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

  • CVE-2021-22918Jul 12, 2021
    affected < 16.6.2-2.2fixed 16.6.2-2.2

    Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. Th