rpm package
opensuse/nodejs21&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/nodejs21&distro=openSUSE%20Tumbleweed
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-27980 | Hig | 8.1 | < 21.7.3-1.1 | 21.7.3-1.1 | Jan 9, 2025 | Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. | |
| CVE-2023-46809 | Hig | 7.4 | < 21.6.2-1.1 | 21.6.2-1.1 | Sep 7, 2024 | Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryp | |
| CVE-2024-27982 | Med | 6.5 | < 21.7.2-1.1 | 21.7.2-1.1 | May 7, 2024 | The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attacke | |
| CVE-2024-27983 | Hig | 8.2 | < 21.7.2-1.1 | 21.7.2-1.1 | Apr 9, 2024 | An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the se | |
| CVE-2024-30260 | — | < 21.7.2-1.1 | 21.7.2-1.1 | Apr 4, 2024 | Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1. | ||
| CVE-2024-22025 | Med | 6.5 | < 21.6.2-1.1 | 21.6.2-1.1 | Mar 19, 2024 | A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always d | |
| CVE-2024-22017 | Hig | 7.3 | < 21.6.2-1.1 | 21.6.2-1.1 | Mar 19, 2024 | setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users us | |
| CVE-2024-21896 | — | < 21.6.2-1.1 | 21.6.2-1.1 | Feb 20, 2024 | The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching B | ||
| CVE-2024-21890 | — | < 21.6.2-1.1 | 21.6.2-1.1 | Feb 20, 2024 | The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading | ||
| CVE-2024-21891 | — | < 21.6.2-1.1 | 21.6.2-1.1 | Feb 20, 2024 | Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users usi | ||
| CVE-2024-22019 | — | < 21.6.2-1.1 | 21.6.2-1.1 | Feb 20, 2024 | A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of li | ||
| CVE-2024-21892 | — | < 21.6.2-1.1 | 21.6.2-1.1 | Feb 20, 2024 | On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrec | ||
| CVE-2024-24758 | — | < 21.6.2-1.1 | 21.6.2-1.1 | Feb 16, 2024 | Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There |
- affected < 21.7.3-1.1fixed 21.7.3-1.1
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
- affected < 21.6.2-1.1fixed 21.6.2-1.1
Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryp
- affected < 21.7.2-1.1fixed 21.7.2-1.1
The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attacke
- affected < 21.7.2-1.1fixed 21.7.2-1.1
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the se
- CVE-2024-30260Apr 4, 2024affected < 21.7.2-1.1fixed 21.7.2-1.1
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
- affected < 21.6.2-1.1fixed 21.6.2-1.1
A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always d
- affected < 21.6.2-1.1fixed 21.6.2-1.1
setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users us
- CVE-2024-21896Feb 20, 2024affected < 21.6.2-1.1fixed 21.6.2-1.1
The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching B
- CVE-2024-21890Feb 20, 2024affected < 21.6.2-1.1fixed 21.6.2-1.1
The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading
- CVE-2024-21891Feb 20, 2024affected < 21.6.2-1.1fixed 21.6.2-1.1
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users usi
- CVE-2024-22019Feb 20, 2024affected < 21.6.2-1.1fixed 21.6.2-1.1
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of li
- CVE-2024-21892Feb 20, 2024affected < 21.6.2-1.1fixed 21.6.2-1.1
On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrec
- CVE-2024-24758Feb 16, 2024affected < 21.6.2-1.1fixed 21.6.2-1.1
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There