rpm package

opensuse/nodejs8&distro=openSUSE Leap 15.1

pkg:rpm/opensuse/nodejs8&distro=openSUSE%20Leap%2015.1

Vulnerabilities (19)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2020-8174	—	< 8.17.0-lp151.2.15.1	8.17.0-lp151.2.15.1	Jul 24, 2020	napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
CVE-2020-15095	—	< 8.17.0-lp151.2.21.1	8.17.0-lp151.2.21.1	Jul 7, 2020	Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also
CVE-2020-11080	—	< 8.17.0-lp151.2.15.1	8.17.0-lp151.2.15.1	Jun 3, 2020	In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. T
CVE-2020-7598	—	< 8.17.0-lp151.2.15.1	8.17.0-lp151.2.15.1	Mar 11, 2020	minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
CVE-2019-15606	—	< 8.17.0-lp151.2.12.1	8.17.0-lp151.2.12.1	Feb 7, 2020	Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
CVE-2019-15604	—	< 8.17.0-lp151.2.12.1	8.17.0-lp151.2.12.1	Feb 7, 2020	Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate
CVE-2019-15605	—	< 8.17.0-lp151.2.12.1	8.17.0-lp151.2.12.1	Feb 7, 2020	HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
CVE-2019-16777	—	< 8.17.0-lp151.2.9.1	8.17.0-lp151.2.9.1	Dec 13, 2019	Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subse
CVE-2019-16776	—	< 8.17.0-lp151.2.9.1	8.17.0-lp151.2.9.1	Dec 13, 2019	Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher t
CVE-2019-16775	—	< 8.17.0-lp151.2.9.1	8.17.0-lp151.2.9.1	Dec 13, 2019	Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would a
CVE-2019-9518	—	< 8.16.1-lp151.2.6.1	8.16.1-lp151.2.6.1	Aug 13, 2019	Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE.
CVE-2019-9517	—	< 8.16.1-lp151.2.6.1	8.16.1-lp151.2.6.1	Aug 13, 2019	Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually writ
CVE-2019-9516	—	< 8.16.1-lp151.2.6.1	8.16.1-lp151.2.6.1	Aug 13, 2019	Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations a
CVE-2019-9515	—	< 8.16.1-lp151.2.6.1	8.16.1-lp151.2.6.1	Aug 13, 2019	Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame
CVE-2019-9513	—	< 8.16.1-lp151.2.6.1	8.16.1-lp151.2.6.1	Aug 13, 2019	Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consu
CVE-2019-9512	—	< 8.16.1-lp151.2.6.1	8.16.1-lp151.2.6.1	Aug 13, 2019	Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consum
CVE-2019-9511	—	< 8.16.1-lp151.2.6.1	8.16.1-lp151.2.6.1	Aug 13, 2019	Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and
CVE-2019-9514	—	< 8.16.1-lp151.2.6.1	8.16.1-lp151.2.6.1	Aug 13, 2019	Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer
CVE-2019-13173	—	< 8.15.1-lp151.2.3.1	8.15.1-lp151.2.3.1	Jul 2, 2019	fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirW

CVE-2020-8174Jul 24, 2020
affected < 8.17.0-lp151.2.15.1fixed 8.17.0-lp151.2.15.1
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
CVE-2020-15095Jul 7, 2020
affected < 8.17.0-lp151.2.21.1fixed 8.17.0-lp151.2.21.1
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also
CVE-2020-11080Jun 3, 2020
affected < 8.17.0-lp151.2.15.1fixed 8.17.0-lp151.2.15.1
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. T
CVE-2020-7598Mar 11, 2020
affected < 8.17.0-lp151.2.15.1fixed 8.17.0-lp151.2.15.1
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
CVE-2019-15606Feb 7, 2020
affected < 8.17.0-lp151.2.12.1fixed 8.17.0-lp151.2.12.1
Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
CVE-2019-15604Feb 7, 2020
affected < 8.17.0-lp151.2.12.1fixed 8.17.0-lp151.2.12.1
Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate
CVE-2019-15605Feb 7, 2020
affected < 8.17.0-lp151.2.12.1fixed 8.17.0-lp151.2.12.1
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
CVE-2019-16777Dec 13, 2019
affected < 8.17.0-lp151.2.9.1fixed 8.17.0-lp151.2.9.1
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subse
CVE-2019-16776Dec 13, 2019
affected < 8.17.0-lp151.2.9.1fixed 8.17.0-lp151.2.9.1
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher t
CVE-2019-16775Dec 13, 2019
affected < 8.17.0-lp151.2.9.1fixed 8.17.0-lp151.2.9.1
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would a
CVE-2019-9518Aug 13, 2019
affected < 8.16.1-lp151.2.6.1fixed 8.16.1-lp151.2.6.1
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE.
CVE-2019-9517Aug 13, 2019
affected < 8.16.1-lp151.2.6.1fixed 8.16.1-lp151.2.6.1
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually writ
CVE-2019-9516Aug 13, 2019
affected < 8.16.1-lp151.2.6.1fixed 8.16.1-lp151.2.6.1
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations a
CVE-2019-9515Aug 13, 2019
affected < 8.16.1-lp151.2.6.1fixed 8.16.1-lp151.2.6.1
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame
CVE-2019-9513Aug 13, 2019
affected < 8.16.1-lp151.2.6.1fixed 8.16.1-lp151.2.6.1
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consu
CVE-2019-9512Aug 13, 2019
affected < 8.16.1-lp151.2.6.1fixed 8.16.1-lp151.2.6.1
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consum
CVE-2019-9511Aug 13, 2019
affected < 8.16.1-lp151.2.6.1fixed 8.16.1-lp151.2.6.1
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and
CVE-2019-9514Aug 13, 2019
affected < 8.16.1-lp151.2.6.1fixed 8.16.1-lp151.2.6.1
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer
CVE-2019-13173Jul 2, 2019
affected < 8.15.1-lp151.2.3.1fixed 8.15.1-lp151.2.3.1
fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirW