rpm package

suse/nodejs10&distro=SUSE Linux Enterprise Module for Web and Scripting 15 SP1

pkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1

Vulnerabilities (24)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2020-8265	—	< 10.23.1-1.30.1	10.23.1-1.30.1	Jan 6, 2021	Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If t
CVE-2020-8287	—	< 10.23.1-1.30.1	10.23.1-1.30.1	Jan 6, 2021	Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggl
CVE-2020-1971	—	< 10.23.1-1.30.1	10.23.1-1.30.1	Dec 8, 2020	The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This functi
CVE-2020-8252	—	< 10.22.1-1.27.1	10.22.1-1.27.1	Sep 18, 2020	The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
CVE-2020-8174	—	< 10.21.0-1.21.1	10.21.0-1.21.1	Jul 24, 2020	napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
CVE-2020-15095	—	< 10.22.1-1.27.1	10.22.1-1.27.1	Jul 7, 2020	Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also
CVE-2020-11080	—	< 10.21.0-1.21.1	10.21.0-1.21.1	Jun 3, 2020	In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. T
CVE-2020-10531	—	< 10.21.0-1.21.1	10.21.0-1.21.1	Mar 12, 2020	An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
CVE-2020-7598	—	< 10.21.0-1.21.1	10.21.0-1.21.1	Mar 11, 2020	minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
CVE-2019-15606	—	< 10.19.0-1.18.1	10.19.0-1.18.1	Feb 7, 2020	Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
CVE-2019-15604	—	< 10.19.0-1.18.1	10.19.0-1.18.1	Feb 7, 2020	Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate
CVE-2019-15605	—	< 10.19.0-1.18.1	10.19.0-1.18.1	Feb 7, 2020	HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
CVE-2019-16777	—	< 10.18.0-1.15.1	10.18.0-1.15.1	Dec 13, 2019	Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subse
CVE-2019-16776	—	< 10.18.0-1.15.1	10.18.0-1.15.1	Dec 13, 2019	Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher t
CVE-2019-16775	—	< 10.18.0-1.15.1	10.18.0-1.15.1	Dec 13, 2019	Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would a
CVE-2019-9518	—	< 10.16.3-1.12.1	10.16.3-1.12.1	Aug 13, 2019	Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE.
CVE-2019-9517	—	< 10.16.3-1.12.1	10.16.3-1.12.1	Aug 13, 2019	Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually writ
CVE-2019-9516	—	< 10.16.3-1.12.1	10.16.3-1.12.1	Aug 13, 2019	Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations a
CVE-2019-9515	—	< 10.16.3-1.12.1	10.16.3-1.12.1	Aug 13, 2019	Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame
CVE-2019-9513	—	< 10.16.3-1.12.1	10.16.3-1.12.1	Aug 13, 2019	Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consu

CVE-2020-8265Jan 6, 2021
affected < 10.23.1-1.30.1fixed 10.23.1-1.30.1
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If t
CVE-2020-8287Jan 6, 2021
affected < 10.23.1-1.30.1fixed 10.23.1-1.30.1
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggl
CVE-2020-1971Dec 8, 2020
affected < 10.23.1-1.30.1fixed 10.23.1-1.30.1
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This functi
CVE-2020-8252Sep 18, 2020
affected < 10.22.1-1.27.1fixed 10.22.1-1.27.1
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
CVE-2020-8174Jul 24, 2020
affected < 10.21.0-1.21.1fixed 10.21.0-1.21.1
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
CVE-2020-15095Jul 7, 2020
affected < 10.22.1-1.27.1fixed 10.22.1-1.27.1
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also
CVE-2020-11080Jun 3, 2020
affected < 10.21.0-1.21.1fixed 10.21.0-1.21.1
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. T
CVE-2020-10531Mar 12, 2020
affected < 10.21.0-1.21.1fixed 10.21.0-1.21.1
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
CVE-2020-7598Mar 11, 2020
affected < 10.21.0-1.21.1fixed 10.21.0-1.21.1
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
CVE-2019-15606Feb 7, 2020
affected < 10.19.0-1.18.1fixed 10.19.0-1.18.1
Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
CVE-2019-15604Feb 7, 2020
affected < 10.19.0-1.18.1fixed 10.19.0-1.18.1
Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate
CVE-2019-15605Feb 7, 2020
affected < 10.19.0-1.18.1fixed 10.19.0-1.18.1
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
CVE-2019-16777Dec 13, 2019
affected < 10.18.0-1.15.1fixed 10.18.0-1.15.1
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subse
CVE-2019-16776Dec 13, 2019
affected < 10.18.0-1.15.1fixed 10.18.0-1.15.1
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher t
CVE-2019-16775Dec 13, 2019
affected < 10.18.0-1.15.1fixed 10.18.0-1.15.1
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would a
CVE-2019-9518Aug 13, 2019
affected < 10.16.3-1.12.1fixed 10.16.3-1.12.1
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE.
CVE-2019-9517Aug 13, 2019
affected < 10.16.3-1.12.1fixed 10.16.3-1.12.1
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually writ
CVE-2019-9516Aug 13, 2019
affected < 10.16.3-1.12.1fixed 10.16.3-1.12.1
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations a
CVE-2019-9515Aug 13, 2019
affected < 10.16.3-1.12.1fixed 10.16.3-1.12.1
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame
CVE-2019-9513Aug 13, 2019
affected < 10.16.3-1.12.1fixed 10.16.3-1.12.1
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consu

Page 1 of 2