rpm package
suse/nodejs10&distro=SUSE Linux Enterprise Server 15-LTSS
pkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS
Vulnerabilities (38)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-23362 | — | < 10.24.1-1.36.1 | 10.24.1-1.36.1 | Mar 23, 2021 | The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity. | ||
| CVE-2021-27290 | — | < 10.24.1-1.36.1 | 10.24.1-1.36.1 | Mar 12, 2021 | ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option. | ||
| CVE-2021-22883 | — | < 10.24.0-1.33.2 | 10.24.0-1.33.2 | Mar 3, 2021 | Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then th | ||
| CVE-2021-22884 | — | < 10.24.0-1.33.2 | 10.24.0-1.33.2 | Mar 3, 2021 | Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker control | ||
| CVE-2021-23840 | Hig | 7.5 | < 10.24.0-1.33.2 | 10.24.0-1.33.2 | Feb 16, 2021 | Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be | |
| CVE-2020-8265 | — | < 10.23.1-1.30.1 | 10.23.1-1.30.1 | Jan 6, 2021 | Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If t | ||
| CVE-2020-8287 | — | < 10.23.1-1.30.1 | 10.23.1-1.30.1 | Jan 6, 2021 | Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggl | ||
| CVE-2020-1971 | — | < 10.23.1-1.30.1 | 10.23.1-1.30.1 | Dec 8, 2020 | The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This functi | ||
| CVE-2020-7774 | — | < 10.24.1-1.36.1 | 10.24.1-1.36.1 | Nov 17, 2020 | The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution. | ||
| CVE-2020-8252 | — | < 10.22.1-1.27.1 | 10.22.1-1.27.1 | Sep 18, 2020 | The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes. | ||
| CVE-2020-8174 | — | < 10.21.0-1.21.1 | 10.21.0-1.21.1 | Jul 24, 2020 | napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0. | ||
| CVE-2020-15095 | — | < 10.22.1-1.27.1 | 10.22.1-1.27.1 | Jul 7, 2020 | Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also | ||
| CVE-2020-11080 | — | < 10.21.0-1.21.1 | 10.21.0-1.21.1 | Jun 3, 2020 | In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. T | ||
| CVE-2020-10531 | — | < 10.21.0-1.21.1 | 10.21.0-1.21.1 | Mar 12, 2020 | An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. | ||
| CVE-2020-7598 | — | < 10.21.0-1.21.1 | 10.21.0-1.21.1 | Mar 11, 2020 | minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload. | ||
| CVE-2019-15606 | — | < 10.19.0-1.18.1 | 10.19.0-1.18.1 | Feb 7, 2020 | Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons | ||
| CVE-2019-15604 | — | < 10.19.0-1.18.1 | 10.19.0-1.18.1 | Feb 7, 2020 | Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate | ||
| CVE-2019-15605 | — | < 10.19.0-1.18.1 | 10.19.0-1.18.1 | Feb 7, 2020 | HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed |
- CVE-2021-23362Mar 23, 2021affected < 10.24.1-1.36.1fixed 10.24.1-1.36.1
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
- CVE-2021-27290Mar 12, 2021affected < 10.24.1-1.36.1fixed 10.24.1-1.36.1
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
- CVE-2021-22883Mar 3, 2021affected < 10.24.0-1.33.2fixed 10.24.0-1.33.2
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then th
- CVE-2021-22884Mar 3, 2021affected < 10.24.0-1.33.2fixed 10.24.0-1.33.2
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker control
- affected < 10.24.0-1.33.2fixed 10.24.0-1.33.2
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be
- CVE-2020-8265Jan 6, 2021affected < 10.23.1-1.30.1fixed 10.23.1-1.30.1
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If t
- CVE-2020-8287Jan 6, 2021affected < 10.23.1-1.30.1fixed 10.23.1-1.30.1
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggl
- CVE-2020-1971Dec 8, 2020affected < 10.23.1-1.30.1fixed 10.23.1-1.30.1
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This functi
- CVE-2020-7774Nov 17, 2020affected < 10.24.1-1.36.1fixed 10.24.1-1.36.1
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
- CVE-2020-8252Sep 18, 2020affected < 10.22.1-1.27.1fixed 10.22.1-1.27.1
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
- CVE-2020-8174Jul 24, 2020affected < 10.21.0-1.21.1fixed 10.21.0-1.21.1
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
- CVE-2020-15095Jul 7, 2020affected < 10.22.1-1.27.1fixed 10.22.1-1.27.1
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also
- CVE-2020-11080Jun 3, 2020affected < 10.21.0-1.21.1fixed 10.21.0-1.21.1
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. T
- CVE-2020-10531Mar 12, 2020affected < 10.21.0-1.21.1fixed 10.21.0-1.21.1
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
- CVE-2020-7598Mar 11, 2020affected < 10.21.0-1.21.1fixed 10.21.0-1.21.1
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
- CVE-2019-15606Feb 7, 2020affected < 10.19.0-1.18.1fixed 10.19.0-1.18.1
Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
- CVE-2019-15604Feb 7, 2020affected < 10.19.0-1.18.1fixed 10.19.0-1.18.1
Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate
- CVE-2019-15605Feb 7, 2020affected < 10.19.0-1.18.1fixed 10.19.0-1.18.1
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
Page 2 of 2