rpm package
suse/nodejs10&distro=SUSE Linux Enterprise Module for Web and Scripting 12
pkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012
Vulnerabilities (44)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-21824 | — | < 10.24.1-1.46.1 | 10.24.1-1.46.1 | Feb 24, 2022 | Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The p | ||
| CVE-2021-3672 | — | < 10.24.1-1.42.2 | 10.24.1-1.42.2 | Nov 23, 2021 | A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality | ||
| CVE-2021-3918 | — | < 10.24.1-1.46.1 | 10.24.1-1.46.1 | Nov 13, 2021 | json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | ||
| CVE-2021-22930 | — | < 10.24.1-1.42.2 | 10.24.1-1.42.2 | Oct 7, 2021 | Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. | ||
| CVE-2021-3807 | — | < 10.24.1-1.46.1 | 10.24.1-1.46.1 | Sep 17, 2021 | ansi-regex is vulnerable to Inefficient Regular Expression Complexity | ||
| CVE-2021-22939 | — | < 10.24.1-1.42.2 | 10.24.1-1.42.2 | Aug 16, 2021 | If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. | ||
| CVE-2021-22931 | — | < 10.24.1-1.42.2 | 10.24.1-1.42.2 | Aug 16, 2021 | Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacki | ||
| CVE-2021-32804 | — | < 10.24.1-1.46.1 | 10.24.1-1.46.1 | Aug 3, 2021 | The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into rel | ||
| CVE-2021-32803 | — | < 10.24.1-1.46.1 | 10.24.1-1.46.1 | Aug 3, 2021 | The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not e | ||
| CVE-2021-22918 | — | < 10.24.1-1.39.1 | 10.24.1-1.39.1 | Jul 12, 2021 | Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. Th | ||
| CVE-2021-23343 | — | < 10.24.1-1.46.1 | 10.24.1-1.46.1 | May 4, 2021 | All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity. | ||
| CVE-2021-3450 | — | < 10.24.1-1.39.1 | 10.24.1-1.39.1 | Mar 25, 2021 | The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve paramet | ||
| CVE-2021-3449 | — | < 10.24.1-1.39.1 | 10.24.1-1.39.1 | Mar 25, 2021 | An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_ce | ||
| CVE-2021-23362 | — | < 10.24.1-1.39.1 | 10.24.1-1.39.1 | Mar 23, 2021 | The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity. | ||
| CVE-2021-27290 | — | < 10.24.1-1.39.1 | 10.24.1-1.39.1 | Mar 12, 2021 | ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option. | ||
| CVE-2021-22883 | — | < 10.24.0-1.36.2 | 10.24.0-1.36.2 | Mar 3, 2021 | Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then th | ||
| CVE-2021-22884 | — | < 10.24.0-1.36.2 | 10.24.0-1.36.2 | Mar 3, 2021 | Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker control | ||
| CVE-2021-23840 | Hig | 7.5 | < 10.24.0-1.36.2 | 10.24.0-1.36.2 | Feb 16, 2021 | Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be | |
| CVE-2020-8265 | — | < 10.23.1-1.33.1 | 10.23.1-1.33.1 | Jan 6, 2021 | Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If t | ||
| CVE-2020-8287 | — | < 10.23.1-1.33.1 | 10.23.1-1.33.1 | Jan 6, 2021 | Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggl |
- CVE-2022-21824Feb 24, 2022affected < 10.24.1-1.46.1fixed 10.24.1-1.46.1
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The p
- CVE-2021-3672Nov 23, 2021affected < 10.24.1-1.42.2fixed 10.24.1-1.42.2
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality
- CVE-2021-3918Nov 13, 2021affected < 10.24.1-1.46.1fixed 10.24.1-1.46.1
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- CVE-2021-22930Oct 7, 2021affected < 10.24.1-1.42.2fixed 10.24.1-1.42.2
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
- CVE-2021-3807Sep 17, 2021affected < 10.24.1-1.46.1fixed 10.24.1-1.46.1
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
- CVE-2021-22939Aug 16, 2021affected < 10.24.1-1.42.2fixed 10.24.1-1.42.2
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
- CVE-2021-22931Aug 16, 2021affected < 10.24.1-1.42.2fixed 10.24.1-1.42.2
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacki
- CVE-2021-32804Aug 3, 2021affected < 10.24.1-1.46.1fixed 10.24.1-1.46.1
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into rel
- CVE-2021-32803Aug 3, 2021affected < 10.24.1-1.46.1fixed 10.24.1-1.46.1
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not e
- CVE-2021-22918Jul 12, 2021affected < 10.24.1-1.39.1fixed 10.24.1-1.39.1
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. Th
- CVE-2021-23343May 4, 2021affected < 10.24.1-1.46.1fixed 10.24.1-1.46.1
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
- CVE-2021-3450Mar 25, 2021affected < 10.24.1-1.39.1fixed 10.24.1-1.39.1
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve paramet
- CVE-2021-3449Mar 25, 2021affected < 10.24.1-1.39.1fixed 10.24.1-1.39.1
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_ce
- CVE-2021-23362Mar 23, 2021affected < 10.24.1-1.39.1fixed 10.24.1-1.39.1
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
- CVE-2021-27290Mar 12, 2021affected < 10.24.1-1.39.1fixed 10.24.1-1.39.1
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
- CVE-2021-22883Mar 3, 2021affected < 10.24.0-1.36.2fixed 10.24.0-1.36.2
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then th
- CVE-2021-22884Mar 3, 2021affected < 10.24.0-1.36.2fixed 10.24.0-1.36.2
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker control
- affected < 10.24.0-1.36.2fixed 10.24.0-1.36.2
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be
- CVE-2020-8265Jan 6, 2021affected < 10.23.1-1.33.1fixed 10.23.1-1.33.1
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If t
- CVE-2020-8287Jan 6, 2021affected < 10.23.1-1.33.1fixed 10.23.1-1.33.1
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggl
Page 1 of 3