suse/nodejs10&distro=SUSE Linux Enterprise Server 15 SP1-LTSS

Vulnerabilities (29)

• CVE-2023-44487HigKEVOct 10, 2023
  affected < 10.24.1-150000.1.62.3fixed 10.24.1-150000.1.62.3

  The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

• CVE-2023-23920Feb 23, 2023
  affected < 10.24.1-150000.1.56.1fixed 10.24.1-150000.1.56.1

  An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.

• CVE-2022-25881Jan 31, 2023
  affected < 10.24.1-150000.1.59.1fixed 10.24.1-150000.1.59.1

  This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

• CVE-2022-43548Dec 5, 2022
  affected < 10.24.1-150000.1.53.1fixed 10.24.1-150000.1.53.1

  A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing

• CVE-2022-32215Jul 14, 2022
  affected < 10.24.1-150000.1.47.1fixed 10.24.1-150000.1.47.1

  The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

• CVE-2022-32214Jul 14, 2022
  affected < 10.24.1-150000.1.47.1fixed 10.24.1-150000.1.47.1

  The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

• CVE-2022-32213Jul 14, 2022
  affected < 10.24.1-150000.1.47.1fixed 10.24.1-150000.1.47.1

  The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).

• CVE-2022-32212Jul 14, 2022
  affected < 10.24.1-150000.1.47.1fixed 10.24.1-150000.1.47.1

  A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding

• CVE-2021-44906Mar 17, 2022
  affected < 10.24.1-150000.1.44.1fixed 10.24.1-150000.1.44.1

  Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

• CVE-2022-21824Feb 24, 2022
  affected < 10.24.1-150000.1.44.1fixed 10.24.1-150000.1.44.1

  Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The p

• CVE-2022-0235Jan 16, 2022
  affected < 10.24.1-150000.1.44.1fixed 10.24.1-150000.1.44.1

  node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

• CVE-2021-22959Nov 15, 2021
  affected < 10.24.1-150000.1.47.1fixed 10.24.1-150000.1.47.1

  The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.

• CVE-2021-3918Nov 13, 2021
  affected < 10.24.1-150000.1.44.1fixed 10.24.1-150000.1.44.1

  json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

• CVE-2021-22960Nov 3, 2021
  affected < 10.24.1-150000.1.47.1fixed 10.24.1-150000.1.47.1

  The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

• CVE-2021-22930Oct 7, 2021
  affected < 10.24.1-150000.1.47.1fixed 10.24.1-150000.1.47.1

  Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

• CVE-2021-3807Sep 17, 2021
  affected < 10.24.1-150000.1.44.1fixed 10.24.1-150000.1.44.1

  ansi-regex is vulnerable to Inefficient Regular Expression Complexity

• CVE-2021-22940Aug 16, 2021
  affected < 10.24.1-150000.1.47.1fixed 10.24.1-150000.1.47.1

  Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

• CVE-2021-32804Aug 3, 2021
  affected < 10.24.1-150000.1.44.1fixed 10.24.1-150000.1.44.1

  The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into rel

• CVE-2021-32803Aug 3, 2021
  affected < 10.24.1-150000.1.44.1fixed 10.24.1-150000.1.44.1

  The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not e

• CVE-2021-22918Jul 12, 2021
  affected < 10.24.1-1.36.1fixed 10.24.1-1.36.1

  Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. Th