rpm package

suse/nodejs10&distro=SUSE Manager Retail Branch Server 4.0

pkg:rpm/suse/nodejs10&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0

Vulnerabilities (9)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2021-22918		—	< 10.24.1-1.36.1	10.24.1-1.36.1	Jul 12, 2021	Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. Th
CVE-2021-3450		—	< 10.24.1-1.36.1	10.24.1-1.36.1	Mar 25, 2021	The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve paramet
CVE-2021-3449		—	< 10.24.1-1.36.1	10.24.1-1.36.1	Mar 25, 2021	An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_ce
CVE-2021-23362		—	< 10.24.1-1.36.1	10.24.1-1.36.1	Mar 23, 2021	The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVE-2021-27290		—	< 10.24.1-1.36.1	10.24.1-1.36.1	Mar 12, 2021	ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
CVE-2021-22883		—	< 10.24.0-1.33.2	10.24.0-1.33.2	Mar 3, 2021	Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then th
CVE-2021-22884		—	< 10.24.0-1.33.2	10.24.0-1.33.2	Mar 3, 2021	Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker control
CVE-2021-23840	Hig	7.5	< 10.24.0-1.33.2	10.24.0-1.33.2	Feb 16, 2021	Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be
CVE-2020-7774		—	< 10.24.1-1.36.1	10.24.1-1.36.1	Nov 17, 2020	The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

CVE-2021-22918Jul 12, 2021
affected < 10.24.1-1.36.1fixed 10.24.1-1.36.1
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. Th
CVE-2021-3450Mar 25, 2021
affected < 10.24.1-1.36.1fixed 10.24.1-1.36.1
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve paramet
CVE-2021-3449Mar 25, 2021
affected < 10.24.1-1.36.1fixed 10.24.1-1.36.1
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_ce
CVE-2021-23362Mar 23, 2021
affected < 10.24.1-1.36.1fixed 10.24.1-1.36.1
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVE-2021-27290Mar 12, 2021
affected < 10.24.1-1.36.1fixed 10.24.1-1.36.1
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
CVE-2021-22883Mar 3, 2021
affected < 10.24.0-1.33.2fixed 10.24.0-1.33.2
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then th
CVE-2021-22884Mar 3, 2021
affected < 10.24.0-1.33.2fixed 10.24.0-1.33.2
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker control
CVE-2021-23840HigFeb 16, 2021
affected < 10.24.0-1.33.2fixed 10.24.0-1.33.2
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be
CVE-2020-7774Nov 17, 2020
affected < 10.24.1-1.36.1fixed 10.24.1-1.36.1
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.