rpm package
suse/nodejs12&distro=SUSE Linux Enterprise Module for Web and Scripting 12
pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012
Vulnerabilities (66)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-8287 | — | < 12.20.1-1.26.1 | 12.20.1-1.26.1 | Jan 6, 2021 | Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggl | ||
| CVE-2020-1971 | — | < 12.20.1-1.26.1 | 12.20.1-1.26.1 | Dec 8, 2020 | The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This functi | ||
| CVE-2020-8277 | — | < 12.19.1-1.23.1 | 12.19.1-1.23.1 | Nov 19, 2020 | A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed i | ||
| CVE-2020-7774 | — | < 12.22.2-1.32.1 | 12.22.2-1.32.1 | Nov 17, 2020 | The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution. | ||
| CVE-2020-8201 | — | < 12.18.4-1.20.1 | 12.18.4-1.20.1 | Sep 18, 2020 | Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending | ||
| CVE-2020-8252 | — | < 12.18.4-1.20.1 | 12.18.4-1.20.1 | Sep 18, 2020 | The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes. | ||
| CVE-2020-8174 | — | < 12.18.0-1.14.1 | 12.18.0-1.14.1 | Jul 24, 2020 | napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0. | ||
| CVE-2020-15095 | — | < 12.18.4-1.20.1 | 12.18.4-1.20.1 | Jul 7, 2020 | Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also | ||
| CVE-2020-8172 | — | < 12.18.0-1.14.1 | 12.18.0-1.14.1 | Jun 8, 2020 | TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0. | ||
| CVE-2020-11080 | — | < 12.18.0-1.14.1 | 12.18.0-1.14.1 | Jun 3, 2020 | In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. T | ||
| CVE-2020-7598 | — | < 12.18.0-1.14.1 | 12.18.0-1.14.1 | Mar 11, 2020 | minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload. | ||
| CVE-2019-15606 | — | < 12.15.0-1.6.1 | 12.15.0-1.6.1 | Feb 7, 2020 | Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons | ||
| CVE-2019-15604 | — | < 12.15.0-1.6.1 | 12.15.0-1.6.1 | Feb 7, 2020 | Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate | ||
| CVE-2019-15605 | — | < 12.15.0-1.6.1 | 12.15.0-1.6.1 | Feb 7, 2020 | HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed | ||
| CVE-2019-16777 | — | < 12.15.0-1.6.1 | 12.15.0-1.6.1 | Dec 13, 2019 | Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subse | ||
| CVE-2019-16776 | — | < 12.15.0-1.6.1 | 12.15.0-1.6.1 | Dec 13, 2019 | Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher t | ||
| CVE-2019-16775 | — | < 12.15.0-1.6.1 | 12.15.0-1.6.1 | Dec 13, 2019 | Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would a | ||
| CVE-2019-9518 | — | < 12.13.0-1.3.1 | 12.13.0-1.3.1 | Aug 13, 2019 | Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. | ||
| CVE-2019-9517 | — | < 12.13.0-1.3.1 | 12.13.0-1.3.1 | Aug 13, 2019 | Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually writ | ||
| CVE-2019-9516 | — | < 12.13.0-1.3.1 | 12.13.0-1.3.1 | Aug 13, 2019 | Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations a |
- CVE-2020-8287Jan 6, 2021affected < 12.20.1-1.26.1fixed 12.20.1-1.26.1
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggl
- CVE-2020-1971Dec 8, 2020affected < 12.20.1-1.26.1fixed 12.20.1-1.26.1
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This functi
- CVE-2020-8277Nov 19, 2020affected < 12.19.1-1.23.1fixed 12.19.1-1.23.1
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed i
- CVE-2020-7774Nov 17, 2020affected < 12.22.2-1.32.1fixed 12.22.2-1.32.1
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
- CVE-2020-8201Sep 18, 2020affected < 12.18.4-1.20.1fixed 12.18.4-1.20.1
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending
- CVE-2020-8252Sep 18, 2020affected < 12.18.4-1.20.1fixed 12.18.4-1.20.1
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
- CVE-2020-8174Jul 24, 2020affected < 12.18.0-1.14.1fixed 12.18.0-1.14.1
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
- CVE-2020-15095Jul 7, 2020affected < 12.18.4-1.20.1fixed 12.18.4-1.20.1
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also
- CVE-2020-8172Jun 8, 2020affected < 12.18.0-1.14.1fixed 12.18.0-1.14.1
TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.
- CVE-2020-11080Jun 3, 2020affected < 12.18.0-1.14.1fixed 12.18.0-1.14.1
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. T
- CVE-2020-7598Mar 11, 2020affected < 12.18.0-1.14.1fixed 12.18.0-1.14.1
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
- CVE-2019-15606Feb 7, 2020affected < 12.15.0-1.6.1fixed 12.15.0-1.6.1
Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
- CVE-2019-15604Feb 7, 2020affected < 12.15.0-1.6.1fixed 12.15.0-1.6.1
Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate
- CVE-2019-15605Feb 7, 2020affected < 12.15.0-1.6.1fixed 12.15.0-1.6.1
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
- CVE-2019-16777Dec 13, 2019affected < 12.15.0-1.6.1fixed 12.15.0-1.6.1
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subse
- CVE-2019-16776Dec 13, 2019affected < 12.15.0-1.6.1fixed 12.15.0-1.6.1
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher t
- CVE-2019-16775Dec 13, 2019affected < 12.15.0-1.6.1fixed 12.15.0-1.6.1
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would a
- CVE-2019-9518Aug 13, 2019affected < 12.13.0-1.3.1fixed 12.13.0-1.3.1
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE.
- CVE-2019-9517Aug 13, 2019affected < 12.13.0-1.3.1fixed 12.13.0-1.3.1
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually writ
- CVE-2019-9516Aug 13, 2019affected < 12.13.0-1.3.1fixed 12.13.0-1.3.1
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations a
Page 3 of 4