rpm package
suse/nodejs12&distro=SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS
pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-30590 | — | < 12.22.12-150200.4.50.1 | 12.22.12-150200.4.50.1 | Nov 28, 2023 | The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivat | ||
| CVE-2023-30581 | — | < 12.22.12-150200.4.50.1 | 12.22.12-150200.4.50.1 | Nov 22, 2023 | The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. | ||
| CVE-2023-38552 | — | < 12.22.12-150200.4.53.2 | 12.22.12-150200.4.53.2 | Oct 18, 2023 | When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | < 12.22.12-150200.4.53.2 | 12.22.12-150200.4.53.2 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-32559 | — | < 12.22.12-150200.4.50.1 | 12.22.12-150200.4.50.1 | Aug 24, 2023 | A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `pr | ||
| CVE-2023-32002 | — | < 12.22.12-150200.4.50.1 | 12.22.12-150200.4.50.1 | Aug 21, 2023 | The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note | ||
| CVE-2023-32006 | — | < 12.22.12-150200.4.50.1 | 12.22.12-150200.4.50.1 | Aug 15, 2023 | The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and | ||
| CVE-2023-30589 | — | < 12.22.12-150200.4.50.1 | 12.22.12-150200.4.50.1 | Jun 30, 2023 | The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RF | ||
| CVE-2023-23920 | — | < 12.22.12-150200.4.44.1 | 12.22.12-150200.4.44.1 | Feb 23, 2023 | An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges. | ||
| CVE-2023-23918 | — | < 12.22.12-150200.4.50.1 | 12.22.12-150200.4.50.1 | Feb 23, 2023 | A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule. | ||
| CVE-2022-25881 | — | < 12.22.12-150200.4.47.1 | 12.22.12-150200.4.47.1 | Jan 31, 2023 | This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. |
- CVE-2023-30590Nov 28, 2023affected < 12.22.12-150200.4.50.1fixed 12.22.12-150200.4.50.1
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivat
- CVE-2023-30581Nov 22, 2023affected < 12.22.12-150200.4.50.1fixed 12.22.12-150200.4.50.1
The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20.
- CVE-2023-38552Oct 18, 2023affected < 12.22.12-150200.4.53.2fixed 12.22.12-150200.4.53.2
When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability
- affected < 12.22.12-150200.4.53.2fixed 12.22.12-150200.4.53.2
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2023-32559Aug 24, 2023affected < 12.22.12-150200.4.50.1fixed 12.22.12-150200.4.50.1
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `pr
- CVE-2023-32002Aug 21, 2023affected < 12.22.12-150200.4.50.1fixed 12.22.12-150200.4.50.1
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note
- CVE-2023-32006Aug 15, 2023affected < 12.22.12-150200.4.50.1fixed 12.22.12-150200.4.50.1
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and
- CVE-2023-30589Jun 30, 2023affected < 12.22.12-150200.4.50.1fixed 12.22.12-150200.4.50.1
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RF
- CVE-2023-23920Feb 23, 2023affected < 12.22.12-150200.4.44.1fixed 12.22.12-150200.4.44.1
An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.
- CVE-2023-23918Feb 23, 2023affected < 12.22.12-150200.4.50.1fixed 12.22.12-150200.4.50.1
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.
- CVE-2022-25881Jan 31, 2023affected < 12.22.12-150200.4.47.1fixed 12.22.12-150200.4.47.1
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.