VYPR

rpm package

suse/nodejs12&distro=SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS

pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS

Vulnerabilities (11)

  • CVE-2023-30590Nov 28, 2023
    affected < 12.22.12-150200.4.50.1fixed 12.22.12-150200.4.50.1

    The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivat

  • CVE-2023-30581Nov 22, 2023
    affected < 12.22.12-150200.4.50.1fixed 12.22.12-150200.4.50.1

    The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20.

  • CVE-2023-38552Oct 18, 2023
    affected < 12.22.12-150200.4.53.2fixed 12.22.12-150200.4.53.2

    When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability

  • CVE-2023-44487HigKEVOct 10, 2023
    affected < 12.22.12-150200.4.53.2fixed 12.22.12-150200.4.53.2

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • CVE-2023-32559Aug 24, 2023
    affected < 12.22.12-150200.4.50.1fixed 12.22.12-150200.4.50.1

    A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `pr

  • CVE-2023-32002Aug 21, 2023
    affected < 12.22.12-150200.4.50.1fixed 12.22.12-150200.4.50.1

    The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note

  • CVE-2023-32006Aug 15, 2023
    affected < 12.22.12-150200.4.50.1fixed 12.22.12-150200.4.50.1

    The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and

  • CVE-2023-30589Jun 30, 2023
    affected < 12.22.12-150200.4.50.1fixed 12.22.12-150200.4.50.1

    The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RF

  • CVE-2023-23920Feb 23, 2023
    affected < 12.22.12-150200.4.44.1fixed 12.22.12-150200.4.44.1

    An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.

  • CVE-2023-23918Feb 23, 2023
    affected < 12.22.12-150200.4.50.1fixed 12.22.12-150200.4.50.1

    A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.

  • CVE-2022-25881Jan 31, 2023
    affected < 12.22.12-150200.4.47.1fixed 12.22.12-150200.4.47.1

    This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.