rpm package

suse/nodejs14&distro=SUSE Linux Enterprise Module for Web and Scripting 12

pkg:rpm/suse/nodejs14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012

Vulnerabilities (49)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2021-44532	—	< 14.18.3-6.21.1	14.18.3-6.21.1	Feb 24, 2022	Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name
CVE-2021-44531	—	< 14.18.3-6.21.1	14.18.3-6.21.1	Feb 24, 2022	Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are o
CVE-2022-21824	—	< 14.18.3-6.21.1	14.18.3-6.21.1	Feb 24, 2022	Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The p
CVE-2022-0235	—	< 14.19.1-6.28.1	14.19.1-6.28.1	Jan 16, 2022	node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
CVE-2021-3672	—	< 14.17.5-6.15.3	14.17.5-6.15.3	Nov 23, 2021	A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality
CVE-2021-22959	—	< 14.18.1-6.18.2	14.18.1-6.18.2	Nov 15, 2021	The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.
CVE-2021-3918	—	< 14.19.0-6.24.1	14.19.0-6.24.1	Nov 13, 2021	json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2021-22960	—	< 14.18.1-6.18.2	14.18.1-6.18.2	Nov 3, 2021	The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
CVE-2021-22930	—	< 14.17.5-6.15.3	14.17.5-6.15.3	Oct 7, 2021	Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-3807	—	< 14.19.0-6.24.1	14.19.0-6.24.1	Sep 17, 2021	ansi-regex is vulnerable to Inefficient Regular Expression Complexity
CVE-2021-39135	—	< 14.18.1-6.18.2	14.18.1-6.18.2	Aug 31, 2021	`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into
CVE-2021-39134	—	< 14.18.1-6.18.2	14.18.1-6.18.2	Aug 31, 2021	`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed in
CVE-2021-37713	—	< 14.18.1-6.18.2	14.18.1-6.18.2	Aug 31, 2021	The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not e
CVE-2021-37712	—	< 14.18.1-6.18.2	14.18.1-6.18.2	Aug 31, 2021	The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This
CVE-2021-37701	—	< 14.18.1-6.18.2	14.18.1-6.18.2	Aug 31, 2021	The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This i
CVE-2021-22940	—	< 14.17.5-6.15.3	14.17.5-6.15.3	Aug 16, 2021	Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-22939	—	< 14.17.5-6.15.3	14.17.5-6.15.3	Aug 16, 2021	If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
CVE-2021-22931	—	< 14.17.5-6.15.3	14.17.5-6.15.3	Aug 16, 2021	Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacki
CVE-2021-32804	—	< 14.19.0-6.24.1	14.19.0-6.24.1	Aug 3, 2021	The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into rel
CVE-2021-32803	—	< 14.19.0-6.24.1	14.19.0-6.24.1	Aug 3, 2021	The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not e

CVE-2021-44532Feb 24, 2022
affected < 14.18.3-6.21.1fixed 14.18.3-6.21.1
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name
CVE-2021-44531Feb 24, 2022
affected < 14.18.3-6.21.1fixed 14.18.3-6.21.1
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are o
CVE-2022-21824Feb 24, 2022
affected < 14.18.3-6.21.1fixed 14.18.3-6.21.1
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The p
CVE-2022-0235Jan 16, 2022
affected < 14.19.1-6.28.1fixed 14.19.1-6.28.1
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
CVE-2021-3672Nov 23, 2021
affected < 14.17.5-6.15.3fixed 14.17.5-6.15.3
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality
CVE-2021-22959Nov 15, 2021
affected < 14.18.1-6.18.2fixed 14.18.1-6.18.2
The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.
CVE-2021-3918Nov 13, 2021
affected < 14.19.0-6.24.1fixed 14.19.0-6.24.1
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2021-22960Nov 3, 2021
affected < 14.18.1-6.18.2fixed 14.18.1-6.18.2
The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
CVE-2021-22930Oct 7, 2021
affected < 14.17.5-6.15.3fixed 14.17.5-6.15.3
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-3807Sep 17, 2021
affected < 14.19.0-6.24.1fixed 14.19.0-6.24.1
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
CVE-2021-39135Aug 31, 2021
affected < 14.18.1-6.18.2fixed 14.18.1-6.18.2
`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into
CVE-2021-39134Aug 31, 2021
affected < 14.18.1-6.18.2fixed 14.18.1-6.18.2
`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed in
CVE-2021-37713Aug 31, 2021
affected < 14.18.1-6.18.2fixed 14.18.1-6.18.2
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not e
CVE-2021-37712Aug 31, 2021
affected < 14.18.1-6.18.2fixed 14.18.1-6.18.2
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This
CVE-2021-37701Aug 31, 2021
affected < 14.18.1-6.18.2fixed 14.18.1-6.18.2
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This i
CVE-2021-22940Aug 16, 2021
affected < 14.17.5-6.15.3fixed 14.17.5-6.15.3
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-22939Aug 16, 2021
affected < 14.17.5-6.15.3fixed 14.17.5-6.15.3
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
CVE-2021-22931Aug 16, 2021
affected < 14.17.5-6.15.3fixed 14.17.5-6.15.3
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacki
CVE-2021-32804Aug 3, 2021
affected < 14.19.0-6.24.1fixed 14.19.0-6.24.1
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into rel
CVE-2021-32803Aug 3, 2021
affected < 14.19.0-6.24.1fixed 14.19.0-6.24.1
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not e

Page 2 of 3