rpm package
suse/nodejs14&distro=SUSE Linux Enterprise Module for Web and Scripting 15 SP3
pkg:rpm/suse/nodejs14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP3
Vulnerabilities (34)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-39134 | — | < 14.18.1-15.21.2 | 14.18.1-15.21.2 | Aug 31, 2021 | `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed in | ||
| CVE-2021-37713 | — | < 14.18.1-15.21.2 | 14.18.1-15.21.2 | Aug 31, 2021 | The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not e | ||
| CVE-2021-37712 | — | < 14.18.1-15.21.2 | 14.18.1-15.21.2 | Aug 31, 2021 | The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This | ||
| CVE-2021-37701 | — | < 14.18.1-15.21.2 | 14.18.1-15.21.2 | Aug 31, 2021 | The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This i | ||
| CVE-2021-22940 | — | < 14.17.5-5.15.5 | 14.17.5-5.15.5 | Aug 16, 2021 | Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. | ||
| CVE-2021-22939 | — | < 14.17.5-5.15.5 | 14.17.5-5.15.5 | Aug 16, 2021 | If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. | ||
| CVE-2021-22931 | — | < 14.17.5-5.15.5 | 14.17.5-5.15.5 | Aug 16, 2021 | Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacki | ||
| CVE-2021-32804 | — | < 14.19.0-15.27.1 | 14.19.0-15.27.1 | Aug 3, 2021 | The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into rel | ||
| CVE-2021-32803 | — | < 14.19.0-15.27.1 | 14.19.0-15.27.1 | Aug 3, 2021 | The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not e | ||
| CVE-2021-22918 | — | < 14.17.2-5.12.1 | 14.17.2-5.12.1 | Jul 12, 2021 | Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. Th | ||
| CVE-2021-23343 | — | < 14.19.0-15.27.1 | 14.19.0-15.27.1 | May 4, 2021 | All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity. | ||
| CVE-2021-23362 | — | < 14.17.2-5.12.1 | 14.17.2-5.12.1 | Mar 23, 2021 | The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity. | ||
| CVE-2021-27290 | — | < 14.17.2-5.12.1 | 14.17.2-5.12.1 | Mar 12, 2021 | ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option. | ||
| CVE-2020-7774 | — | < 14.17.2-5.12.1 | 14.17.2-5.12.1 | Nov 17, 2020 | The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution. |
- CVE-2021-39134Aug 31, 2021affected < 14.18.1-15.21.2fixed 14.18.1-15.21.2
`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed in
- CVE-2021-37713Aug 31, 2021affected < 14.18.1-15.21.2fixed 14.18.1-15.21.2
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not e
- CVE-2021-37712Aug 31, 2021affected < 14.18.1-15.21.2fixed 14.18.1-15.21.2
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This
- CVE-2021-37701Aug 31, 2021affected < 14.18.1-15.21.2fixed 14.18.1-15.21.2
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This i
- CVE-2021-22940Aug 16, 2021affected < 14.17.5-5.15.5fixed 14.17.5-5.15.5
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
- CVE-2021-22939Aug 16, 2021affected < 14.17.5-5.15.5fixed 14.17.5-5.15.5
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
- CVE-2021-22931Aug 16, 2021affected < 14.17.5-5.15.5fixed 14.17.5-5.15.5
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacki
- CVE-2021-32804Aug 3, 2021affected < 14.19.0-15.27.1fixed 14.19.0-15.27.1
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into rel
- CVE-2021-32803Aug 3, 2021affected < 14.19.0-15.27.1fixed 14.19.0-15.27.1
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not e
- CVE-2021-22918Jul 12, 2021affected < 14.17.2-5.12.1fixed 14.17.2-5.12.1
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. Th
- CVE-2021-23343May 4, 2021affected < 14.19.0-15.27.1fixed 14.19.0-15.27.1
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
- CVE-2021-23362Mar 23, 2021affected < 14.17.2-5.12.1fixed 14.17.2-5.12.1
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
- CVE-2021-27290Mar 12, 2021affected < 14.17.2-5.12.1fixed 14.17.2-5.12.1
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
- CVE-2020-7774Nov 17, 2020affected < 14.17.2-5.12.1fixed 14.17.2-5.12.1
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Page 2 of 2