rpm package
suse/nodejs14&distro=SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
pkg:rpm/suse/nodejs14&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS
Vulnerabilities (17)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-46809 | Hig | 7.4 | < 14.21.3-150200.15.55.1 | 14.21.3-150200.15.55.1 | Sep 7, 2024 | Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryp | |
| CVE-2024-27982 | Med | 6.5 | < 14.21.3-150200.15.58.1 | 14.21.3-150200.15.58.1 | May 7, 2024 | The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attacke | |
| CVE-2024-27983 | Hig | 8.2 | < 14.21.3-150200.15.58.1 | 14.21.3-150200.15.58.1 | Apr 9, 2024 | An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the se | |
| CVE-2024-22025 | Med | 6.5 | < 14.21.3-150200.15.55.1 | 14.21.3-150200.15.55.1 | Mar 19, 2024 | A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always d | |
| CVE-2024-22019 | — | < 14.21.3-150200.15.55.1 | 14.21.3-150200.15.55.1 | Feb 20, 2024 | A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of li | ||
| CVE-2024-24806 | — | < 14.21.3-150200.15.55.1 | 14.21.3-150200.15.55.1 | Feb 7, 2024 | libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be ex | ||
| CVE-2023-30590 | — | < 14.21.3-150200.15.49.1 | 14.21.3-150200.15.49.1 | Nov 28, 2023 | The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivat | ||
| CVE-2023-30581 | — | < 14.21.3-150200.15.49.1 | 14.21.3-150200.15.49.1 | Nov 22, 2023 | The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. | ||
| CVE-2023-38552 | — | < 14.21.3-150200.15.52.2 | 14.21.3-150200.15.52.2 | Oct 18, 2023 | When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | < 14.21.3-150200.15.52.2 | 14.21.3-150200.15.52.2 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-32559 | — | < 14.21.3-150200.15.49.1 | 14.21.3-150200.15.49.1 | Aug 24, 2023 | A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `pr | ||
| CVE-2023-32002 | — | < 14.21.3-150200.15.49.1 | 14.21.3-150200.15.49.1 | Aug 21, 2023 | The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note | ||
| CVE-2023-32006 | — | < 14.21.3-150200.15.49.1 | 14.21.3-150200.15.49.1 | Aug 15, 2023 | The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and | ||
| CVE-2023-30589 | — | < 14.21.3-150200.15.49.1 | 14.21.3-150200.15.49.1 | Jun 30, 2023 | The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RF | ||
| CVE-2023-23920 | — | < 14.21.3-150200.15.43.1 | 14.21.3-150200.15.43.1 | Feb 23, 2023 | An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges. | ||
| CVE-2023-23918 | — | < 14.21.3-150200.15.43.1 | 14.21.3-150200.15.43.1 | Feb 23, 2023 | A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule. | ||
| CVE-2022-25881 | — | < 14.21.3-150200.15.46.1 | 14.21.3-150200.15.46.1 | Jan 31, 2023 | This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. |
- affected < 14.21.3-150200.15.55.1fixed 14.21.3-150200.15.55.1
Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryp
- affected < 14.21.3-150200.15.58.1fixed 14.21.3-150200.15.58.1
The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attacke
- affected < 14.21.3-150200.15.58.1fixed 14.21.3-150200.15.58.1
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the se
- affected < 14.21.3-150200.15.55.1fixed 14.21.3-150200.15.55.1
A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always d
- CVE-2024-22019Feb 20, 2024affected < 14.21.3-150200.15.55.1fixed 14.21.3-150200.15.55.1
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of li
- CVE-2024-24806Feb 7, 2024affected < 14.21.3-150200.15.55.1fixed 14.21.3-150200.15.55.1
libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be ex
- CVE-2023-30590Nov 28, 2023affected < 14.21.3-150200.15.49.1fixed 14.21.3-150200.15.49.1
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivat
- CVE-2023-30581Nov 22, 2023affected < 14.21.3-150200.15.49.1fixed 14.21.3-150200.15.49.1
The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20.
- CVE-2023-38552Oct 18, 2023affected < 14.21.3-150200.15.52.2fixed 14.21.3-150200.15.52.2
When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability
- affected < 14.21.3-150200.15.52.2fixed 14.21.3-150200.15.52.2
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2023-32559Aug 24, 2023affected < 14.21.3-150200.15.49.1fixed 14.21.3-150200.15.49.1
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `pr
- CVE-2023-32002Aug 21, 2023affected < 14.21.3-150200.15.49.1fixed 14.21.3-150200.15.49.1
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note
- CVE-2023-32006Aug 15, 2023affected < 14.21.3-150200.15.49.1fixed 14.21.3-150200.15.49.1
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and
- CVE-2023-30589Jun 30, 2023affected < 14.21.3-150200.15.49.1fixed 14.21.3-150200.15.49.1
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RF
- CVE-2023-23920Feb 23, 2023affected < 14.21.3-150200.15.43.1fixed 14.21.3-150200.15.43.1
An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.
- CVE-2023-23918Feb 23, 2023affected < 14.21.3-150200.15.43.1fixed 14.21.3-150200.15.43.1
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.
- CVE-2022-25881Jan 31, 2023affected < 14.21.3-150200.15.46.1fixed 14.21.3-150200.15.46.1
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.