rpm package
suse/nodejs16&distro=SUSE Linux Enterprise Module for Web and Scripting 15 SP3
pkg:rpm/suse/nodejs16&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP3
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-43548 | — | — | — | < 16.18.1-150300.7.15.1 | 16.18.1-150300.7.15.1 | Dec 5, 2022 | An OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests allowing |
| CVE-2022-35256 | — | — | — | < 16.17.1-150300.7.12.1 | 16.17.1-150300.7.12.1 | Dec 5, 2022 | The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling. |
| CVE-2022-35255 | — | — | — | < 16.17.1-150300.7.12.1 | 16.17.1-150300.7.12.1 | Dec 5, 2022 | A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() alwa |
| CVE-2022-35948 | — | — | — | < 16.17.0-150300.7.9.1 | 16.17.0-150300.7.9.1 | Aug 13, 2022 | undici is an HTTP/1.1 client, written from scratch for Node.js. `<= undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' |
| CVE-2022-35949 | — | — | — | < 16.17.0-150300.7.9.1 | 16.17.0-150300.7.9.1 | Aug 12, 2022 | undici is an HTTP/1.1 client, written from scratch for Node.js. `undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `// |
| CVE-2022-31150 | — | — | — | < 16.17.0-150300.7.9.1 | 16.17.0-150300.7.9.1 | Jul 19, 2022 | undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a wor |
| CVE-2022-32215 | — | — | — | < 16.16.0-150300.7.6.2 | 16.16.0-150300.7.6.2 | Jul 14, 2022 | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). |
| CVE-2022-32214 | — | — | — | < 16.16.0-150300.7.6.2 | 16.16.0-150300.7.6.2 | Jul 14, 2022 | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). |
| CVE-2022-32213 | — | — | — | < 16.16.0-150300.7.6.2 | 16.16.0-150300.7.6.2 | Jul 14, 2022 | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). |
| CVE-2022-32212 | — | — | — | < 16.16.0-150300.7.6.2 | 16.16.0-150300.7.6.2 | Jul 14, 2022 | An OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests allowing rebinding |
| CVE-2022-29244 | — | — | — | < 16.17.0-150300.7.9.1 | 16.17.0-150300.7.9.1 | Jun 13, 2022 | npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, m |
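The "Fixed in" column is only useful if you can compare it against what is actually installed, and rpm version ordering is not plain string or semver ordering. The following is an added example (not part of this page or of SUSE's tooling) that takes the fixed-in values from the table above, applies rpmvercmp-style ordering to a `VERSION-RELEASE` string, and lists the CVEs the installed nodejs16 package is still open to. The installed version string at the bottom is a constructed sample; on a real host it would come from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' nodejs16`. Epoch and the tilde/caret version operators are assumed not to occur in these package versions.

```javascript
// Added example (not part of the advisory page or of SUSE tooling): compare an
// installed nodejs16 rpm's VERSION-RELEASE against the "Fixed in" column and
// report the CVEs that are still unpatched.

// Fixed-in package versions, copied from the table above.
const FIXED_IN = {
  'CVE-2022-43548': '16.18.1-150300.7.15.1',
  'CVE-2022-35256': '16.17.1-150300.7.12.1',
  'CVE-2022-35255': '16.17.1-150300.7.12.1',
  'CVE-2022-35948': '16.17.0-150300.7.9.1',
  'CVE-2022-35949': '16.17.0-150300.7.9.1',
  'CVE-2022-31150': '16.17.0-150300.7.9.1',
  'CVE-2022-32215': '16.16.0-150300.7.6.2',
  'CVE-2022-32214': '16.16.0-150300.7.6.2',
  'CVE-2022-32213': '16.16.0-150300.7.6.2',
  'CVE-2022-32212': '16.16.0-150300.7.6.2',
  'CVE-2022-29244': '16.17.0-150300.7.9.1',
};

// Split a version or release string into the segments rpmvercmp compares:
// runs of digits and runs of letters; everything else is a separator.
function segments(s) {
  return s.match(/[0-9]+|[A-Za-z]+/g) || [];
}

// rpmvercmp-style ordering: numeric segments compare as integers (leading
// zeros ignored), alphabetic segments compare lexically, a numeric segment
// beats an alphabetic one, and the string with segments left over is newer.
// Tilde ("~") and caret ("^") handling is left out on the assumption that
// these SUSE nodejs16 versions never use them.
function rpmvercmp(a, b) {
  const sa = segments(a), sb = segments(b);
  const n = Math.min(sa.length, sb.length);
  for (let i = 0; i < n; i++) {
    const x = sa[i], y = sb[i];
    const xNum = /^[0-9]/.test(x), yNum = /^[0-9]/.test(y);
    if (xNum !== yNum) return xNum ? 1 : -1;
    if (xNum) {
      const xs = x.replace(/^0+/, ''), ys = y.replace(/^0+/, '');
      if (xs.length !== ys.length) return xs.length > ys.length ? 1 : -1;
      if (xs !== ys) return xs > ys ? 1 : -1;
    } else if (x !== y) {
      return x > y ? 1 : -1;
    }
  }
  if (sa.length === sb.length) return 0;
  return sa.length > sb.length ? 1 : -1;
}

// Compare two "VERSION-RELEASE" strings as shown in the table. Epoch is
// assumed absent (0) on both sides.
function compareEVR(a, b) {
  const [va, ra = ''] = a.split('-', 2);
  const [vb, rb = ''] = b.split('-', 2);
  return rpmvercmp(va, vb) || rpmvercmp(ra, rb);
}

// CVEs from the table whose fix is newer than the installed package.
function unpatchedCVEs(installed) {
  return Object.keys(FIXED_IN)
    .filter((cve) => compareEVR(installed, FIXED_IN[cve]) < 0)
    .sort();
}

// Constructed sample value, not output from a real host. On a host it would be
//   rpm -q --qf '%{VERSION}-%{RELEASE}\n' nodejs16
console.log(unpatchedCVEs('16.17.0-150300.7.9.1'));
```

Note that release `150300.7.10.1` sorts after `150300.7.9.1` under this ordering, which a string comparison would get wrong; that is the reason for the segment-wise numeric compare rather than a one-line string check.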
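The three undici entries (CVE-2022-35948, CVE-2022-31150, CVE-2022-35949) share one root cause: user input reaching a request header value or the `path` option of `undici.request` unchecked. Upgrading the package closes the library-side bug, but the application-side checks are worth having regardless. The following is an added example, not undici's own code, showing the two checks: header values are refused if they contain CR, LF or NUL, and the path is refused unless it resolves to the same origin the caller chose (which catches `//127.0.0.1/...`, an absolute `http://...` value, and the backslash form that the WHATWG URL parser treats as `//`). `origin`, `path` and `headers` are used as the option names the advisory text refers to; the inputs at the bottom are constructed and no request is sent.

```javascript
// Added example, not undici's own code: validate untrusted header values and
// the request path before they reach undici.request(). Runs offline.

// RFC 7230 token characters, the only ones allowed in a header name.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// A header value containing CR, LF or NUL would end the header line and let
// the caller append arbitrary headers (or a second request). Refuse it rather
// than stripping it: silently altering the value hides the attempt.
function sanitizeHeaders(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!TOKEN.test(name)) {
      throw new TypeError(`invalid header name ${JSON.stringify(name)}`);
    }
    if (typeof value !== 'string' || /[\r\n\0]/.test(value)) {
      throw new TypeError(`control characters in header ${name}`);
    }
    clean[name] = value;
  }
  return clean;
}

// Placeholder origin used only to resolve the path; nothing is contacted.
const PROBE_ORIGIN = 'http://origin.invalid';

// The path must stay on the origin the caller chose. "//127.0.0.1/x",
// "http://127.0.0.1" and, because the WHATWG parser treats "\" as "/" for
// http URLs, "/\127.0.0.1/x" all resolve to another origin and are rejected.
// The returned value is the parser's normalised path plus query, so dot
// segments and unescaped characters are cleaned up as a side effect.
function safePath(path) {
  if (typeof path !== 'string' || !path.startsWith('/') || /[\r\n\0]/.test(path)) {
    throw new TypeError(`path must be origin-relative: ${JSON.stringify(path)}`);
  }
  const resolved = new URL(path, PROBE_ORIGIN);
  if (resolved.origin !== PROBE_ORIGIN) {
    throw new TypeError(`path escapes origin (${resolved.origin}): ${JSON.stringify(path)}`);
  }
  return resolved.pathname + resolved.search;
}

// Build the pieces for undici.request(origin, { path, headers }) from
// user-controlled parts. Assumption: these are the option names the
// advisory text refers to.
function safeRequestOptions(origin, userPath, userHeaders) {
  return { origin, path: safePath(userPath), headers: sanitizeHeaders(userHeaders) };
}

// Constructed inputs for the example (no request is made):
const opts = safeRequestOptions('https://api.example.invalid', '/v1/items?id=7', {
  'content-type': 'application/json',
});
console.log(opts);
// Then, with undici installed:
//   const { request } = require('undici');
//   await request(opts.origin, { path: opts.path, headers: opts.headers });
```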
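The four llhttp entries (CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-35256) are all request-smuggling primitives: two parsers in the chain disagree on where one request ends because the request head is framed ambiguously. The following is an added example, not llhttp code, of a strict check on a raw HTTP/1.1 request head that reports the ambiguities those entries name: a header block not terminated with CRLF, bare CR or LF as a line delimiter, an obs-fold (multi-line) header such as a folded Transfer-Encoding, and a Transfer-Encoding list that is unrecognised, does not end in `chunked`, or is combined with Content-Length. The page does not say which exact inputs each CVE covers; the rules here are the RFC 7230 conditions behind those classes, and the sample requests are constructed, not captured traffic.

```javascript
// Added example, not llhttp code: strict check of an HTTP/1.1 request head
// for the framing ambiguities the llhttp advisories above describe.

const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Transfer codings accepted here (assumption: RFC 7230 registry names plus
// the two legacy x- aliases).
const KNOWN_CODINGS = new Set(['chunked', 'gzip', 'deflate', 'compress', 'x-gzip', 'x-compress']);

// Returns a list of problems; an empty list means the head is unambiguous.
function checkRequestHead(raw) {
  const problems = [];
  const end = raw.indexOf('\r\n\r\n');
  if (end === -1) {
    problems.push('header block is not terminated with CRLF CRLF');
    return problems;
  }
  const head = raw.slice(0, end);
  // A LF not preceded by CR, or a CR not followed by LF, is a bare delimiter.
  if (/(^|[^\r])\n/.test(head) || /\r(?!\n)/.test(head)) {
    problems.push('bare CR or LF used as a line delimiter');
  }
  const lines = head.split('\r\n');
  if (!/^[A-Z]+ \S+ HTTP\/1\.[01]$/.test(lines[0])) {
    problems.push(`malformed request line ${JSON.stringify(lines[0])}`);
  }
  const codings = [];
  const lengths = [];
  for (const line of lines.slice(1)) {
    if (/^[ \t]/.test(line)) {
      // obs-fold: a continuation line that parsers may glue to the previous
      // header or treat as a new one.
      problems.push(`obsolete line folding ${JSON.stringify(line)}`);
      continue;
    }
    const m = /^([^:]+):[ \t]*(.*?)[ \t]*$/.exec(line);
    if (!m || !TOKEN.test(m[1])) {
      problems.push(`malformed header line ${JSON.stringify(line)}`);
      continue;
    }
    const name = m[1].toLowerCase();
    if (name === 'transfer-encoding') {
      codings.push(...m[2].split(',').map((c) => c.trim().toLowerCase()).filter(Boolean));
    } else if (name === 'content-length') {
      lengths.push(m[2]);
    }
  }
  if (codings.length) {
    const bad = codings.filter((c) => !KNOWN_CODINGS.has(c));
    if (bad.length) problems.push(`unrecognised transfer coding ${JSON.stringify(bad)}`);
    if (codings[codings.length - 1] !== 'chunked') problems.push('chunked is not the final transfer coding');
    if (lengths.length) problems.push('both Transfer-Encoding and Content-Length present');
  }
  if (lengths.some((v) => !/^[0-9]+$/.test(v)) || new Set(lengths).size > 1) {
    problems.push(`invalid or conflicting Content-Length ${JSON.stringify(lengths)}`);
  }
  return problems;
}

// Constructed sample requests (not captured traffic):
const SAMPLES = {
  clean: 'POST /upload HTTP/1.1\r\nHost: example.invalid\r\nTransfer-Encoding: chunked\r\n\r\n',
  bareLf: 'POST /upload HTTP/1.1\r\nHost: example.invalid\nContent-Length: 5\r\n\r\n',
  foldedTe: 'POST /upload HTTP/1.1\r\nHost: example.invalid\r\nTransfer-Encoding: gzip,\r\n chunked\r\n\r\n',
  teAndCl: 'POST /upload HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 4\r\nTransfer-Encoding: chunked, x-foo\r\n\r\n',
  noCrlfEnd: 'GET / HTTP/1.1\r\nHost: example.invalid\n\n',
};

for (const [name, raw] of Object.entries(SAMPLES)) {
  console.log(name, checkRequestHead(raw));
}
```

A check like this belongs at the edge (a reverse proxy or a test harness that replays suspect captures), since by the time a vulnerable llhttp has accepted the head the second parser has already disagreed with it.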