rpm package
suse/nodejs4&distro=SUSE Enterprise Storage 4
pkg:rpm/suse/nodejs4&distro=SUSE%20Enterprise%20Storage%204
Vulnerabilities (25)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-13173 | — | < 4.9.1-15.23.1 | 4.9.1-15.23.1 | Jul 2, 2019 | fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirW | ||
| CVE-2019-5739 | — | < 4.9.1-15.20.1 | 4.9.1-15.20.1 | Mar 28, 2019 | Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Serv | ||
| CVE-2019-5737 | — | < 4.9.1-15.20.1 | 4.9.1-15.20.1 | Mar 28, 2019 | In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection an | ||
| CVE-2019-1559 | — | < 4.9.1-15.20.1 | 4.9.1-15.20.1 | Feb 27, 2019 | If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 by | ||
| CVE-2018-12123 | — | < 4.9.1-15.17.1 | 4.9.1-15.17.1 | Nov 28, 2018 | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. | ||
| CVE-2018-12122 | — | < 4.9.1-15.17.1 | 4.9.1-15.17.1 | Nov 28, 2018 | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time. | ||
| CVE-2018-12121 | — | < 4.9.1-15.17.1 | 4.9.1-15.17.1 | Nov 28, 2018 | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to | ||
| CVE-2018-12120 | — | < 4.9.1-15.17.1 | 4.9.1-15.17.1 | Nov 28, 2018 | Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug po | ||
| CVE-2018-12116 | — | < 4.9.1-15.17.1 | 4.9.1-15.17.1 | Nov 28, 2018 | Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-define | ||
| CVE-2018-5407 | — | < 4.9.1-15.17.1 | 4.9.1-15.17.1 | Nov 15, 2018 | Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'. | ||
| CVE-2018-0734 | — | < 4.9.1-15.17.1 | 4.9.1-15.17.1 | Oct 30, 2018 | The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fi | ||
| CVE-2018-12115 | — | < 4.9.1-15.14.1 | 4.9.1-15.14.1 | Aug 21, 2018 | In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that s | ||
| CVE-2018-0732 | — | < 4.9.1-15.14.1 | 4.9.1-15.14.1 | Jun 12, 2018 | During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client | ||
| CVE-2018-7159 | — | < 4.9.1-15.11.1 | 4.9.1-15.11.1 | May 17, 2018 | The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node. | ||
| CVE-2018-7158 | — | < 4.9.1-15.11.1 | 4.9.1-15.11.1 | May 17, 2018 | The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitP | ||
| CVE-2017-15896 | Cri | 9.1 | < 4.8.7-15.8.1 | 4.8.7-15.8.1 | Dec 11, 2017 | Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentica | |
| CVE-2017-3738 | Med | 5.9 | < 4.8.7-15.8.1 | 4.8.7-15.8.1 | Dec 7, 2017 | There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believ | |
| CVE-2017-3736 | Med | 6.5 | < 4.8.7-15.8.1 | 4.8.7-15.8.1 | Nov 2, 2017 | There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are n | |
| CVE-2017-14919 | Hig | 7.5 | < 4.8.7-15.8.1 | 4.8.7-15.8.1 | Oct 30, 2017 | Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter. | |
| CVE-2017-3735 | Med | 5.3 | < 4.8.7-15.8.1 | 4.8.7-15.8.1 | Aug 28, 2017 | While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g |
- CVE-2019-13173Jul 2, 2019affected < 4.9.1-15.23.1fixed 4.9.1-15.23.1
fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirW
- CVE-2019-5739Mar 28, 2019affected < 4.9.1-15.20.1fixed 4.9.1-15.20.1
Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Serv
- CVE-2019-5737Mar 28, 2019affected < 4.9.1-15.20.1fixed 4.9.1-15.20.1
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection an
- CVE-2019-1559Feb 27, 2019affected < 4.9.1-15.20.1fixed 4.9.1-15.20.1
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 by
- CVE-2018-12123Nov 28, 2018affected < 4.9.1-15.17.1fixed 4.9.1-15.17.1
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g.
- CVE-2018-12122Nov 28, 2018affected < 4.9.1-15.17.1fixed 4.9.1-15.17.1
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.
- CVE-2018-12121Nov 28, 2018affected < 4.9.1-15.17.1fixed 4.9.1-15.17.1
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to
- CVE-2018-12120Nov 28, 2018affected < 4.9.1-15.17.1fixed 4.9.1-15.17.1
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug po
- CVE-2018-12116Nov 28, 2018affected < 4.9.1-15.17.1fixed 4.9.1-15.17.1
Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-define
- CVE-2018-5407Nov 15, 2018affected < 4.9.1-15.17.1fixed 4.9.1-15.17.1
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
- CVE-2018-0734Oct 30, 2018affected < 4.9.1-15.17.1fixed 4.9.1-15.17.1
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fi
- CVE-2018-12115Aug 21, 2018affected < 4.9.1-15.14.1fixed 4.9.1-15.14.1
In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that s
- CVE-2018-0732Jun 12, 2018affected < 4.9.1-15.14.1fixed 4.9.1-15.14.1
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client
- CVE-2018-7159May 17, 2018affected < 4.9.1-15.11.1fixed 4.9.1-15.11.1
The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.
- CVE-2018-7158May 17, 2018affected < 4.9.1-15.11.1fixed 4.9.1-15.11.1
The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitP
- affected < 4.8.7-15.8.1fixed 4.8.7-15.8.1
Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentica
- affected < 4.8.7-15.8.1fixed 4.8.7-15.8.1
There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believ
- affected < 4.8.7-15.8.1fixed 4.8.7-15.8.1
There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are n
- affected < 4.8.7-15.8.1fixed 4.8.7-15.8.1
Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.
- affected < 4.8.7-15.8.1fixed 4.8.7-15.8.1
While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g
Page 1 of 2