rpm package
suse/nodejs6&distro=SUSE OpenStack Cloud Crowbar 8
pkg:rpm/suse/nodejs6&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
Vulnerabilities (22)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-8174 | — | < 6.17.1-11.37.1 | 6.17.1-11.37.1 | Jul 24, 2020 | napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0. | ||
| CVE-2020-7598 | — | < 6.17.1-11.37.1 | 6.17.1-11.37.1 | Mar 11, 2020 | minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload. | ||
| CVE-2019-15606 | — | < 6.17.1-11.33.1 | 6.17.1-11.33.1 | Feb 7, 2020 | Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons | ||
| CVE-2019-15604 | — | < 6.17.1-11.33.1 | 6.17.1-11.33.1 | Feb 7, 2020 | Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate | ||
| CVE-2019-15605 | — | < 6.17.1-11.33.1 | 6.17.1-11.33.1 | Feb 7, 2020 | HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed | ||
| CVE-2019-16777 | — | < 6.17.1-11.30.1 | 6.17.1-11.30.1 | Dec 13, 2019 | Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subse | ||
| CVE-2019-16776 | — | < 6.17.1-11.30.1 | 6.17.1-11.30.1 | Dec 13, 2019 | Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher t | ||
| CVE-2019-16775 | — | < 6.17.1-11.30.1 | 6.17.1-11.30.1 | Dec 13, 2019 | Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would a | ||
| CVE-2019-13173 | — | < 6.17.0-11.27.1 | 6.17.0-11.27.1 | Jul 2, 2019 | fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirW | ||
| CVE-2019-5739 | — | < 6.17.0-11.24.1 | 6.17.0-11.24.1 | Mar 28, 2019 | Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Serv | ||
| CVE-2019-5737 | — | < 6.17.0-11.24.1 | 6.17.0-11.24.1 | Mar 28, 2019 | In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection an | ||
| CVE-2019-1559 | — | < 6.17.0-11.24.1 | 6.17.0-11.24.1 | Feb 27, 2019 | If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 by | ||
| CVE-2018-12123 | — | < 6.16.0-11.21.1 | 6.16.0-11.21.1 | Nov 28, 2018 | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. | ||
| CVE-2018-12122 | — | < 6.16.0-11.21.1 | 6.16.0-11.21.1 | Nov 28, 2018 | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time. | ||
| CVE-2018-12121 | — | < 6.16.0-11.21.1 | 6.16.0-11.21.1 | Nov 28, 2018 | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to | ||
| CVE-2018-12120 | — | < 6.16.0-11.21.1 | 6.16.0-11.21.1 | Nov 28, 2018 | Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug po | ||
| CVE-2018-12116 | — | < 6.16.0-11.21.1 | 6.16.0-11.21.1 | Nov 28, 2018 | Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-define | ||
| CVE-2018-5407 | — | < 6.16.0-11.21.1 | 6.16.0-11.21.1 | Nov 15, 2018 | Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'. | ||
| CVE-2018-0734 | — | < 6.16.0-11.21.1 | 6.16.0-11.21.1 | Oct 30, 2018 | The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fi | ||
| CVE-2018-12115 | — | < 6.14.4-11.18.1 | 6.14.4-11.18.1 | Aug 21, 2018 | In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that s |
- CVE-2020-8174Jul 24, 2020affected < 6.17.1-11.37.1fixed 6.17.1-11.37.1
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
- CVE-2020-7598Mar 11, 2020affected < 6.17.1-11.37.1fixed 6.17.1-11.37.1
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
- CVE-2019-15606Feb 7, 2020affected < 6.17.1-11.33.1fixed 6.17.1-11.33.1
Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
- CVE-2019-15604Feb 7, 2020affected < 6.17.1-11.33.1fixed 6.17.1-11.33.1
Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate
- CVE-2019-15605Feb 7, 2020affected < 6.17.1-11.33.1fixed 6.17.1-11.33.1
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
- CVE-2019-16777Dec 13, 2019affected < 6.17.1-11.30.1fixed 6.17.1-11.30.1
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subse
- CVE-2019-16776Dec 13, 2019affected < 6.17.1-11.30.1fixed 6.17.1-11.30.1
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher t
- CVE-2019-16775Dec 13, 2019affected < 6.17.1-11.30.1fixed 6.17.1-11.30.1
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would a
- CVE-2019-13173Jul 2, 2019affected < 6.17.0-11.27.1fixed 6.17.0-11.27.1
fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirW
- CVE-2019-5739Mar 28, 2019affected < 6.17.0-11.24.1fixed 6.17.0-11.24.1
Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Serv
- CVE-2019-5737Mar 28, 2019affected < 6.17.0-11.24.1fixed 6.17.0-11.24.1
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection an
- CVE-2019-1559Feb 27, 2019affected < 6.17.0-11.24.1fixed 6.17.0-11.24.1
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 by
- CVE-2018-12123Nov 28, 2018affected < 6.16.0-11.21.1fixed 6.16.0-11.21.1
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g.
- CVE-2018-12122Nov 28, 2018affected < 6.16.0-11.21.1fixed 6.16.0-11.21.1
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.
- CVE-2018-12121Nov 28, 2018affected < 6.16.0-11.21.1fixed 6.16.0-11.21.1
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to
- CVE-2018-12120Nov 28, 2018affected < 6.16.0-11.21.1fixed 6.16.0-11.21.1
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug po
- CVE-2018-12116Nov 28, 2018affected < 6.16.0-11.21.1fixed 6.16.0-11.21.1
Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-define
- CVE-2018-5407Nov 15, 2018affected < 6.16.0-11.21.1fixed 6.16.0-11.21.1
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
- CVE-2018-0734Oct 30, 2018affected < 6.16.0-11.21.1fixed 6.16.0-11.21.1
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fi
- CVE-2018-12115Aug 21, 2018affected < 6.14.4-11.18.1fixed 6.14.4-11.18.1
In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that s
Page 1 of 2