
346 matches found

CNNVD
added 2021/04/18 12:0 a.m., 5 views

npm picotts command injection vulnerability

npm picotts is a PicoTTS wrapper for NodeJS, an application from the US company npm. picotts has a security vulnerability that an attacker can exploit to potentially execute arbitrary commands. This is due to the lack of input validation when executing functions using child processes...

CVSS 9.8, AI score 8.6, EPSS 0.01943
Exploits: 1, References: 3

RedHat Linux
added 2021/03/15 2:55 p.m., 2 views

nodejs: DNS rebinding in --inspect

A flaw was found in nodejs. A denial of service is possible when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS over the network. If the attacker controls the victim's DNS server or can spoof its response...

CVSS 7.5, AI score 7, EPSS 0.32362
Exploits: 1, References: 4

RedHat Linux
added 2021/03/08 10:18 a.m., 4 views

nodejs: DNS rebinding in --inspect

A flaw was found in nodejs. A denial of service is possible when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS over the network. If the attacker controls the victim's DNS server or can spoof its response...

CVSS 7.5, AI score 7, EPSS 0.32362
Exploits: 1, References: 4

OSV
added 2021/03/03 6:15 p.m., 2 views

UBUNTU-CVE-2021-22883

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unabl...

CVSS 7.5, AI score 6.9, EPSS 0.77385
Exploits: 0, References: 5

OSV
added 2021/03/03 6:15 p.m., 3 views

UBUNTU-CVE-2021-22884

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DN...

CVSS 7.5, AI score 6.9, EPSS 0.32362
Exploits: 1, References: 5

RedHat Linux
added 2021/02/15 6:28 p.m., 3 views

nodejs: HTTP request smuggling via two copies of a header field in an http request

A flaw was found in nodejs. Affected versions of Node.js allow two copies of a header field in an HTTP request. The first header field is recognized while the second is ignored leading to HTTP request smuggling. The highest threat from this vulnerability is to data confidentiality and integrity...

CVSS 6.5, AI score 7.3, EPSS 0.16296
Exploits: 2, References: 4

RedHat Linux
added 2021/02/04 5:20 p.m., 2 views

nodejs: HTTP request smuggling via two copies of a header field in an http request

A flaw was found in nodejs. Affected versions of Node.js allow two copies of a header field in an HTTP request. The first header field is recognized while the second is ignored leading to HTTP request smuggling. The highest threat from this vulnerability is to data confidentiality and integrity...

CVSS 6.5, AI score 7.3, EPSS 0.16296
Exploits: 2, References: 4

RedHat Linux
added 2021/02/04 5:20 p.m., 4 views

nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS

This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters...

CVSS 7.5, AI score 7.4, EPSS 0.0344
Exploits: 1, References: 5

RedHat Linux
added 2021/02/04 5:20 p.m., 1 view

nodejs: use-after-free in the TLS implementation

A flaw was found in nodejs. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResu...

CVSS 8.1, AI score 7.2, EPSS 0.09009
Exploits: 1, References: 5

OSV
added 2021/01/06 9:15 p.m., 4 views

ALPINE-CVE-2020-8265

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method...

CVSS 8.1, AI score 6.9, EPSS 0.09009
Exploits: 1, References: 1

IBM Security Bulletins
added 2020/12/09 11:22 a.m., 14 views

Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise (CVE-2019-1551)

Summary: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise. The DataDirect ODBC Drivers and level of node js used by IBM App Connect Enterprise and IBM Integration Bus have addressed the applicable CVEs. Vulnerability Details: CVEID: CVE-2019-1551 DESCRIPTION:...

CVSS 5.3, AI score 1.1, EPSS 0.14298
Exploits: 0

OSV
added 2020/11/19 1:15 a.m., 5 views

AZL-32281 CVE-2020-8277 affecting package python-gevent for versions less than 21.1.2-3

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions before 15.2.1, 14.15.1, and 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and...

CVSS 7.5, AI score 6.9, EPSS 0.54164
Exploits: 0, References: 1

OSV
added 2020/09/18 9:15 p.m., 1 view

UBUNTU-CVE-2020-8252

The implementation of realpath in libuv 10.22.1, 12.18.4, and 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes...

CVSS 7.8, AI score 7, EPSS 0.00714
Exploits: 0, References: 6

Huntr
added 2020/09/02 12:0 a.m., 93 views

Command Injection in kylefarris/clamscan

Overview: clamscan lets you use Node JS to scan files on your server with ClamAV's clamscan binary or clamdscan daemon. This is especially useful for scanning uploaded files provided by untrusted sources. This package is vulnerable to Command Injection; it is possible to inject arbitrary commands a...

CVSS 6.8, AI score 1.8, EPSS 0.02122
Exploits: 1

BDU FSTEC
added 2020/07/31 12:0 a.m., 4 views

The vulnerability in the implementation of the TLS protocol on the Node.js software platform allows an attacker to execute a type of “man-in-the-middle” attack.

The vulnerability of the Node.js software platform’s TLS protocol lies in the shortcomings of certificate authenticity verification. Exploiting this vulnerability allows a malicious actor to execute a type of “man-in-the-middle” attack...

CVSS 8.8, AI score 7, EPSS 0.06065
Exploits: 1, References: 10, Affected Software: 8

OSV
added 2020/07/24 10:15 p.m., 2 views

ALPINE-CVE-2020-8174

napi_get_value_string_*() allows various kinds of memory corruption in node 10.21.0, 12.18.0, and 14.4.0...

CVSS 8.1, AI score 7.1, EPSS 0.07646
Exploits: 1, References: 1

RedHat Linux
added 2020/02/25 1:7 p.m., 6 views

nodejs: HTTP request smuggling using malformed Transfer-Encoding header

A flaw was found in the Node.js code where a specially crafted HTTPs request sent to a Node.js server failed to properly process the HTTPs headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is...

CVSS 9.8, AI score 7.2, EPSS 0.57132
Exploits: 0, References: 5

RedHat Linux
added 2020/02/25 8:39 a.m., 3 views

nodejs: HTTP request smuggling using malformed Transfer-Encoding header

A flaw was found in the Node.js code where a specially crafted HTTPs request sent to a Node.js server failed to properly process the HTTPs headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is...

CVSS 9.8, AI score 7.2, EPSS 0.57132
Exploits: 0, References: 5

RedHat Linux
added 2020/02/24 12:55 p.m., 6 views

nodejs: HTTP header values do not have trailing optional whitespace trimmed

A flaw was found in Node.js where the HTTPs header values were not stripped of trailing whitespace. An attacker can use this flaw to send an HTTPs request which is validated by an upstream proxy server, but not by the Node.js HTTPs server...

CVSS 9.8, AI score 7.1, EPSS 0.20041
Exploits: 1, References: 5

OSV
added 2020/02/12 3:15 p.m., 3 views

UBUNTU-CVE-2013-7381

libnotify before 1.0.4 for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in a call to libnotify.notify...

CVSS 9.8, AI score 6.1, EPSS 0.02685
Exploits: 0, References: 5