4420 matches found
RHEL 8 : grafana (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - nodejs-underscore: Arbitrary code execution via the template function CVE-2021-23358 - node-fetch is...
CBL Mariner 2.0 Security Update: fluent-bit / nghttp2 / nodejs / nodejs18 (CVE-2024-28182)
The version of fluent-bit / nghttp2 / nodejs / nodejs18 installed on the remote CBL Mariner 2.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-28182 advisory. - nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 ...
CBL Mariner 2.0 Security Update: nodejs / nodejs18 / reaper (CVE-2024-28863)
The version of nodejs / nodejs18 / reaper installed on the remote CBL Mariner 2.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-28863 advisory. - node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the numbe...
SUSE CVE-2024-22018
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve...
AZL-43213 CVE-2024-22018 affecting package nodejs 20.14.0-13
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve...
DEBIAN-CVE-2024-22018
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve...
CVE-2024-22018 vulnerabilities
Vulnerabilities for packages: nodejs...
Authorization Bypass
Overview Affected versions of this package are vulnerable to Authorization Bypass due to a failure to restrict file stats through the fs.lstat API that allows attackers to retrieve stats from files to which they do not have explicit read access. Note: This is exploitable only for users of the...
Authorization Bypass
Overview Affected versions of this package are vulnerable to Authorization Bypass via fs.fchown or fs.fchmod operations which can use a "read-only" file descriptor to change the owner and permissions of a file. Note: This is only exploitable for users using the experimental permission when the...
AZL-43216 CVE-2024-22020 affecting package nodejs18 for versions less than 18.20.3-3
A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports...
CVE-2024-22020 vulnerabilities
Vulnerabilities for packages: nodejs...
AZL-43195 CVE-2024-22020 affecting package nodejs for versions less than 20.14.0-5
A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports...
undici Security breach
undici is an HTTP/1.1 client. A security vulnerability exists in undici version 6.14.0 through versions prior to 6.19.2, which stems from the response.arrayBuffer function potentially containing portions of memory from a Node.js process...
CBL Mariner 2.0 Security Update: cloud-hypervisor-cvm / hvloader / nodejs / nodejs18 / openssl (CVE-2023-6129)
The version of cloud-hypervisor-cvm / hvloader / nodejs / nodejs18 / openssl installed on the remote CBL Mariner 2.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-6129 advisory. - Issue summary: The POLY1305 MAC message authentication...
CBL Mariner 2.0 Security Update: c-ares / fluent-bit / grpc / nodejs (CVE-2023-31130)
The version of c-ares / fluent-bit / grpc / nodejs installed on the remote CBL Mariner 2.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-31130 advisory. - c-ares is an asynchronous resolver library. ares_inet_net_pton is vulnerable to a...
CBL Mariner 2.0 Security Update: nodejs18 / nodejs (CVE-2024-27982)
The version of nodejs18 / nodejs installed on the remote CBL Mariner 2.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-27982 advisory. - The team has identified a critical vulnerability in the http server of the most recent version of...
CBL Mariner 2.0 Security Update: c-ares / fluent-bit / grpc / nodejs (CVE-2023-31147)
The version of c-ares / fluent-bit / grpc / nodejs installed on the remote CBL Mariner 2.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-31147 advisory. - c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom a...
CBL Mariner 2.0 Security Update: c-ares / nodejs / python-gevent / grpc (CVE-2022-4904)
The version of c-ares / nodejs / python-gevent / grpc installed on the remote CBL Mariner 2.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-4904 advisory. - A flaw was found in the c-ares package. The ares_set_sortlist is missing checks...
CBL Mariner 2.0 Security Update: cloud-hypervisor-cvm / edk2 / hvloader / nodejs / nodejs18 / openssl (CVE-2024-4603)
The version of cloud-hypervisor-cvm / edk2 / hvloader / nodejs / nodejs18 / openssl installed on the remote CBL Mariner 2.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-4603 advisory. - Issue summary: Checking excessively long DSA ke...
CBL Mariner 2.0 Security Update: c-ares / fluent-bit / grpc / nodejs (CVE-2023-32067)
The version of c-ares / fluent-bit / grpc / nodejs installed on the remote CBL Mariner 2.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-32067 advisory. - c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of...