OESA-2024-1402 nodejs-qs security update

This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior and twice as fast. Used by express, connect and others. Security Fixes: qs before 6.10.3, as used in Express before 4.17.3 a...

OESA-2024-1400 nodejs-qs security update

This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior and twice as fast. Used by express, connect and others. Security Fixes: qs before 6.10.3, as used in Express before 4.17.3 a...

OESA-2024-1403 nodejs-qs security update

This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior and twice as fast. Used by express, connect and others. Security Fixes: qs before 6.10.3, as used in Express before 4.17.3 a...

Fedora 38 : nodejs-undici (2024-6d9c1da54f)

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-6d9c1da54f advisory. Update to version 6.11.1. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...

Fedora 39 : nodejs-undici (2024-ad51aa23c3)

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-ad51aa23c3 advisory. Update to version 6.11.1. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...

Important Photon OS Security Update - PHSA-2024-5.0-0243

Updates of 'nodejs', 'openssl' packages of Photon OS have been released...

MySQL2 安全漏洞

MySQL2 is a MySQL client for Node.js by the individual developer Andrey Sidorov. A security vulnerability exists in MySQL2 versions prior to 3.9.4 that stems from improper cleaning of user input...

The vulnerability of the PrivateDecrypt() function in the cryptographic library of the Node.js software platform, which allows a attacker to execute the Bleichenbacher attack or the Marvin attack.

The vulnerability of the PrivateDecrypt function in the Node.js software library is related to the use of hidden auxiliary channels due to a discrepancy in the timing of decrypting valid and invalid encrypted texts based on the PKCS1 v1.5 cryptographic standard. Exploiting this vulnerability allo...

CVE-2024-22025 affecting package nodejs for versions less than 16.20.2-4

CVE-2024-22025 affecting package nodejs for versions less than 16.20.2-4. A patched version of the package is available...

AZL-39587 CVE-2024-27983 affecting package nodejs18 for versions less than 18.18.2-7

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

ALPINE-CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

AZL-39584 CVE-2024-27983 affecting package nodejs for versions less than 20.14.0-1

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

Mageia: Security Advisory (MGASA-2024-0110)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization

A flaw was found in Node.js. Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwritten with user-defined implementations, leading to a filesystem permission model bypass through a path traversal attack...

nodejs: path traversal by monkey-patching buffer internals

A flaw was found in Node.js. The permission model protects itself against path traversal attacks by calling path.resolve on any paths given by the user. If the path is to be treated as a buffer, the implementation uses Buffer.from to obtain a buffer from the result of path.resolve. By...

nodejs: improper handling of wildcards in --allow-fs-read and --allow-fs-write

A flaw was found in the Node.js Permission Model, where it is not clarified in the documentation that wildcards should only be used as the last character of a file path. For example: --allow-fs-read=/home/node/.ssh/.pub will ignore pub and give access to everything after .ssh/...

nodejs: setuid() does not drop all privileges due to io_uring

A flaw was found in Node.js, where the setuid does not affect libuv's internal iouring operations if initialized before the call to setuid. This issue allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid...

RHEL 9 : nodejs:20 (RHSA-2024:1688)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1688 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...

nodejs:20 security update

nodejs 1:20.11.1-1 - Rebase to version 20.11.1 - Fixes: CVE-2024-21892 CVE-2024-21896 CVE-2024-22017 CVE-2024-22019 high - Fixes: CVE-2023-46809 CVE-2024-21890 CVE-2024-21891 medium nodejs-nodemon nodejs-packaging...

nodejs:20 security update

nodejs 1:20.11.1-1 - Rebase to version 20.11.1 - Fixes: CVE-2024-21892 CVE-2024-21896 CVE-2024-22017 CVE-2024-22019 high - Fixes: CVE-2023-46809 CVE-2024-21890 CVE-2024-21891 medium nodejs-nodemon nodejs-packaging...