AZL-34278 CVE-2024-24806 affecting package nodejs18 for versions less than 18.18.2-4

libuv is a multi-platform support library with a focus on asynchronous I/O. The uvgetaddrinfo function in src/unix/getaddrinfo.c and its windows counterpart src/win/getaddrinfo.c, truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to create addresses...

CVE-2024-24806 vulnerabilities

Vulnerabilities for packages: libuv, nodejs...

CVE-2024-24806 vulnerabilities

Vulnerabilities for packages: nodejs, libuv...

Moderate: Red Hat Security Advisory: Migration Toolkit for Runtimes security, bug fix and enhancement update

Migration Toolkit for Runtimes 1.2.4 release Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the...

Security Bulletin: Multiple vulnerabilities in nodejs packages affect IBM Business Automation Workflow - CVE-2023-26159, CVE-2023-45857

Summary IBM Business Automation Workflow Workflow Center user interfaces package vulnerable versions of open source dependencies. Vulnerability Details CVEID:CVE-2023-26159 DESCRIPTION: follow-redirects could allow a remote attacker to conduct phishing attacks, caused by an open redirect...

AZL-33935 CVE-2024-0727 affecting package nodejs for versions less than 16.20.2-2

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates...

Debian: Security Advisory (DSA-5589-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

AZL-33349 CVE-2024-22195 affecting package nodejs18 for versions less than 18.20.3-3

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting XSS. The Jinja xmlattr filter can be abused t...

AZL-35044 CVE-2023-6129 affecting package nodejs for versions less than 20.14.0-1

Issue summary: The POLY1305 MAC message authentication code implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC...

Malicious code in dynatrace-oneagent-nodejs (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b38a3f821fef1b8ddca507f11dff965bc5dddb2e2bd7d952c3b6b19103c69c10 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Ubuntu: Security Advisory (USN-6564-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

USN-6564-1 nodejs vulnerabilities

Hubert Kario discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive information. CVE-2022-4304 CarpetFuzz, Dawei Wang discovered that...

CVE-2023-52079

CVE-2023-52079 concerns msgpackr (NodeJS/JavaScript) before version 1.10.1. When decoding user-supplied MessagePack messages, the decoder can get stuck in a loop, tying up threads. The issue is associated with how certain extensions (e.g., 0x70) may be processed; a mitigation path involves replac...

CVE-2023-52079 Conversion of property names to strings can trigger infinite recursion

msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to require structured...

DSA-5589-1 nodejs - security update

Bulletin has no description...

Denial Of Service (DoS)

@octokit/webhooks is vulnerable to Denial Of Service DoS. The vulnerability is caused by a lack of exception handling in the verifyAndReceive method within src/verify-and-receive.ts. This method internally calls another method verify which throws an exception which remains unhandled. This uncaugh...

CVE-2023-50728

An uncaught exception vulnerability was found in octokit webhooks. An error may be undefined in some cases, and the resulting request can cause an uncaught exception that ends the nodejs process...

PT-2023-31626 · Github · Octokit/Webhooks +1

Name of the Vulnerable Software and Affected Versions: octokit/webhooks versions 9.26.0 through 9.26.2 octokit/webhooks versions 10.9.0 through 10.9.1 octokit/webhooks versions 11.1.0 through 11.1.1 octokit/webhooks versions 12.0.0 through 12.0.3 Description: The issue is caused by a problem with...

GHSA-4G6Q-77J7-VVJC Logging of the firestore key within nodejs-firestore

A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this.settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this...

Logging of the firestore key within nodejs-firestore

A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this.settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this...