nodejs:14 security, bug fix, and enhancement update
nodejs 1:14.21.3-1 - Rebase to 14.21.3 Resolves: rhbz2153712 Resolves: CVE-2022-25881 CVE-2023-23918 CVE-2023-23920 CVE-2022-38900 Resolves: CVE-2022-4904...
Vulnerability fixed in Node.js vm2
A vulnerability has been fixed in vm2. vm2 is a package for Node.js and provides a sandbox environment for running untrusted code. The vulnerability allows a malicious party to break out of the sandbox and thus execute code on the system on which vm2 is running. The way the vulnerability can b...
nodejs:18 security, bug fix, and enhancement update
An update is available for nodejs, nodejs-packaging, module.nodejs-packaging, module.nodejs-nodemon, nodejs-nodemon, module.nodejs. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability...
vm2 security vulnerability
vm2 is an advanced virtual machine/sandbox for Node.js by individual developer Patrik Simek in the Czech Republic, used to run untrusted code with whitelisted Node built-in modules. A security vulnerability exists in vm2 versions prior to 3.9.15 that stems from vm2 not properly handling passed host...
nodejs:16 security, bug fix, and enhancement update
nodejs 1:16.19.1-1 - Rebase to 16.19.1 Resolves: rhbz2153713 Resolves: CVE-2023-23918 CVE-2023-23919 CVE-2023-23936 CVE-2023-24807 CVE-2023-23920 Resolves: CVE-2022-25881 CVE-2022-4904 nodejs-nodemon 2.0.20-3 - Patch bundled glob-parent Resolves: CVE-2021-35065...
nodejs:18 security, bug fix, and enhancement update
nodejs 1:18.14.2-2 - Provide simdutf 1:18.14.2-1 - Rebase to 18.14.2 - Resolves: 2178087 - Resolves: CVE-2022-25881, CVE-2022-4904, CVE-2023-23936, CVE-2023-24807 - Resolves: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920...
Node.js: insecure loading of ICU data through ICU_DATA environment variable
An untrusted search path vulnerability exists in Node.js. 19.6.1, 18.14.1, 16.19.1, and 14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges...
nodejs-minimatch: ReDoS via the braceExpand function
A vulnerability was found in the nodejs-minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service...
CBL Mariner 2.0 Security Update: nodejs (CVE-2023-23918)
The version of nodejs installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-23918 advisory. - A privilege escalation vulnerability exists in Node.js 19.6.1, 18.14.1, 16.19.1 and 14.21.3 that made it...
Mageia: Security Advisory (MGASA-2023-0053)
The remote host is missing an update for the...
Mageia: Security Advisory (MGASA-2023-0035)
The remote host is missing an update for the...
CVE-2023-23936 affecting package nodejs for versions less than 16.19.1-1
CVE-2023-23936 affecting package nodejs for versions less than 16.19.1-1. An upgraded version of the package is available that resolves this issue...
CVE-2023-23918 affecting package nodejs for versions less than 16.19.1-1
CVE-2023-23918 affecting package nodejs for versions less than 16.19.1-1. An upgraded version of the package is available that resolves this issue...
CVE-2023-23920 affecting package nodejs for versions less than 16.19.1-1
CVE-2023-23920 affecting package nodejs for versions less than 16.19.1-1. This CVE either no longer is or was never applicable...
CVE-2023-24807 affecting package nodejs for versions less than 16.19.1-1
CVE-2023-24807 affecting package nodejs for versions less than 16.19.1-1. An upgraded version of the package is available that resolves this issue...
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
...
Important: nodejs
Issue Overview: This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. CVE-2022-25881 Affected Packages: nodejs Issue...
Important: nodejs
Issue Overview: An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied such as proxy, reverse-proxy, load-balancer, an attacker can use this...
Amazon Linux 2023 : nodejs, nodejs-devel, nodejs-full-i18n (ALAS2023-2023-084)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-084 advisory. An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations a...