4403 matches found
AZL-41581 CVE-2021-22918 affecting package pytorch for versions less than 2.2.2-4
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uvidnatoascii is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to...
DEBIAN-CVE-2021-22918
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uvidnatoascii is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to...
[SECURITY] Fedora 34 Update: nodejs-svgo-2.3.1-1.fc34
SVG Optimizer is a Nodejs-based tool for optimizing SVG vector graphics files. Why? SVG files, especially those exported from various editors, usually contain a lot of redundant and useless information. This can include editor metadata, comments, hidden elements, default or non-optimal values and...
Fedora: Security Advisory for nodejs-svgo (FEDORA-2021-3f62e7d125)
The remote host is missing an update for the SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Nodejs 安全漏洞
nodejs is a JavaScript runtime environment based on the ChromeV8 engine that makes it possible to develop high-performance backend applications in Javascript by encapsulating the Chromev8 engine and using event-driven and non-blocking IO applications. A security vulnerability exists in Nodejs on...
Moderate: Red Hat Security Advisory: Red Hat OpenShift Enterprise security and bug fix update
Red Hat OpenShift Container Platform release 4.6.36 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which...
Unspecified vulnerability in calipso
Calipso is a simple NodeJS content management system. Built on themes similar to Drupal and Wordpress, it is designed to be fast, flexible and simple. calipso has a security vulnerability that can be exploited by an attacker to overwrite files on any file system...
SUSE: Security Advisory (SUSE-SU-2019:0627-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
@ayk/registry (=1.0.0), @cag-group/google-api-tools (=0.3.1) +339 more potentially affected by CVE-2021-25945 via js-extend (>=0.0.1 <=1.0.1)
js-extend NPM version =0.0.1, =0.6.2, =2.1.12, =1.0.2, =3.4.1, =17.0.0, =1.0.0, =0.0.0, =1.0.0, =0.0.1, =1.0.0, =1.0.2 and more Source cves: CVE-2021-25945 Source advisory: OSV:GHSA-MH82-55CM-6GFH...
Node.js: All versions prior to Node.js 6.15.0 8.14.0 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname they may be incorrect.
...
Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron") 8.x (LTS "Carbon") and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.
...
AZL-44118 CVE-2020-28469 affecting package nodejs-nodemon 2.0.3-5
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator...
nodejs-lodash: command injection via template
A flaw was found in nodejs-lodash. A command injection flaw is possible through template variables...
ReDoS in Sec-Websocket-Protocol header
Impact A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. Proof of concept js for const length of 1000, 2000, 4000, 8000, 16000, 32000 const value = 'b' + ' '.repeatlength + 'x'; const start = process.hrtime.bigint; value.trim.split/...
CVE-2021-32640
A flaw was found in nodejs-ws. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. Mitigation In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the...
CommScope Ruckus IoT Controller 1.7.1.0 Web Application Arbitrary Read/Write
KL-001-2021-006: CommScope Ruckus IoT Controller Web Application Arbitrary Read/Write Title: CommScope Ruckus IoT Controller Web Application Arbitrary Read/Write Advisory ID: KL-001-2021-006 Publication Date: 2021.05.26 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2021-006.t...
Fedora: Security Advisory for python-fastapi (FEDORA-2021-e7fabd81fb)
The remote host is missing an update for the Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
CommScope Ruckus IoT Controller Web Application Arbitrary Read/Write
Vulnerability Details Affected Vendor: CommScope Affected Product: Ruckus IoT Controller Affected Version: 1.7.1.0 and earlier Platform: Linux CWE Classification: CWE-250: Execution with Unnecessary Privileges CVE ID: CVE-2021-33217 2. Vulnerability Description The IoT Controller web application...
CVE-2021-23386
Remote memory exposure vulnerability was found in nodejs dns-packet library. The buffers created with allocUnsafe are not always filled before forming the network packets and an attacker can use this vulnerability to potentially get access to internal application memory over non encrypted network...
DEBIAN-CVE-2021-33502
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS regular expression denial of service issue because it has exponential performance for data: URLs...