RHEL 8 : nodejs:10 (RHSA-2021:0735)
The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0735 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...
DEBIAN-CVE-2021-22883
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unabl...
DEBIAN-CVE-2021-22884
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DN...
CVE-2021-27516
A flaw was found in nodejs-urijs where URI.js (urijs) mishandles certain uses of the backslash, such as http:\/, and interprets the URI as a relative path. The highest threat from this vulnerability is to confidentiality...
@3kmfi6hp/nodejs-proxy (>=1.0.0 <=1.0.4), @aarhus-university/au-designsystem-delphinus (>=1.0.0 <=1.2.0) +342 more potentially affected by CVE-2021-21353 via pug-code-gen (>=0.0.0 <=1.1.1)
pug-code-gen NPM version =0.0.0, =1.0.0, =1.0.0, =1.0.0, =2.0.0, =0.2.0, =0.0.1, =0.0.2, =0.8.10, =0.0.9, =1.0.0, =2.1.1-alpha.1 and more Source cves: CVE-2021-21353 Source advisory: OSV:GHSA-P493-635Q-R6GR...
SUSE-SU-2021:0673-1 Security update for nodejs10
This update for nodejs10 fixes the following issues: New upstream LTS version 10.24.0: - CVE-2021-22883: HTTP2 'unknownProtocol' causes Denial of Service by resource exhaustion (bsc#1182619) - CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620) - CVE-2021-23840: OpenSSL - Integer overflow in...
OPENSUSE-SU-2021:0357-1 Security update for nodejs12
This update for nodejs12 fixes the following issues: New upstream LTS version 12.21.0: - CVE-2021-22883: HTTP2 'unknownProtocol' causes Denial of Service by resource exhaustion (bsc#1182619) - CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620) - CVE-2021-23840: OpenSSL - Integer overflow in...
CVE-2021-21298 Path traversal in Node-Red
Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with projects.read permission is able to access any file via t...
CVE-2021-21298
CVE-2021-21298 affects Node-RED up to v1.2.7 with a path traversal vulnerability via the Projects API. When the Projects feature is enabled, a user with projects.read can access arbitrary files through the Projects API. The issue has been fixed in Node-RED v1.2.8. The vulnerability applies only t...
CVE-2021-21297
CVE-2021-21297 affects Node-RED 1.2.7 and earlier, with a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object, potentially altering Node-RED runtime behavior. The issue is fixed in version 1.2.8; a practical...
CVE-2021-21297 Prototype Pollution in Node-Red
Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default...
SUSE-SU-2021:0650-1 Security update for nodejs14
This update for nodejs14 fixes the following issues: New upstream LTS version 14.16.0: - CVE-2021-22883: HTTP2 'unknownProtocol' causes Denial of Service by resource exhaustion (bsc#1182619) - CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620)...
Debian: Security Advisory (DSA-4863-1)
The remote host is missing an update for the Debian...
GHSA-7M7Q-Q53V-J47V Regular Expression Denial of Service
A flaw was found in nodejs-marked versions from 0.5.0 to before 0.6.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Input to the host variable is vulnerable when input contains parentheses in link URIs, coupled with a high number of link tokens i...
DNS Rebinding
nodejs is vulnerable to DNS rebinding attacks. The vulnerability exists in the inspector component and allows an attacker to bypass the DNS rebinding protection if that attacker controls the victim's DNS server or can spoof its responses...
Denial Of Service (DoS)
nodejs is vulnerable to denial of service (DoS) attacks. A remote attacker could cause memory exhaustion via too many connection attempts with an 'unknownProtocol', leading to system unavailability...
Moderate: Red Hat Security Advisory: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update
Red Hat OpenShift Container Platform release 4.7.0 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the...
DSA-4863-1 nodejs - security update
Bulletin has no description...