63pokupki-nodejs-common (=0.0.2), @63pokupki/nodejs-common (>=0.0.2 <=0.0.85) +1209 more potentially affected by CVE-2019-10757 via knex (>=0.10.0 <=0.19.4)

knex NPM version =0.10.0, =0.0.2, =1.0.10, =0.0.1, =4.0.0, =0.0.1, =0.1.0, =0.0.1, =0.2.0, =0.1.0, =0.1.1, =0.5.0 and more Source cves: CVE-2019-10757 Source advisory: OSV:GHSA-58V4-QWX5-7F59...

Node.js third-party modules: [git-lib] RCE via insecure command formatting

I would like to report a RCE issue in the git-lib module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: git-lib version: 1.6.0 npm page: https://www.npmjs.com/package/git-lib Module Description A library that contains different methods to be consumed ...

Moderate: Red Hat Security Advisory: ovirt-web-ui security and bug fix update

An update for ovirt-web-ui is now available for Red Hat Virtualization Engine 4.3. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

Oracle Linux 8 : nodejs:10 (ELSA-2019-2925)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-2925 advisory. nodejs-packaging 17-3 - Change Requires to Recommends on nodejs dependency, so it is usable for building nodejs Tenable has extracted the preceding...

nodejs: Hostname spoofing in URL parser for javascript protocol

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" e.g. "javAscript:" protoc...

Denial Of Service (DoS)

nodejs is vulnerable to denial of service. An attacker is able to crash the application by requesting for large response, which causes the server to consume excessive memoty that leads to a denial of service condition...

Denial Of Service (DoS)

nodejs is vulnerable to denial of service. A remote attacker is able to crash the application by flooding the server with empty frames which results in excessive resource consumption...

RHEL 8 : nodejs:10 (RHSA-2019:2925)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:2925 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...

nodejs: Insufficient Slowloris fix causing DoS via server.headersTimeout bypass

It was found that the original fix for Slowloris, CVE-2018-12122, was insufficient. It is possible to bypass the server's headersTimeout by sending two specially crafted HTTP requests in the same connection. An attacker could use this flaw to bypass Slowloris protection, resulting in a denial of...

Divergent: "Fileless" NodeJS Malware Burrows Deep Within the Host

Update 09/27/2019: Additional information regarding the malware interaction with various online advertisements has been included to highlight the click-fraud related network communications associated with Divergent. Executive summary Cisco Talos recently discovered a new malware loader being used...

nodejs:10 security update

nodejs-packaging 17-3 - Change Requires to Recommends on nodejs dependency, so it is usable for building nodejs...

Node.js third-party modules: [treekill] RCE via insecure command concatenation (only Windows)

I would like to report a RCE issue in the treekill module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: treekill version: 1.0.0 npm page: https://www.npmjs.com/package/treekill Module Description treekill process and it's all children and child...

MGASA-2019-0277 Updated nodejs packages fix security vulnerabilities

This update provides nodejs v6.17.1 fixing at least the following security issues: The c-ares function aresparsenaptrreply, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer CVE-2017-1000381 Fix for 'path' module regular expression deni...

Updated nodejs packages fix security vulnerabilities

This update provides nodejs v6.17.1 fixing at least the following security issues: The c-ares function aresparsenaptrreply, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer CVE-2017-1000381 Fix for 'path' module regular expression deni...

Node.js third-party modules: [expressjs-ip-control] Whitelist IP bypass leads to authorization bypass and sensitive info disclosure

I would like to report a unauthenticated access/authorization bypass issue in the expressjs-ip-control module. It allows to bypass the whitelist IP check in order to bypass the authorization check and possibly expose sensitive datas. Module module name: MODULE NAME version: MODULE VERSION npm pag...

OPENSUSE-SU-2019:2114-1 Security update for nodejs10

This update for nodejs10 to version 10.16.3 fixes the following issues: Security issues fixed: - CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service bsc1146091. -...

CVE-2019-6644

Similar to the issue identified in CVE-2018-12120, on versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, and 12.1.0-12.1.4 BIG-IP will bind a debug nodejs process to all interfaces when invoked. This may expose the process to unauthorized users if the plugin is left in debug mode and the...

CVE-2019-6644

Similar to the issue identified in CVE-2018-12120, on versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, and 12.1.0-12.1.4 BIG-IP will bind a debug nodejs process to all interfaces when invoked. This may expose the process to unauthorized users if the plugin is left in debug mode and the...

CVE-2019-6644

Similar to the issue identified in CVE-2018-12120, on versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, and 12.1.0-12.1.4 BIG-IP will bind a debug nodejs process to all interfaces when invoked. This may expose the process to unauthorized users if the plugin is left in debug mode and the...

CVE-2019-6644

CVE-2019-6644 describes a vulnerability in F5 BIG-IP iRulesLX: when configured with a workspace that includes the --debug flag, the system binds a debug NodeJS process to all interfaces. This can expose the debug port to unauthorized users and allow remote JavaScript execution. Affected versions ...