OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI, 8286910)

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: JNDI. Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit...

OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI, 8286910)

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: JNDI. Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit...

OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI, 8286910)

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: JNDI. Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit...

Oracle Linux 8 : nodejs:16 (ELSA-2022-6964)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-6964 advisory. - Resolves: CVE-2022-35255 CVE-2022-35256 Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note...

Node.js 安全特征问题漏洞

Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js that stems from weak randomness in the WebCrypto keygen...

nodejs: weak randomness in WebCrypto keygen

A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. Node.js made calls to EntropySource in SecretKeyGenTraits::DoKeyGen. However, it does not check the return value and assumes the EntropySource...

RLSA-2022:6964 Important: nodejs:16 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs 16. Security Fixes: nodejs: weak randomness in WebCrypto keygen CVE-2022-35255 nodej...

nodejs security update

An update is available for nodejs. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Node.js is a software development platform for building fast and scalable...

RLSA-2022:6963 Important: nodejs security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs 16.17.1. Security Fixes: nodejs: weak randomness in WebCrypto keygen CVE-2022-35255...

Oracle Linux 9 : nodejs (ELSA-2022-6963)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-6963 advisory. 16.17.1-1 - Rebase to version 16.17.1 Resolves: CVE-2022-35255 CVE-2022-35256 Tenable has extracted the preceding description block directly from the...

RHEL 8 : nodejs:16 (RHSA-2022:6964)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6964 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...

SUSE SLES12 Security Update : nodejs16 (SUSE-SU-2022:3524-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3524-1 advisory. - The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly parse and validate...

computeAddress does not follow the standard procedure to compute the address. The contract can not create pool for some pairs due to hash collision

Lines of code Vulnerability details Impact Poor source of randomness, an attacker can easily decipher the computed address. The contract can be easily tricked. This can cause hash collision, due to this, for some pairs, the contract can not create pool. Proof of Concept AlgebraFactory.solL123 : T...

Security fix for the ALT Linux 10 package node version 16.17.1-alt1

Sept. 30, 2022 Vitaly Lipatov 16.17.1-alt1 - new version 16.17.1 with rpmrb script - set npm = 8.15.0 - CVE-2022-32212: DNS rebinding in --inspect on macOS High - CVE-2022-32213: bypass via obs-fold mechanic Medium - CVE-2022-35255: Weak randomness in WebCrypto keygen - CVE-2022-35256: HTTP Reque...

CVE-2022-35255

A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. Node.js made calls to EntropySource in SecretKeyGenTraits::DoKeyGen. However, it does not check the return value and assumes the EntropySource...

Authorization

An authorization bypass in b2evolution allows remote, unauthenticated attackers to predict password reset tokens for any user through the use of a bad randomness function. This allows the attacker to get valid sessions for arbitrary users, and optionally reset their password. Tested and confirmed...

CVE-2022-30935

An authorization bypass in b2evolution allows remote, unauthenticated attackers to predict password reset tokens for any user through the use of a bad randomness function. This allows the attacker to get valid sessions for arbitrary users, and optionally reset their password. Tested and confirmed...

PT-2022-20394 · Unknown · B2Evolution

Name of the Vulnerable Software and Affected Versions: b2evolution versions prior to 7.2.3 Description: An authorization bypass in b2evolution allows remote, unauthenticated attackers to predict password reset tokens for any user through the use of a bad randomness function. This allows the...

upgradeRandProvider could be bricked if still waiting for seed

Lines of code Vulnerability details Impact The updgradeRandProvider function exists in case the chainlink randomness provider is phased out in the long term future. It is impossible to upgrade the randomness provider while the contract is still waiting for a seed. This is a reasonable thing to...

USN-5639-1 linux-azure-fde vulnerabilities

It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of- bounds write. A local attacker could use this to cause a denial of service system crash or possibly execute arbitrary code. CVE-2021-33655 Moshe Ko...