4134 matches found
CVE-2020-15168
CVE-2020-15168 affects node-fetch: the size option is not honored after a redirect, so a response larger than the configured limit is accepted silently and, unless the caller enforces its own size check after the fetch, can be used for denial of service. Affects node-fetch 2.x before 2.6.1 and 3.0.0 betas before 3.0.0-beta.9; upgrade to 2.6.1 or 3.0.0-beta.9 (or later) to remediate. The c...
Denial of Service
Overview: Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are...
20190403-utils (=1.0.0), 3nit-utils (>=0.24.0 <=1.0.2) +4759 more potentially affected by CVE-2020-15168 via node-fetch (>=2.0.0 <=2.6.0)
node-fetch NPM version =2.0.0, =0.24.0, =0.0.0-alpha.1, =1.0.43, =0.0.80, =1.0.0-beta.1, =0.0.0-canary.0, =0.0.1, =2.0.0, =1.0.0, =0.1.0, =2.0.0, =2.0.3 and more Source cves: CVE-2020-15168 Source advisory: OSV:GHSA-W7RC-RWVF-8Q5R...
@ctx-core/auth0 (>=25.0.2 <=28.0.23), @ctx-core/auth0-lock (>=12.0.2 <=13.0.9) +55 more potentially affected by CVE-2020-15168 via node-fetch (>=3.0.0-beta.10 <=3.0.0-beta.8)
node-fetch NPM version =3.0.0-beta.10, =25.0.2, =12.0.2, =6.0.2, =1.0.1, =10.0.2, =11.0.2, =9.0.2, =1.0.0, =11.0.16, =0.0.1, =7.0.0, =5.0.0, =6.0.0, =8.0.2, =0.0.1, =0.0.6 and more Source cves: CVE-2020-15168 Source advisory: OSV:GHSA-W7RC-RWVF-8Q5R...
The `size` option isn't honored after following a redirect in node-fetch
Impact: Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relyin...
GHSA-W7RC-RWVF-8Q5R The `size` option isn't honored after following a redirect in node-fetch
Impact: Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relyin...
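The node-fetch entries above come down to one caller-side rule: count the bytes of the body you actually receive, whatever the client's `size` option claims and however many redirects were followed. The following is an added example written for this listing, not node-fetch's own code; the names BodyTooLargeError, checkContentLength, collectBounded and readBodyBounded are this example's own, and the body chunks are constructed.

```javascript
// Added example; not node-fetch code. Enforce a byte cap on a response body
// independently of the HTTP client, so a redirect that bypasses the client's
// own `size` check still cannot make the process buffer an unbounded body.

class BodyTooLargeError extends Error {
  constructor(limit, seen) {
    super(`response body exceeded ${limit} bytes (saw at least ${seen})`);
    this.name = 'BodyTooLargeError';
    this.limit = limit;
    this.seen = seen;
  }
}

// Early reject on a declared Content-Length over the cap. A missing, bogus or
// post-redirect header returns null ("unknown"), so the read must still count.
function checkContentLength(headers, limit) {
  const raw = headers['content-length'];
  if (raw === undefined) return null;
  const declared = Number(raw);
  if (!Number.isInteger(declared) || declared < 0) return null;
  if (declared > limit) throw new BodyTooLargeError(limit, declared);
  return declared;
}

// Synchronous core over any iterable of chunks: abort as soon as the running
// total passes the limit, before the rest of the body is buffered.
function collectBounded(chunks, limit) {
  const parts = [];
  let seen = 0;
  for (const chunk of chunks) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    seen += buf.length;
    if (seen > limit) throw new BodyTooLargeError(limit, seen);
    parts.push(buf);
  }
  return Buffer.concat(parts, seen);
}

// Same accounting for a real body stream (node-fetch's res.body, or any async
// iterable of Buffers). Throwing out of `for await` on a Node Readable also
// destroys the stream, so the socket is released instead of draining the rest.
async function readBodyBounded(body, limit) {
  const parts = [];
  let seen = 0;
  for await (const chunk of body) {
    seen += chunk.length;
    if (seen > limit) throw new BodyTooLargeError(limit, seen);
    parts.push(chunk);
  }
  return Buffer.concat(parts, seen);
}

// Constructed stand-in for a response body: three 4-byte chunks, 12 bytes total.
async function* fakeBody() {
  for (const s of ['abcd', 'efgh', 'ijkl']) yield Buffer.from(s);
}

async function demo() {
  const ok = await readBodyBounded(fakeBody(), 16);
  console.log('within cap:', ok.toString());
  try {
    await readBodyBounded(fakeBody(), 10);
  } catch (err) {
    console.log('rejected:', err.name, err.message);
  }
}
demo();
```

Use checkContentLength only as a cheap early exit; the read loop is the actual control, because the header can be absent, wrong, or belong to a different resource after a redirect.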
oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c
An out-of-bounds read vulnerability was found in Oniguruma in the way it handled regular expression quantifiers. A remote attacker could abuse this flaw by providing a malformed regular expression that, when processed by an application linked to Oniguruma, could possibly crash the application,...
Mozilla: Use-After-Free when aborting an operation
When aborting an operation, such as a fetch, an abort signal may be deleted while alerting the objects to be notified. This results in a use-after-free and we presume that with enough effort it could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR 68.12 and...
Important: Red Hat Security Advisory: bind security update
An update for bind is now available for Red Hat Enterprise Linux 6.6 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for ea...
bind: BIND does not sufficiently limit the number of fetches performed when processing referrals
A flaw was found in BIND, where it does not sufficiently limit the number of fetches that can be performed while processing a referral response. This flaw allows an attacker to cause a denial of service. The attacker can also exploit this behavior to use the recursing server as a reflector...
chromium-browser: Heap buffer overflow in background fetch
Heap buffer overflow in background fetch in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page...
PT-2020-14785 · Ripe Ncc · Ripe Ncc Rpki Validator
Name of the Vulnerable Software and Affected Versions: RIPE NCC RPKI Validator versions 3.x before 3.1-2020.07.06.14.28. Description: An issue was discovered in the RIPE NCC RPKI Validator where RRDP fetches proceed even when the TLS certificate of the HTTPS endpoint has not been validated. This allows remote attacke...
DEBIAN-CVE-2020-6510
Heap buffer overflow in background fetch in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page...
UBUNTU-CVE-2020-6510
Heap buffer overflow in background fetch in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page...
CVE-2020-6510
Heap buffer overflow in background fetch in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page...
Information Disclosure
npm-registry-fetch is vulnerable to information disclosure: it does not mask sensitive information that may be logged through a malicious URL of the form <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/<path>]...
Sensitive Data Exposure
Overview: Affected versions of npm-registry-fetch are vulnerable to an information exposure vulnerability through log files. The package supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/<path>]. The password value is not redacted and is printed to stdout and also to any generated log files. Recommendation: Upgrade to version...
Sensitive information exposure through logs in npm-registry-fetch
Affected versions of npm-registry-fetch are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/<path>]. The password value is not redacted and is printed to stdout and also to any generated log files...
GHSA-JMQM-F2GX-4FJV Sensitive information exposure through logs in npm-registry-fetch
Affected versions of npm-registry-fetch are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/<path>]. The password value is not redacted and is printed to stdout and also to any generated log files...
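The npm-registry-fetch entries above describe a registry URL carrying `user:password@` that is echoed unredacted to stdout and log files. The following is an added example for this listing, not the package's own code: it redacts the password structurally with the WHATWG URL parser and applies that at the log sink, so call sites that interpolate a URL by accident are covered too. redactUrl, redactLogLine and safeLog are this example's own names, and the sample log line is constructed.

```javascript
// Added example; not npm-registry-fetch code. Strip the password from URLs of
// the form <protocol>://[<user>[:<password>]@]<hostname>[:<port>][/<path>]
// before they reach stdout or a log file.

const REDACTED = '***';

// Redact the password of one URL. The URL parser locates the credential
// structurally instead of guessing at delimiters; a narrow regex fallback
// handles strings the parser rejects, so a malformed URL cannot leak either.
function redactUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return String(input).replace(/(\/\/[^/@:]*):[^/@]*@/, `$1:${REDACTED}@`);
  }
  if (url.password !== '') url.password = REDACTED;
  return url.href;
}

// Redact every URL-looking token in a free-form log line.
const URL_TOKEN = /[a-z][a-z0-9+.-]*:\/\/\S+/gi;
function redactLogLine(line) {
  return line.replace(URL_TOKEN, (token) => redactUrl(token));
}

// Minimal logger that always passes output through redactLogLine.
function safeLog(line) {
  const clean = redactLogLine(line);
  console.log(clean);
  return clean;
}

// Constructed sample: a failed fetch whose message embeds the registry URL.
safeLog('GET https://alice:s3cret@registry.example.com:4873/-/whoami -> 503');
```

URLs without a password (no credentials, or a bare token username) pass through unchanged, so the redaction does not hide which registry a request went to, only the secret.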
CVE-2020-5909
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in the NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified...