The vulnerability of the Node.js module and the control tools of App Connect Enterprise Certified Container allows a hacker to compromise protected information.

The vulnerability of the Node.js module related to the App Connect Enterprise Certified Container management tool is linked to errors in the certificate validation process. Exploiting this vulnerability could allow an attacker to compromise protected information...

PT-2022-3606 · Node.Js +8 · Node.Js +8

Name of the Vulnerable Software and Affected Versions: Node.js versions prior to 14.20.1 Node.js versions prior to 16.17.1 Node.js versions prior to 18.9.1 Description: The issue is related to the llhttp parser in the http module in Node.js, which does not strictly use the CRLF sequence to delimi...

nodejs: Improper handling of URI Subject Alternative Names

A flaw was found in node.js where it accepted a certificate's Subject Alternative Names SAN entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host...

nodejs-json-schema: Prototype pollution vulnerability

The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code...

nodejs: Incorrect handling of certificate subject and issuer fields

A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries...

nodejs-json-schema: Prototype pollution vulnerability

The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code...

GHSA-GWP3-F7MR-QPFV OS Command Injection in s3-uploader

OS command injection vulnerability in Turistforeningen node-s3-uploader through 2.0.3 for Node.js allows attackers to execute arbitrary commands via the metadata function...

ssl-utils 操作系统命令注入漏洞

ssl-utils is a wrapper for some OpenSSL commands around Node.js. A security vulnerability exists in ssl-utils version 1.0.0, which can be exploited by an attacker to execute arbitrary commands...

s3-uploader 操作系统命令注入漏洞

s3-uploader is flexible and efficient for image resizing, renaming and uploading to Amazon S3 disk storage. A security vulnerability in Turistforeningen node-s3-uploader 2.0.3 and earlier stems from a Node.js package insecurely passing data to the metadata function, which ultimately connects to a...

Session Fixation

Overview passport is a Simple, unobtrusive authentication for Node.js. Affected versions of this package are vulnerable to Session Fixation. When a user logs in or logs out, the session is regenerated instead of being closed. Remediation Upgrade passport to version 0.6.0 or higher. References -...

dicer 安全漏洞

dicer is a very fast streaming multipart parser for mscdex individual developers. A security vulnerability exists in dicer. A malicious attacker can send modified forms to the server and crash the nodejs service. An attacker can send the payload over and over again, thus crashing the service over...

bignum 安全漏洞

bignum is an arbitrary precision integral algorithm for Node.js using OpenSSL by Stefan Thomas, a personal developer. A security vulnerability exists in bignum that stems from vulnerability to denial of service DoS attacks...

Vulnerabilities fixed in IBM Cognos Analytics

Several vulnerabilities have been fixed in IBM Cognos Analytics. Most of the vulnerabilities are in third-party software components third-party software components included with IBM Cognos, including OpenSSL and Node.js. The vulnerabilities allow a malicious party to execute attacks that result i...

Accepting arbitrary Subject Alternative Name (SAN) types unless a PKI is specifically defined to use a particular SAN type can result in bypassing name-constrained intermediates. Node.js < 12.22.9 < 14.18.3 < 16.13.2 and < 17.3.1 was accepting URI SAN types which PKIs are often not defined to use. Additionally when a protocol allows URI SANs Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.

...

UBUNTU-CVE-2022-21824

Due to the formatting logic of the "console.table" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "proto". The prototype pollution has...

SUSE-SU-2022:0563-1 Security update for nodejs8

This update for nodejs8 fixes the following issues: - CVE-2021-23343: Fixed ReDoS via splitDeviceRe, splitTailRe and splitPathRe bsc1192153. - CVE-2021-32803: Fixed insufficient symlink protection in node-tar allowing arbitrary file creation and overwrite bsc1191963. - CVE-2021-32804: Fixed...

llhttp: HTTP Request Smuggling due to spaces in headers

An HTTP Request Smuggling HRS vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied such as proxy, reverse-proxy, load-balancer, an attacker can use this flaw to inject...

nodejs-json-schema: Prototype pollution vulnerability

The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code...

GHSA-X55W-VJJP-222R inflect vulnerable to Inefficient Regular Expression Complexity

inflect is customizable inflections for nodejs. inflect is vulnerable to Inefficient Regular Expression Complexity...

nodejs: Use-after-free on close http2 on stream canceling

A flaw was found in Node.js, where it is vulnerable to a use-after-free attack. This flaw allows an attacker to exploit memory corruption to change process behavior. The highest threat from this vulnerability is to confidentiality and integrity...