nodejs: HTTP request smuggling via two copies of a header field in an http request

A flaw was found in nodejs. Affected versions of Node.js allow two copies of a header field in an HTTP request. The first header field is recognized while the second is ignored leading to HTTP request smuggling. The highest threat from this vulnerability is to data confidentiality and integrity...

nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS

This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters...

nodejs: use-after-free in the TLS implementation

A flaw was found in nodejs. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResu...

ALPINE-CVE-2020-8265

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method...

Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise (CVE-2019-1551)

Summary Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise . The DataDirect ODBC Drivers and level of node js used by IBM App Connect Enterprise and IBM Integration Bus have addressed the applicable CVEs Vulnerability Details CVEID: CVE-2019-1551 DESCRIPTION:...

AZL-32281 CVE-2020-8277 affecting package python-gevent for versions less than 21.1.2-3

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions 15.2.1, 14.15.1, and 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and...

UBUNTU-CVE-2020-8252

The implementation of realpath in libuv 10.22.1, 12.18.4, and 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes...

Command Injection in kylefarris/clamscan

Overview clamscan is a Use Node JS to scan files on your server with ClamAV's clamscan binary or clamdscan daemon. This is especially useful for scanning uploaded files provided by un-trusted sources. This package are vulnerable to Command Injection, itt is possible to inject arbitrary commands a...

The vulnerability in the implementation of the TLS protocol on the Node.js software platform allows a attacker to execute a type of “man-in-the-middle” attack.

The vulnerability of the Node.js software platform’s TLS protocol lies in the shortcomings of certificate authenticity verification. Exploiting this vulnerability allows a malicious actor to execute a type of “man-in-the-middle” attack...

ALPINE-CVE-2020-8174

napigetvaluestring allows various kinds of memory corruption in node 10.21.0, 12.18.0, and 14.4.0...

nodejs: HTTP request smuggling using malformed Transfer-Encoding header

A flaw was found in the Node.js code where a specially crafted HTTPs request sent to a Node.js server failed to properly process the HTTPs headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is...

nodejs: HTTP request smuggling using malformed Transfer-Encoding header

A flaw was found in the Node.js code where a specially crafted HTTPs request sent to a Node.js server failed to properly process the HTTPs headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is...

nodejs: HTTP header values do not have trailing optional whitespace trimmed

A flaw was found in Node.js where the HTTPs header values were not stripped of trailing whitespace. An attacker can use this flaw to send an HTTPs request which is validated by an upstream proxy server, but not by the Node.js HTTPs server...

UBUNTU-CVE-2013-7381

libnotify before 1.0.4 for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in a call to libnotify.notify...

The vulnerability relates to the implementation of the HTTP/2 network protocol on Windows operating systems, Apache Traffic Server web servers, H2O web servers, network programming tools such as netty, SwiftNIO, Envoy, and the Node.js software platform. This allows attackers to induce service failures.

The vulnerability of the HTTP/2 network protocol implementation in Windows operating systems, Apache Traffic Server web servers, H2O web servers, network programming tools such as netty, SwiftNIO, Envoy, and Node.js software platforms is related to an uncontrolled resource consumption. Exploiting...

The vulnerability relates to the implementation of the HTTP/2 network protocol on Windows operating systems, nginx servers, network programming tools like netty, Envoy, SwiftNIO, and Node.js software platforms. This allows attackers to induce service failures.

The vulnerability of the HTTP/2 network protocol implementation in Windows operating systems, nginx servers, network programming tools like Netty, Envoy, SwiftNIO, and Node.js software platforms is related to an uncontrolled resource consumption. Exploiting this vulnerability can allow a maliciou...

DEBIAN-CVE-2019-14939

An issue was discovered in the mysql aka mysqljs module 2.17.1 for Node.js. The LOAD DATA LOCAL INFILE option is open by default...

PT-2019-3015

Name of the Vulnerable Software and Affected Versions HTTP/2 implementations affected versions not specified nginx affected versions not specified Node.js affected versions not specified Apache HTTP Server affected versions not specified Windows affected versions not specified Description The iss...

Jenkins 2.150.2 Remote Command Execution Via Node JS

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'Jenkins %q This module can run commands on the system using Jenkins users who has JOB creation and BUILD privileges. The...

Jenkins 2.150.2 - Remote Command Execution (Metasploit)

Jenkins 2.150.2 - Remote Command Execution Metasploit This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'Jenkins %q This module can run commands on the system using Jenkins user...