Security Bulletin: There are multiple vulnerabilities that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2022-0778, CVE-2021-38868, CVE-2021-29799, CVE-2021-29790, CVE-2021-29788)
Summary: IBM Engineering Requirements Quality Assistant On-Premises is affected by multiple vulnerabilities, including an OpenSSL flaw, cross-site scripting and cross-site request forgery (CVE-2022-0778, CVE-2021-38868, CVE-2021-29799, CVE-2021-29790, CVE-2021-29788), which allowed an attacker or an unauthenticated...
PT-2022-21160 · Node.js · Node.js
Name of the Vulnerable Software and Affected Versions: Node.js versions 18.x prior to 18.40.0 Description: A cryptographic issue exists in Node.js on Linux, where the default path for openssl.cnf might be accessible to a non-admin user under certain circumstances, instead of being located in...
Security fix for the ALT Linux 10 package node version 16.14.2-alt1
April 23, 2022 Vitaly Lipatov 16.14.2-alt1 - new version 16.14.2 with rpmrb script - set openssl = 1.1.1n - CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates High...
Security fix for the ALT Linux 10 package node version 16.13.2-alt1
March 18, 2022 Vitaly Lipatov 16.13.2-alt1 - new version 16.13.2 with rpmrb script - set npm = 8.3.1 - set libuv = 1.43.0 - CVE-2021-44531: Improper handling of URI Subject Alternative Names Medium - CVE-2021-44532: Certificate Verification Bypass via String Injection Medium - CVE-2021-44533:...
Security fix for the ALT Linux 10 package node version 14.17.5-alt1
14.17.5-alt1 built Aug. 17, 2021 Vitaly Lipatov in task 282492 Aug. 11, 2021 Vitaly Lipatov - new version 14.17.5 with rpmrb script - set c-ares = 1.17.2 - CVE-2021-3672, CVE-2021-22931: Improper handling of untypical characters in domain names - CVE-2021-22930: Use after free on close http2 on...
Security fix for the ALT Linux 9 package node version 14.17.2-alt1
14.17.2-alt1 built Aug. 3, 2021 Vitaly Lipatov in task 279921 July 1, 2021 Vitaly Lipatov - new version 14.17.2 with rpmrb script - CVE-2021-22918: Out of bounds read set libuv = 1.41.0-alt3...
Prototype Pollution in silentmatt/expr-eval
Description: With specific input, attackers can define properties on the prototype, which leads to prototype pollution. Requires Node version >= 12.0.0, which introduced Object.fromEntries. Proof of Concept (PoC.js, truncated in the listing): const Parser = require('expr-eval'); const o = /* payload elided in listing */; console.log("o.a=", o.a); // o.a=...
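The bug class behind this entry, shown as an added illustration that is not expr-eval's code and does not reproduce its (truncated) payload: a hypothetical scope evaluator that assigns through a dotted member path, first in the unsafe form that lets "__proto__" or "constructor.prototype" walk out of the scope object onto Object.prototype, then hardened. The names assignUnsafe, assignSafe, demoUnsafe and demoSafe are invented for this example.

```javascript
// Added illustration of the prototype-pollution class described in the
// expr-eval entry above. This is NOT expr-eval's code and does not reproduce
// its payload; it is a hypothetical "scope evaluator" that resolves a dotted
// member path against a scope object, as many expression evaluators do.

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe variant: plain property access at each step. Every ordinary object
// inherits `__proto__` and `constructor`, so a path such as
// "__proto__.polluted" or "constructor.prototype.polluted" leaves the scope
// object and writes onto Object.prototype, which every object then sees.
function assignUnsafe(scope, path, value) {
  const parts = path.split('.');
  let obj = scope;
  for (const key of parts.slice(0, -1)) {
    if (obj[key] === undefined) obj[key] = {};
    obj = obj[key];
  }
  obj[parts[parts.length - 1]] = value;
  return scope;
}

// Hardened variant: reject the three keys that reach the prototype chain, only
// descend into properties the current object actually owns, and create
// intermediate containers with a null prototype so they inherit nothing.
function assignSafe(scope, path, value) {
  const parts = path.split('.');
  for (const key of parts) {
    if (BLOCKED_KEYS.has(key)) throw new Error(`refusing to traverse key "${key}"`);
  }
  let obj = scope;
  for (const key of parts.slice(0, -1)) {
    const owned = Object.prototype.hasOwnProperty.call(obj, key);
    if (!owned || typeof obj[key] !== 'object' || obj[key] === null) {
      obj[key] = Object.create(null);
    }
    obj = obj[key];
  }
  obj[parts[parts.length - 1]] = value;
  return scope;
}

// Impact: after the unsafe assignment an unrelated empty object reports the
// attacker-chosen property. Returns the leaked value, then removes the
// pollution so the rest of the process is unaffected.
function demoUnsafe() {
  const scope = {};
  assignUnsafe(scope, '__proto__.polluted', 'yes');
  const unrelated = {};
  const leaked = unrelated.polluted;
  delete Object.prototype.polluted;
  return leaked;
}

// Fix: the same path is rejected and nothing reaches Object.prototype.
// Returns true when both conditions hold.
function demoSafe() {
  const scope = Object.create(null);
  let rejected = false;
  try {
    assignSafe(scope, '__proto__.polluted', 'yes');
  } catch (e) {
    rejected = e.message.startsWith('refusing');
  }
  return rejected && ({}).polluted === undefined;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe evaluator leaked:', demoUnsafe());
  console.log('hardened evaluator blocked:', demoSafe());
}
```

The denylist alone is not sufficient in general (other inherited accessors can exist on richer scope objects), which is why the hardened walk also refuses to descend into anything the current object does not own and builds new containers from Object.create(null).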
Security fix for the ALT Linux 9 package node version 14.15.4-alt1
Feb. 5, 2021 Vitaly Lipatov 14.15.4-alt1 - new version 14.15.4 with rpmrb script - CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference High - CVE-2020-8265: use-after-free in TLSWrap High - CVE-2020-8287: HTTP Request Smuggling in nodejs Low...
Security fix for the ALT Linux 10 package node version 14.15.4-alt1
Feb. 5, 2021 Vitaly Lipatov 14.15.4-alt1 - new version 14.15.4 with rpmrb script - CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference High - CVE-2020-8265: use-after-free in TLSWrap High - CVE-2020-8287: HTTP Request Smuggling in nodejs Low...
Security fix for the ALT Linux 9 package node version 14.15.1-alt1
14.15.1-alt1 built Nov. 26, 2020 Vitaly Lipatov in task 261957 Nov. 16, 2020 Vitaly Lipatov - new version 14.15.1 with rpmrb script - set c-ares = 1.16.1-alt2 - CVE-2020-8277: Denial of Service through DNS request High...
Security fix for the ALT Linux 10 package node version 14.15.1-alt1
Nov. 16, 2020 Vitaly Lipatov 14.15.1-alt1 - new version 14.15.1 with rpmrb script - set c-ares = 1.16.1-alt2 - CVE-2020-8277: Denial of Service through DNS request High...
Security fix for the ALT Linux 10 package node version 14.11.0-alt1
Sept. 16, 2020 Vitaly Lipatov 14.11.0-alt1 - new version 14.11.0 with rpmrb script - CVE-2020-8251: Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests Critical - CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion High...
GHSA-MVCH-RH6H-2M47 Malicious Package in equest
All versions of equest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process wa...
Malicious Package in reuest
All versions of reuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process wa...
Malicious Package in requst
All versions of requst typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process wa...
Malicious Package in saync
All versions of saync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was...
GHSA-HG5Q-RJ62-C43G Malicious Package in reqest
All versions of reqest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process wa...
Malicious Package in erquest
All versions of erquest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process w...
Malicious Package in rqeuest
All versions of rqeuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process w...
GHSA-PJ97-J597-PPM7 Malicious Package in rqeuest
All versions of rqeuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process w...