338 matches found
Oracle Linux 8 : nodejs:14 (ELSA-2022-0350)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-0350 advisory. nodejs 1:14.18.2-2 - Add missing fixes - Resolves: RHBZ2027642, RHBZ2027635 1:14.18.2-1 - Resolves: RHBZ2027609 - Resolves: RHBZ2027649, RHBZ2027646,...
nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
A flaw was found in the npm package "tar" aka node-tar. Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an...
SUSE SLES12 Security Update : nodejs12 (SUSE-SU-2022:0101-1)
The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:0101-1 advisory. - The parser in accepts requests with a space SP right after the header name before the colon. This can lead to HTTP Request Smuggling HRS in...
A vulnerability in Node-tar, the Node.js module for processing tar archives, stems from shortcomings in pathname limitation, which allow attackers to compromise the integrity of data and cause service failures.
A vulnerability in Node-tar, the Node.js module for processing tar archives, is related to incorrect filtering of the '/' character sequence. Exploiting this vulnerability can allow an attacker to compromise data integrity and cause service failures...
A vulnerability in Node-tar, the Node.js module for processing tar archives, is related to shortcomings in pathname restrictions for directories. This allows attackers to compromise data integrity and cause service failures.
A vulnerability in Node-tar, the Node.js module for processing tar archives, is related to the possibility of bypassing the symbolic link checks for directories. Exploiting this vulnerability can allow an attacker to compromise data integrity and cause service failures...
openSUSE 15 Security Update : nodejs12 (openSUSE-SU-2021:1574-1)
The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1574-1 advisory. - The parser in accepts requests with a space SP right after the header name before the colon. This can lead to HTTP Request Smuggling HRS ...
openSUSE 15 Security Update : nodejs14 (openSUSE-SU-2021:3964-1)
The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:3964-1 advisory. - The parser in accepts requests with a space SP right after the header name before the colon. This can lead to HTTP Request Smuggling HRS ...
SUSE SLES15 Security Update : nodejs12 (SUSE-SU-2021:3940-1)
The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3940-1 advisory. - The parser in accepts requests with a space SP right after the header name before the colon. This can lead to HTTP Request Smuggling HRS in...
openSUSE 15 Security Update : nodejs12 (openSUSE-SU-2021:3940-1)
The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:3940-1 advisory. - The parser in accepts requests with a space SP right after the header name before the colon. This can lead to HTTP Request Smuggling HRS ...
SUSE SLES12 Security Update : nodejs14 (SUSE-SU-2021:3886-1)
The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3886-1 advisory. - The parser in accepts requests with a space SP right after the header name before the colon. This can lead to HTTP Request Smuggling HRS in...
Debian: Security Advisory (DSA-5008-1)
The remote host is missing an update for the Debian...
Debian DSA-5008-1 : node-tar - security update
The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-5008 advisory. It was discovered that the symlink extraction protections in node-tar, a Tar archives module for Node.js, could be bypassed, allowing a malicious Tar archive to...
[SECURITY] [DSA 5008-1] node-tar security update
Debian Security Advisory DSA-5008-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff November 11, 2021 https://www.debian.org/security/faq ...
DSA-5008-1 node-tar - security update
Bulletin has no description...
nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite
The npm package "tar" aka node-tar has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted...
nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
The npm package "tar" aka node-tar has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This i...
Oracle Linux 8 : nodejs:14 (ELSA-2021-3666)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-3666 advisory. - Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940, - CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672 - Resolves...
nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite
The npm package "tar" aka node-tar has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted...
ALPINE-CVE-2021-37713
The npm package "tar" aka node-tar before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, ...
DEBIAN-CVE-2021-37701
The npm package "tar" aka node-tar before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieve...