SUSE SLES15 / openSUSE 15 Security Update : nodejs20 (SUSE-SU-2024:4286-1)
The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:4286-1 advisory. - CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856). Other fixes: - Updated to...
SUSE SLES15 / openSUSE 15 Security Update : nodejs20 (SUSE-SU-2024:4300-1)
The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:4300-1 advisory. - CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856). Other fixes: - Updated to...
SUSE-SU-2024:4286-1 Security update for nodejs20
This update for nodejs20 fixes the following issues: - CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856). Other fixes: - Updated to 20.18.1: Experimental Network Inspection Support in Node.js; Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext; New...
Amazon Linux 2022 : nodejs, nodejs-devel, nodejs-full-i18n (ALAS2022-2022-013)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-013 advisory. An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations a...
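The llhttp entry above describes the smuggling primitive only in one sentence: a field-name containing whitespace is not a valid token, and a parser that silently accepts it will frame a request differently from a parser that rejects it. The following is an added example, constructed for this page and not llhttp's own code, that contrasts a lax and a strict header parser on the same constructed header block; the header block and the parser names are illustrative.

```javascript
// Added example, constructed rather than taken from llhttp: two header
// parsers that disagree about the same bytes. RFC 7230 defines
// field-name = token, so whitespace before the colon is invalid; a parser
// that trims it away honours a header that another hop rejects or ignores,
// and that disagreement is what request smuggling exploits.

// RFC 7230 tchar set; a valid field-name is one or more of these characters.
const TCHAR = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Parses a CRLF-separated header block into { lowercasedName: value }.
// Returns null when the block is malformed. In strict mode a field-name
// that is not a token (for example "Content-Length ") rejects the request;
// in lax mode the surrounding whitespace is trimmed and the header accepted.
function parseHeaders(block, strict) {
  const headers = {};
  for (const line of block.split('\r\n')) {
    if (line === '') continue;                 // blank line ends the block
    const i = line.indexOf(':');
    if (i < 1) return null;                    // no colon, or empty name
    const rawName = line.slice(0, i);
    if (strict && !TCHAR.test(rawName)) return null;
    headers[rawName.trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Constructed request headers carrying a space before the colon.
const SMUGGLED = 'Host: example.test\r\nContent-Length : 11\r\n';

// Body length each parser would frame the request with: the lax parser
// honours the malformed header, the strict parser refuses the request.
function contentLengthSeenBy(strict) {
  const h = parseHeaders(SMUGGLED, strict);
  return h === null ? null : Number(h['content-length']);
}

console.log('lax parser frames body as', contentLengthSeenBy(false)); // 11
console.log('strict parser result     ', contentLengthSeenBy(true));  // null
```

When a front-end proxy and the Node.js back end sit in different rows of this table, the bytes after the first request's nominal body are interpreted as the start of a second request by one hop and as body by the other; the fix is to reject, never repair, a non-token field-name at every hop.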
Amazon Linux 2022 : nodejs, nodejs-devel, nodejs-full-i18n (ALAS2022-2022-019)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-019 advisory. A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active...
@intlify/shared Prototype Pollution vulnerability
Vulnerability type: Prototype Pollution. Affected Package: Product: @intlify/shared, Version: 10.0.4. Vulnerability Locations: node_modules/@intlify/shared/dist/shared.cjs:232:26. Description: The latest version of @intlify/shared 10.0.4 is vulnerable to Prototype Pollution through the entry functions...
CVE-2024-52810 Prototype Pollution in @intlify/shared >=9.7.0 <= 10.0.4
@intlify/shared is a shared library for the intlify project. The latest version of @intlify/shared 10.0.4 is vulnerable to Prototype Pollution through the entry functions lib.deepCopy. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the globa...
CVE-2024-52810
CVE-2024-52810 covers a Prototype Pollution vulnerability in the package @intlify/shared (v10.0.4). The entry function lib.deepCopy can be fed a crafted object to pollute the global Object prototype, enabling denial of service and potentially enabling further injection-based attacks if pollu...
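The entries above say that a crafted object passed to a deep-copy routine can reach Object.prototype, but not how. The following is an added example, written for this page and not @intlify/shared's deepCopy implementation: a naive recursive merge of the shape that is vulnerable in this way, beside a hardened variant, driven by a constructed payload. Function names and the payload are illustrative assumptions.

```javascript
// Added example, not the @intlify/shared deepCopy implementation: a naive
// recursive merge that walks every own key of untrusted input, beside a
// hardened variant that refuses prototype-bearing keys.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: when key === "__proto__", dest[key] on a plain object resolves
// to Object.prototype, which passes the isPlainObject check, so the recursion
// writes the attacker's nested keys onto the global prototype.
function deepCopyVulnerable(src, dest) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(dest[key])) dest[key] = {};
      deepCopyVulnerable(val, dest[key]);
    } else {
      dest[key] = val;
    }
  }
  return dest;
}

// Hardened: skip the keys that reach a prototype, and only recurse into a
// property that dest itself owns, never an inherited one.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepCopySafe(src, dest) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = src[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(dest, key);
      if (!own || !isPlainObject(dest[key])) dest[key] = {};
      deepCopySafe(val, dest[key]);
    } else {
      dest[key] = val;
    }
  }
  return dest;
}

// Constructed attacker payload. JSON.parse creates an *own* "__proto__"
// property (it does not invoke the setter), and Object.keys enumerates it.
const PAYLOAD = '{"locale":"en","__proto__":{"polluted":true}}';

// Runs one copy function on the payload and reports whether an unrelated,
// freshly created object inherited the injected key. Cleans up afterwards
// so the two runs do not influence each other.
function pollutes(copyFn) {
  const target = {};
  copyFn(JSON.parse(PAYLOAD), target);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

console.log('vulnerable:', pollutes(deepCopyVulnerable)); // true
console.log('hardened:  ', pollutes(deepCopySafe));       // false
```

Skipping the three keys is the minimal fix; a deeper defence for code that merges untrusted JSON is to build the target with Object.create(null) so there is no prototype to reach, or to Object.freeze(Object.prototype) at process start and treat any write to it as an incident.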
BIT-NODE-2024-22017
setuid does not affect libuv's internal io_uring operations if initialized before the call to setuid. This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid. This vulnerability affects all users using version greater or...
Exploit for CVE-2024-21534
POC - CVE-2024-21534 Jsonpath-plus vulnerable to Remote Code E...
Security Bulletin: IBM Observability with Instana for Synthetic PoP is affected by Multiple Security Vulnerabilities
Summary: Multiple vulnerabilities were addressed in IBM Observability with Instana for Synthetic PoP build 284. Vulnerability Details: CVEID: CVE-2024-2398 DESCRIPTION: cURL (libcurl) is vulnerable to a denial of service, caused by a memory leak when allowing HTTP/2 server push. By sending a specially...
Security Bulletin: IBM Analytics Content Hub is affected by security vulnerabilities
Summary: There are vulnerabilities in multiple Open Source Software (OSS) components consumed by IBM Analytics Content Hub. Additionally, IBM Analytics Content Hub is vulnerable to Buffer Overflow, Server Side Request Forgery (SSRF) and Improper Error Handling vulnerabilities. Please refer to the tabl...
CVE-2024-53843
@dapperduckling/keycloak-connector-server is an opinionated series of libraries for Node.js applications and frontend clients to interface with keycloak. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the authentication flow of the application. This issue arises due to...
CVE-2024-53843
CVE-2024-53843 describes a Reflected XSS in the @dapperduckling/keycloak-connector-server authentication flow due to improper sanitization of URL parameters. The vulnerability could allow crafted URLs to inject and reflect arbitrary JavaScript in victims’ browsers, affecting any application using...
CVE-2024-53843 Reflected XSS Vulnerability in Authentication Flow URL Handling in @dapperduckling/keycloak-connector-server
@dapperduckling/keycloak-connector-server is an opinionated series of libraries for Node.js applications and frontend clients to interface with keycloak. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the authentication flow of the application. This issue arises due to...
CVE-2024-21538
A Regular Expression Denial of Service (ReDoS) vulnerability was found in the cross-spawn package for Node.js. Due to improper input sanitization, an attacker can increase CPU usage and crash the program with a large, specially crafted string...
Exploit for CVE-2024-21534
Vulnerability Information: CVE-2024-21534 The jsonpath-plus...