Security Bulletin: QRadar Suite Software includes components with multiple known vulnerabilities
Summary QRadar Suite Software includes components with known vulnerabilities. These have been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version. Vulnerability Details...
The vulnerability of the fs.mkdtemp() and fs.mkdtempSync() methods in the Node.js software platform allows a hacker to create arbitrary directories.
The vulnerability of the fs.mkdtemp and fs.mkdtempSync methods in the Node.js software platform is related to incorrect path name restrictions for restricted-access directories. Exploiting this vulnerability could allow an attacker to create arbitrary directories remotely...
RHEL 8 : nodejs:20 (RHSA-2024:5814)
The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:5814 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...
RHEL 9 : nodejs:18 (RHSA-2024:6147)
The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:6147 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...
RHEL 9 : nodejs:20 (RHSA-2024:5815)
The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:5815 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...
Exploit for Code Injection in Ejs
THM Challenge: SSTI RCE...
K000148381: Node.js vulnerability CVE-2021-22883
Security Advisory Description Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the...
MAL-2024-10332 Malicious code in nodepaysafesdk (npm)
Source: ghsa-malware 262a38bba91b52950dc38de3cc74144bbd62c1e3026190170176fb2fba6d08de Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
RHEL 6 / 7 : rh-nodejs4-nodejs and rh-nodejs4-http-parser (RHSA-2017:0002)
The remote Red Hat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2017:0002 advisory. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an...
Node.js: Improper error handling in async cryptographic operations crashes process
The C++ method SignTraits::DeriveBits incorrectly called ThrowException based on user-supplied inputs when executing in a background thread, crashing the Node.js process...
CVE-2024-49770 oak's path traversal allows transfer of hidden files within the served root directory
oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. By default oak does not allow transferring of hidden files with Context.send API. However, prior to version 17.1.3, this can be bypassed by encoding / as its URL encoded...
Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2024-749)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-749 advisory. A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model...
SUSE CVE-2020-26311
Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no patches are available...
SUSE CVE-2024-42461
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed...
CVE-2024-10491
A flaw was found in the Express Node.js framework. In certain versions, an attacker may be able to trigger an arbitrary resource injection attack via the link header when unsanitized data is used...
The vulnerability of the undici.request method in the HTTP/1.1 client of the Undici software platform for Node.js allows attackers to inject arbitrary HTTP headers.
The vulnerability of the undici.request method in the Node.js software platform relates to the failure to handle CRLF sequences in HTTP headers. Exploiting this vulnerability allows a remote attacker to inject arbitrary HTTP headers...
ROS-20241029-08
Vulnerability in the OpenSearch software package related to improper validation of the nextUrl parameter. Exploitation of the vulnerability could allow an attacker to redirect a user to a malicious site. A vulnerability in the server.maxHeadersCount configuration of the ws client-server library in...
K000148290: Moment.JS vulnerabilities CVE-2017-18214 and CVE-2022-24785
Security Advisory Description CVE-2017-18214 The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055. CVE-2022-24785 Moment.js is a JavaScript date library for parsing, validating,...
Security Bulletin: Multiple Vulnerabilities in components for Cloud Pak System
Summary Vulnerabilities found in components packaged with Cloud Pak System: Node.js, Express, Axios. Vulnerability Details CVEID: CVE-2024-4068 DESCRIPTION: Node.js braces module is vulnerable to a denial of service, caused by the failure to limit the number of characters it can handle, leading to...
useragent Regular Expression Denial of Service vulnerability
Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). PoC (js): async function exploit ... const useragent = require("useragent"); // Create a malicious user-agent that...