Debian CVE (added 2024/10/15 12:00 a.m., 16 views)

CVE-2024-48948

The Elliptic package 6.5.7 for Node.js, in its ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of a truncateToN anomaly. This leads to...

CVSS 4.8 | AI score 5.6 | EPSS 0.00162 | Exploits 1

Cvelist (added 2024/10/15 12:00 a.m., 19 views)

CVE-2024-48948

The Elliptic package 6.5.7 for Node.js, in its ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of a truncateToN anomaly. This leads to...

EPSS 0.00162 | Exploits 1 | References 3

CVE (added 2024/10/15 12:00 a.m., 109 views)

CVE-2024-48948

The CVE-2024-48948 entry is linked to the Elliptic package for Node.js (v6.5.7). It describes a cryptographic signature verification issue in ECDSA caused by a _truncateToN anomaly: if the hash has at least four leading zero bytes and the base point order is smaller than the hash, valid signature...

CVSS 4.8 | AI score 7.1 | EPSS 0.00162 | Exploits 1 | References 4 | Affected Software 1

Vulnrichment (added 2024/10/15 12:00 a.m., 16 views)

CVE-2024-48948

The Elliptic package 6.5.7 for Node.js, in its ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of a truncateToN anomaly. This leads to...

AI score 5.1 | EPSS 0.00162 | Exploits 1 | References 3

Veracode (added 2024/10/14 10:35 a.m., 9 views)

Prototype Pollution

@sap/hana-client is vulnerable to Prototype Pollution. The vulnerability is due to improper user input sanitization when using the nestTables feature of the SAP HANA Node.js client package, which allows attackers to manipulate object prototypes, enabling them to add arbitrary properties...

CVSS 4.3 | AI score 6.8 | EPSS 0.00322 | Exploits 0 | References 4 | Affected Software 1

RedhatCVE (added 2024/10/11 8:24 a.m., 25 views)

CVE-2024-21534

A flaw was found in jsonpath-plus. This vulnerability allows remote code execution via improper input sanitisation and unsafe default usage of the vm module in Node.js. Attackers can exploit this by executing arbitrary code through the unsafe use of the vm module in Node.js, which allows for...

CVSS 9.8 | AI score 10 | EPSS 0.92707 | Exploits 4 | References 5

Github Security Blog (added 2024/10/10 3:30 a.m., 23 views)

Elliptic's verify function omits uniqueness validation

The Elliptic package 6.5.5 for Node.js, in its EDDSA implementation, does not perform the required check that the signature proof is within the bounds of the order n of the base point of the elliptic curve, leading to signature malleability. Namely, the verify function in lib/elliptic/eddsa/index.js...

CVSS 9.1 | AI score 9.3 | EPSS 0.00292 | Exploits 0 | References 6 | Affected Software 1

OSV (added 2024/10/10 1:15 a.m., 19 views)

CVE-2024-48949

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation...

CVSS 9.1 | AI score 6.3 | Exploits 0 | References 4

CVE (added 2024/10/10 12:00 a.m., 143 views)

CVE-2024-48949

CVE-2024-48949 concerns the Elliptic package for Node.js before 6.5.6. The vulnerability stems from the verify function in lib/elliptic/eddsa/index.js, which omits the validation sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg(), enabling acceptance of invalid signatures. IBM’s bulletin lists thi...

CVSS 9.1 | AI score 7 | EPSS 0.00292 | Exploits 0 | References 4 | Affected Software 1

Vulnrichment (added 2024/10/10 12:00 a.m., 19 views)

CVE-2024-48949

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation...

AI score 6.8 | EPSS 0.00292 | Exploits 0 | References 3

Debian CVE (added 2024/10/10 12:00 a.m., 10 views)

CVE-2024-48949

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation...

CVSS 9.1 | AI score 5.5 | EPSS 0.00292 | Exploits 0

Cvelist (added 2024/10/10 12:00 a.m., 22 views)

CVE-2024-48949

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation...

EPSS 0.00292 | Exploits 0 | References 3

IBM Security Bulletins (added 2024/10/09 1:22 p.m., 27 views)

Security Bulletin: Multiple vulnerabilities in IBM SDK for Node.js affect IBM Business Automation Workflow

Summary: IBM Business Automation Workflow Configuration Editor is packaging a vulnerable version of the Node.js runtime and vulnerable library versions. Vulnerability Details: CVEID: CVE-2024-43796. DESCRIPTION: expressjs express is vulnerable to cross-site scripting, caused by improper validation of...

CVSS 8.1 | AI score 8.2 | EPSS 0.00261 | Exploits 0 | Affected Software 2

OSV (added 2024/10/08 7:14 a.m., 10 views)

BIT-PARSE-2024-47183 Parse Server's custom object ID allows to acquire role privileges

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and...

CVSS 8.1 | AI score 7.8 | EPSS 0.00384 | Exploits 0 | References 6

Github Security Blog (added 2024/10/08 6:30 a.m., 17 views)

ggit is vulnerable to Command Injection via the fetchTags(branch) API

All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec Node.js child process API...

CVSS 7.3 | AI score 7.3 | EPSS 0.00364 | Exploits 0 | References 4 | Affected Software 1

OSV (added 2024/10/08 6:30 a.m., 18 views)

GHSA-6339-GV7W-G5F4 SAP HANA Node.js client package vulnerable to Prototype Pollution

The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 are impacted by a Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitization when using the nestTables feature, causing low impact ...

CVSS 5.3 | AI score 4.6 | EPSS 0.00322 | Exploits 0 | References 4

Github Security Blog (added 2024/10/08 6:30 a.m., 24 views)

SAP HANA Node.js client package vulnerable to Prototype Pollution

The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 are impacted by a Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitization when using the nestTables feature, causing low impact ...

CVSS 4.3 | AI score 6.9 | EPSS 0.00322 | Exploits 0 | References 5 | Affected Software 1

NVD (added 2024/10/08 5:15 a.m., 11 views)

CVE-2024-21532

All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec Node.js child process API...

CVSS 7.3 | EPSS 0.00364 | Exploits 0 | References 3

CVE (added 2024/10/08 5:00 a.m., 84 views)

CVE-2024-21532

The CVE-2024-21532 issue affects the npm package ggit. Affected versions allow Command Injection via fetchTags(branch): user input specifies the branch, which is concatenated into a git command that is passed to Node.js child_process.exec(), enabling potentially arbitrary commands. Root cause is ...

CVSS 7.3 | AI score 7.4 | EPSS 0.00364 | Exploits 0 | References 3

Vulnrichment (added 2024/10/08 5:00 a.m., 12 views)

CVE-2024-21532

All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec Node.js child process API...

CVSS 7.3 | AI score 7.4 | EPSS 0.00364 | Exploits 0 | References 2
