Security Bulletin: IBM Data Product Hub uses Node.js micromatch & braces modules which are vulnerable to a denial of service (CVE-2024-4067 & CVE-2024-4068)

Summary IBM Data Product Hub has dependencies on Node.js micromatch & braces modules which are vulnerable to a denial of service CVE-2024-4067 & CVE-2024-4068. This bulletin contains information regarding the vulnerabilities and their fixture. Vulnerability Details CVEID:CVE-2024-4068 DESCRIPTION...

Security Bulletin: IBM Planning Analytics Workspace is affected by vulnerabilities in multiple Open Source Software (OSS) components

Summary There are vulnerabilities in multiple Open Source Software OSS components consumed by IBM Planning Analytics Workspace. These issues have been addressed by upgrading or removing the vulnerable libraries. Please refer to the table in the Related Information section for vulnerability impact...

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Node.js Vulnerability Details CVEID:CVE-2024-30260 DESCRIPTION: Node.js undici module could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with not clear Authorization...

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Node.js Vulnerability Details CVEID:CVE-2024-22019 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error when reading unprocessed HTTP request with unbounded chunk extension. By sendin...

Security Bulletin: Denial of Service Vulnerability in Node.js affect Cloud Pak System [CVE-2022-25758]

Summary Cloud Pak System uses Node.js for implementation of Cloud Pak System Common UI. Vulnerability Details CVEID:CVE-2022-25758 DESCRIPTION: Node.js scss-tokenizer module is vulnerable to a denial of service, caused by a regular expression denial of service ReDoS vulnerability in the...

Oracle Linux 9 : nodejs:20 (ELSA-2024-5815)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-5815 advisory. nodejs 1:20.16.0-1 - Update to 20.16.0 Fixes: CVE-2024-36137 CVE-2024-22018 CVE-2024-22020 nodejs-nodemon nodejs-packaging Tenable has extracted the...

Security Bulletin: IBM Decision Optimization for Cloud Pak for Data is vulnerable to a denial of service (CVE-2024-37890)

Summary There is a vulnerability in Node.js ws module used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2024-37890 DESCRIPTION: Node.js ws module is vulnerable to a...

Security Bulletin: IBM QRadar Use Case Manager app is vulnerable to using components with known vulnerabilities

Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. The update addresses these issues. Vulnerability Details CVEID:CVE-2024-4067 DESCRIPTION: Node.js micromatch module is vulnerable to a denial of service, caused ...

nodejs: fs.fchown/fchmod bypasses permission model

A flaw was found in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors. However, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner...

nodejs: Bypass network import restriction via data URL

A flaw was found in the Node.js package. By embedding non-network imports in data URLs, this flaw allows an attacker to execute arbitrary code, compromising system security...

Moderate: Red Hat Security Advisory: nodejs:20 security update

An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

Moderate: Red Hat Security Advisory: nodejs:20 security update

An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

nodejs: fs.lstat bypasses permission model

A flaw was found in the Node.js package. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files they do not have explicit read access to...

Moderate: nodejs:20 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: node-tar: denial of service while parsing a tar file due to lack of folders depth validation CVE-2024-28863 nodejs: Bypass network import...

ALSA-2024:5815 Moderate: nodejs:20 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: Bypass network import restriction via data URL CVE-2024-22020 nodejs: fs.lstat bypasses permission model CVE-2024-22018 nodejs:...

Moderate: nodejs:20 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: Bypass network import restriction via data URL CVE-2024-22020 nodejs: fs.lstat bypasses permission model CVE-2024-22018 nodejs:...

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service [CVE-2024-37168] [CVE-2024-34890]

Summary Node.js is used by IBM App Connect Enterprise Certified Container as a runtime engine. IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerability in Node.js modules ws and gRPC...

BIT-GHOST-2024-43409 Ghost's improper authentication allows access to member information and actions

Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost 4.46.0 through 5.89.4. v5.89.5 contains a fix for th...

The vulnerability of the environment settings in Node.js software for managing Western Digital WD Discovery products allows a hacker to execute arbitrary code.

The vulnerability of the Node.js software for managing Western Digital WD Discovery products relates to insufficient validation of input data. Exploiting this vulnerability could allow an attacker to execute arbitrary code during the current session...

Exploit for Prototype Pollution in Clickbar Dot-Diver

CVE-2023-45827 취약점 개요 - CVE-2023-45827 - CVSS : 9.8 -...