7925 matches found
CVE-2024-38372
Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a fetch request, response.arrayBuffer might include a portion of memory from the Node.js process. This has been patched in v6.19.2...
UBUNTU-CVE-2024-38372
Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a fetch request, response.arrayBuffer might include a portion of memory from the Node.js process. This has been patched in v6.19.2...
CVE-2024-38372
CVE-2024-38372 (Undici, Node.js) : An information disclosure issue in the Undici HTTP/1.1 client could cause response.arrayBuffer() to return memory from the Node.js process under certain network/process conditions. The vulnerability has been fixed in Undici v6.19.2. Affected/impacted details in ...
CVE-2024-38372 Undici vulnerable to data leak when using response.arrayBuffer()
Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a fetch request, response.arrayBuffer might include a portion of memory from the Node.js process. This has been patched in v6.19.2...
Security Bulletin: IBM QRadar Deployment Intelligence app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities (CVE-2024-4067, CVE-2024-28849, CVE-2024-4068)
Summary: The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. IBM QRadar Deployment Intelligence app for IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details: CVEID: CVE-2024-4067 DESCRIPTION: Node.js...
Security Bulletin: Node.js vulnerabilities affect IBM Spectrum Control
Summary: Node.js could allow a remote attacker to obtain sensitive information, cause a denial of service, or perform HTTP request smuggling, and could allow a local authenticated attacker to gain elevated privileges on the system. These vulnerabilities affect IBM Spectrum Control. CVE-2024-27983, CVE-2024-22019,...
Security Bulletin: Multiple Vulnerabilities in IBM Event Endpoint Management
Summary: Multiple vulnerabilities were addressed in IBM Event Endpoint Management version 11.2.1. Vulnerability Details: CVEID: CVE-2024-26308 DESCRIPTION: Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error. By persuading a victim to open a specially crafte...
Important: Red Hat Security Advisory: nodejs:16 security update
An update for the nodejs:16 package is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is...
PT-2024-4625 · Node.js
Name of the Vulnerable Software and Affected Versions: Node.js versions up to 18.20.3; Node.js versions up to 20.15.0; Node.js versions up to 22.4.0. Description: The issue arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child...
Node.js 18.x < 18.20.4 / 20.x < 20.15.1 / 22.x < 22.4.1 Multiple Vulnerabilities (Monday, July 8, 2024 Security Releases).
The version of Node.js installed on the remote host is prior to 18.20.4, 20.15.1, 22.4.1. It is, therefore, affected by multiple vulnerabilities as referenced in the Monday, July 8, 2024 Security Releases advisory. - The CVE-2024-27980 was identified as an incomplete fix for the BatBadBut...
RHEL 8 : nodejs:16 (RHSA-2024:4353)
The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:4353 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes...
Monday, July 8, 2024 Security Releases
Monday, July 8, 2024 Security Releases. Security releases available: updates are now available for the 22.x, 20.x, 18.x Node.js release lines for the following issues. Bypass incomplete fix of CVE-2024-27980 (CVE-2024-36138 - High): The CVE-2024-27980 was identified as an incomplete fix for the...
CVE-2024-39691
matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. The fix for GHSA-wm4w-7h2q-3pf7 / CVE-2024-32000 included in matrix-appservice-irc 2.0.0 relied on the Matrix homeserver-provided timestamp to determine whether a user has access to the event they're replying to when...
CVE-2024-39691 Malicious Matrix homeserver can leak truncated message content of messages it shouldn't have access to
matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. The fix for GHSA-wm4w-7h2q-3pf7 / CVE-2024-32000 included in matrix-appservice-irc 2.0.0 relied on the Matrix homeserver-provided timestamp to determine whether a user has access to the event they're replying to when...
CVE-2024-39691
CVE-2024-39691 affects matrix-appservice-irc, a Node.js IRC bridge for Matrix. Before version 2.0.1, the bridge used the Matrix homeserver-provided timestamp (origin_server_ts) to decide if a user could see the event being replied to. A malicious homeserver could fabricate this timestamp, causing...
GHSA-5F4X-HWV2-W9W2 rejetto HFS vulnerable to OS Command Execution by remote authenticated users
rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js)...
rejetto HFS vulnerable to OS Command Execution by remote authenticated users
rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js)...