Security Bulletin: IBM App Connect Enterprise is vulnerable to a denial of service and HTTP request smuggling due to Node.js (CVE-2024-27983 & CVE-2024-27982)
Summary IBM App Connect Enterprise is vulnerable to a denial of service and HTTP request smuggling due to Node.js. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2024-27983 DESCRIPTION: Node.js is vulnerable to a denial of service, caused ...
K000139643: Node-tar vulnerability CVE-2024-28863
Security Advisory Description node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash t...
AlmaLinux 9 : nodejs:20 (ALSA-2024:2853)
The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2024:2853 advisory. c-ares: Out of bounds read in ares__read_line() CVE-2024-25629 nghttp2: CONTINUATION frames DoS CVE-2024-28182 nodejs: using the fetch function to retrieve...
nodejs:20 security update
nodejs 1:20.12.2-2 - Backport nghttp2 patch for CVE-2024-28182 1:20.12.2-1 - Rebase to version 20.12.0 Fixes: CVE-2024-27983 CVE-2024-27982 CVE-2024-22025 node Fixes: CVE-2024-25629 c-ares nodejs-nodemon nodejs-packaging...
Important: Red Hat Security Advisory: nodejs:20 security update
An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...
Oracle Linux 9 : nodejs:18 (ELSA-2024-2779)
The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-2779 advisory. nodejs 1:18.20.2-2 - Removes .ps1 files - Rebase to 18.20.2 - Fixes: CVE-2024-27983, CVE-2024-28182, CVE-2024-27982, CVE-2024-25629 nodejs-nodemon...
K000139615: Node.js vulnerability CVE-2024-27982
Security Advisory Description The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly,...
CVE-2023-42955
Claris International has resolved an issue that could expose password information to front-end websites when a user with an administrator role is signed in to the Admin Console. This issue has been fixed in FileMaker Server 20.3.1 by no longer sending Admin Role passwords in the...
Rocky Linux 9 : nodejs (RLSA-2024:1438)
The remote Rocky Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RLSA-2024:1438 advisory. - A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and...
nodejs:18 security update
nodejs 1:18.20.2-2 - Removes .ps1 files - Rebase to 18.20.2 - Fixes: CVE-2024-27983, CVE-2024-28182, CVE-2024-27982, CVE-2024-25629 nodejs-nodemon nodejs-packaging...
Security Bulletin: IBM Rational® Application Developer for WebSphere® Software is vulnerable to a denial of service
Summary Node.js is used by IBM Rational® Application Developer for WebSphere® Software as the SDK and runtime for Apache Cordova projects. CVE-2023-6129, CVE-2024-24806, CVE-2023-5678, CVE-2024-22019, CVE-2023-46809, CVE-2024-0727, CVE-2023-6237, CVE-2024-21892 Vulnerability Details...
AlmaLinux 9 : nodejs:18 (ALSA-2024:2779)
The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2024:2779 advisory. nodejs: CONTINUATION frames DoS CVE-2024-27983 nodejs: using the fetch function to retrieve content from an untrusted URL leads to denial of service...
RHEL 8 : nodejs-deep-extend (Unpatched Vulnerability)
The remote Red Hat Enterprise Linux 8 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. - nodejs-deep-extend: Prototype pollution can allow attackers to modify object properties CVE-2018-3750 Note that...
Security Bulletin: IBM App Connect Enterprise is vulnerable to a remote attack due to the node.js module follow-redirects and Express.js (CVE-2024-28849, CVE-2024-29041)
Summary IBM App Connect Enterprise is vulnerable to a remote attack due to node.js module follow-redirects and Express.js. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-28849 DESCRIPTION: Node.js follow-redirects module could allow...
Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to Node.js.
Summary IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to Node.js. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2024-21892 DESCRIPTION: Node.js could allow a local authenticated attacker to gain elevated...
nodejs security update
An update is available for nodejs. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Node.js is a software development platform for building fast and scalable...
K000139579: Node.js vulnerability CVE-2024-21891
Security Advisory Description Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwritten with user-defined implementations, leading to a filesystem permission model bypass through a path traversal attack. This vulnerability affects...
K000139578: Node.js vulnerability CVE-2024-21896
Security Advisory Description The permission model protects itself against path traversal attacks by calling path.resolve on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from to obtain a Buffer from the result of path.resolve. By...
K000139577: Node.js vulnerability CVE-2024-21890
Security Advisory Description The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: --allow-fs-read=/home/node/.ssh/*.pub will ignore pub and give access to everything after .ssh/. This misleading...
K000139573: node.js vulnerability CVE-2024-22017
Security Advisory Description setuid does not affect libuv's internal iouring operations if initialized before the call to setuid. This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid. This vulnerability affects all...