7925 matches found

RedHat Linux
added 2024/04/18 2:16 a.m. | 36 views

Important: Red Hat Security Advisory: nodejs:18 security update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is...

7.8 CVSS | 6.9 AI score | 0.01239 EPSS
Exploits: 0 | References: 4

Tenable Nessus
added 2024/04/18 12:0 a.m. | 46 views

RHEL 8 : nodejs:18 (RHSA-2024:1880)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1880 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...

7.8 CVSS | 7.2 AI score | 0.01239 EPSS
Exploits: 0 | References: 8

Tenable Nessus
added 2024/04/17 12:0 a.m. | 33 views

SUSE SLES15 Security Update : nodejs16 (SUSE-SU-2024:1308-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1308-1 advisory. - The team has identified a vulnerability in the http server of the most recent version of Node, where malformed headers can lead t...

8.2 CVSS | 7.5 AI score | 0.75933 EPSS
Exploits: 1 | References: 7

Tenable Nessus
added 2024/04/17 12:0 a.m. | 35 views

SUSE SLES15 / openSUSE 15 Security Update : nodejs18 (SUSE-SU-2024:1309-1)

The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1309-1 advisory. - libuv is a multi-platform support library with a focus on asynchronous I/O. The uv_getaddrinfo function in...

8.2 CVSS | 7 AI score | 0.75933 EPSS
Exploits: 3 | References: 16

Tenable Nessus
added 2024/04/17 12:0 a.m. | 22 views

SUSE SLES12 Security Update : nodejs16 (SUSE-SU-2024:1305-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1305-1 advisory. - The team has identified a vulnerability in the http server of the most recent version of Node, where malformed headers can lead t...

8.2 CVSS | 7.5 AI score | 0.75933 EPSS
Exploits: 1 | References: 7

IBM Security Bulletins
added 2024/04/16 3:42 p.m. | 48 views

Security Bulletin: IBM App Connect Enterprise is vulnerable to a denial of service and remote attack due to node.js jose module and jsonata-js JSONata (CVE-2024-28176, CVE-2024-27307)

Summary The Discovery Connector nodes in IBM App Connect Enterprise are vulnerable to a denial of service due to node.js jose module and jsonata-js JSONata. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2024-28176 DESCRIPTION: Node.js jos...

9.8 CVSS | 6.8 AI score | 0.00888 EPSS
Exploits: 0 | Affected Software: 1

Ubuntu
added 2024/04/16 11:31 a.m. | 50 views

USN-6735-1: Node.js vulnerabilities

It was discovered that Node.js incorrectly handled the use of invalid public keys while creating an x509 certificate. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue...

7.5 CVSS | 6.9 AI score | 0.01916 EPSS
Exploits: 1

OSV
added 2024/04/16 9:31 a.m. | 7 views

SUSE-SU-2024:1305-1 Security update for nodejs16

This update for nodejs16 fixes the following issues: - CVE-2024-27983: Fixed failed assertion in node::http2::Http2Session::Http2Session that could lead to HTTP/2 server crash bsc1222244 - CVE-2024-27982: Fixed HTTP Request Smuggling via Content Length Obfuscation bsc1222384...

8.2 CVSS | 7.4 AI score | 0.75933 EPSS
Exploits: 1 | References: 5

Tenable Nessus
added 2024/04/16 12:0 a.m. | 37 views

Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 : Node.js vulnerabilities (USN-6735-1)

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6735-1 advisory. It was discovered that Node.js incorrectly handled the use of invalid public keys while creating ...

7.5 CVSS | 6.8 AI score | 0.01916 EPSS
Exploits: 1 | References: 4

BDU FSTEC
added 2024/04/15 12:0 a.m. | 3 views

The vulnerability of the `fetch()` function in HTTP/1.1 of the Node.js software platform allows an attacker to cause a service failure.

The vulnerability of the fetch function in HTTP/1.1 in Node.js software platforms is related to uncontrolled resource consumption. Exploiting this vulnerability can allow a remote attacker to cause service failures...

7.8 CVSS | 6.6 AI score | 0.00351 EPSS
Exploits: 0 | References: 4 | Affected Software: 1

Hacker One
added 2024/04/13 10:23 a.m. | 71 views

Node.js: Bypass incomplete fix of CVE-2024-27980

The CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. This vulnerability arose from improper handling of batch files with all possible extensions on Windows via child_process.spawn and child_process.spawnSync. A malicious command line argument could have been used ...

8.1 CVSS | 7.5 AI score | 0.00369 EPSS
Exploits: 0

Vulnrichment
added 2024/04/12 8:2 p.m. | 13 views

CVE-2024-32000 Truncated content of messages can be leaked from matrix-appservice-irc

matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. matrix-appservice-irc before version 2.0.0 can be exploited to leak the truncated body of a message if a malicious user sends a Matrix reply to an event ID they don't have access to. As a precondition to the attack,...

4.3 CVSS | 6.3 AI score | 0.00086 EPSS
Exploits: 0 | References: 3

OSV
added 2024/04/12 8:2 p.m. | 19 views

CVE-2024-32000 Truncated content of messages can be leaked from matrix-appservice-irc

matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. matrix-appservice-irc before version 2.0.0 can be exploited to leak the truncated body of a message if a malicious user sends a Matrix reply to an event ID they don't have access to. As a precondition to the attack,...

4.3 CVSS | 4.6 AI score | 0.00086 EPSS
Exploits: 0 | References: 5

CVE
added 2024/04/12 8:2 p.m. | 51 views

CVE-2024-32000

Matrix-appservice-irc (Node.js IRC bridge) before version 2.0.0 could leak the truncated body of a message when a malicious user replies to an event they shouldn’t access, provided they know the event ID and are in both the Matrix room and the bridged IRC channel. The root cause involved reliance...

4.3 CVSS | 4.3 AI score | 0.00086 EPSS
Exploits: 0 | References: 3

IBM Security Bulletins
added 2024/04/12 3:48 p.m. | 44 views

Security Bulletin: IBM Security QRadar Analyst Workflow app for IBM QRadar SIEM includes components with known vulnerabilities

Summary The product includes vulnerable components e.g., framework libraries that might be identified and exploited with automated tools. IBM has addressed the vulnerabilities. Vulnerability Details CVEID:CVE-2023-44270 DESCRIPTION: PostCSS could allow a remote attacker to bypass security...

9.8 CVSS | 8 AI score | 0.01077 EPSS
Exploits: 3 | Affected Software: 1

Fedora
added 2024/04/12 1:21 a.m. | 24 views

[SECURITY] Fedora 39 Update: nodejs-undici-6.11.1-2.fc39

An HTTP/1.1 client, written from scratch for Node.js...

4.3 CVSS | 7.4 AI score | 0.00198 EPSS
Exploits: 1

Fedora
added 2024/04/12 1:15 a.m. | 23 views

[SECURITY] Fedora 38 Update: nodejs-undici-6.11.1-2.fc38

An HTTP/1.1 client, written from scratch for Node.js...

4.3 CVSS | 7.4 AI score | 0.00198 EPSS
Exploits: 1

Tenable Nessus
added 2024/04/12 12:0 a.m. | 27 views

Fedora 38 : nodejs-undici (2024-6d9c1da54f)

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-6d9c1da54f advisory. Update to version 6.11.1. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...

4.3 CVSS | 6.6 AI score | 0.00198 EPSS
Exploits: 1 | References: 3

Tenable Nessus
added 2024/04/12 12:0 a.m. | 26 views

Fedora 39 : nodejs-undici (2024-ad51aa23c3)

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-ad51aa23c3 advisory. Update to version 6.11.1. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...

4.3 CVSS | 6.6 AI score | 0.00198 EPSS
Exploits: 1 | References: 3

Veracode
added 2024/04/11 2:4 a.m. | 24 views

Denial Of Service (DoS)

Node.js is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling of HTTP/2 CONTINUATION frames, where sending a small amount of HTTP/2 frames packets can cause data to be left in nghttp2 memory after a reset, leading to a race condition when the Http2Session destructo...

8.2 CVSS | 8.3 AI score | 0.75933 EPSS
Exploits: 1 | References: 11 | Affected Software: 2