7925 matches found

CNNVD
added 2024/04/11 12:0 a.m., 2 views

mysql2 security vulnerability

MySQL2 is a MySQL client for Node.js by the individual developer Andrey Sidorov. A security vulnerability exists in versions of mysql2 prior to 3.9.4, which stems from vulnerability to Remote Code Execution (RCE) attacks via the readCodeFor function...

CVSS 9.8 | AI score 9.2 | EPSS 0.46188
Exploits 0 | References 8
NCSC
added 2024/04/11 12:0 a.m., 3 views

Vulnerability fixed in node.js

A vulnerability has been fixed in node.js. A malicious party can exploit the vulnerability to execute arbitrary code on the system through command injection, with the permissions of the application running in the vulnerable node.js. The developers of node.js have released updates to fix the...

CVSS 8.1 | AI score 8.5 | EPSS 0.00369
Exploits 0
OpenVAS
added 2024/04/11 12:0 a.m., 30 views

Node.js < 18.20.2, 19.x < 20.12.2, 21.x < 21.7.3 Command Injection Vulnerability (BatBadBut) - Windows

Node.js is prone to a command injection vulnerability on Windows dubbed BatBadBut...

CVSS 9.8 | AI score 8.3 | EPSS 0.10549
Exploits 4 | References 7
IBM Security Bulletins
added 2024/04/10 11:1 a.m., 76 views

Security Bulletin: Node.js IP is vulnerable to CVE-2023-42282 used in IBM Maximo Application Suite - Monitor Component

Summary: IBM Maximo Application Suite - Monitor Component uses Node.js IP which is vulnerable to CVE-2023-42282. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details: CVEID: CVE-2023-42282 DESCRIPTION: Node.js IP package could allow a remote attacker to...

CVSS 9.8 | AI score 9.4 | EPSS 0.00652
Exploits 1 | Affected Software 1
Tenable Nessus
added 2024/04/10 12:0 a.m., 38 views

AlmaLinux 8 : nodejs:20 (ALSA-2024:1687)

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2024:1687 advisory. nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin) (CVE-2023-46809); nodejs: reading unprocessed HTTP reques...

CVSS 9.8 | AI score 7.2 | EPSS 0.01642
Exploits 0 | References 8
Tenable Nessus
added 2024/04/10 12:0 a.m., 53 views

AlmaLinux 9 : nodejs:20 (ALSA-2024:1688)

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2024:1688 advisory. nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin) (CVE-2023-46809); nodejs: reading unprocessed HTTP reques...

CVSS 9.8 | AI score 7.2 | EPSS 0.01642
Exploits 0 | References 8
Node JS Blog
added 2024/04/10 12:0 a.m., 29 views

Wednesday, April 10, 2024 Security Releases

Security releases available: Updates are now available for the 18.x, 20.x, 21.x Node.js release lines for the following issues. Command injection via args parameter of child_process.spawn without shell option enabled on Windows (CVE-2024-27980) - HIGH: Due t...

CVSS 8.1 | AI score 8.6 | EPSS 0.00369
Exploits 0
Microsoft CVE
added 2024/04/09 7:0 a.m., 4 views

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

...

CVSS 8.2 | AI score 7.7 | EPSS 0.75933
Exploits 1
OSV
added 2024/04/09 1:15 a.m., 1 view

DEBIAN-CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

CVSS 8.2 | AI score 7.4 | EPSS 0.75933
Exploits 1 | References 1
NVD
added 2024/04/09 1:15 a.m., 20 views

CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

CVSS 8.2 | AI score 6.2 | EPSS 0.75933
Exploits 1 | References 7
UbuntuCve
added 2024/04/09 1:15 a.m., 47 views

CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

CVSS 8.2 | AI score 7.1 | EPSS 0.75933
Exploits 1 | References 3
OSV
added 2024/04/09 1:15 a.m., 2 views

UBUNTU-CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

CVSS 8.2 | AI score 7 | EPSS 0.75933
Exploits 1 | References 4
Cvelist
added 2024/04/09 1:6 a.m., 27 views

CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

CVSS 8.2 | AI score 6.5 | EPSS 0.75933
Exploits 1 | References 5
Debian CVE
added 2024/04/09 1:6 a.m., 38 views

CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

CVSS 8.2 | AI score 7.7 | EPSS 0.75933
Exploits 1
AlpineLinux
added 2024/04/09 1:6 a.m., 48 views

CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

CVSS 8.2 | AI score 6.6 | EPSS 0.75933
Exploits 1
Vulnrichment
added 2024/04/09 1:6 a.m., 24 views

CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

CVSS 8.2 | AI score 8.2 | EPSS 0.75933
Exploits 1 | References 5
CVE
added 2024/04/09 1:6 a.m., 193 views

CVE-2024-27983

CVE-2024-27983 affects Node.js HTTP/2 support (CONTINUATION frames DoS) with a race condition that can leave data in nghttp2 memory and lead to denial of service. Connected sources confirm nodejs/nghttp2 involvement and advisories recommending security updates. Impact: availability disruption; no explici...

CVSS 8.2 | AI score 6.2 | EPSS 0.75933
Exploits 1 | References 7
Snyk
added 2024/04/09 12:0 a.m., 2 views

Improper Control of Generation of Code ('Code Injection')

Overview: Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to the improper handling of batch files in child_process.spawn or child_process.spawnSync. An attacker can inject arbitrary commands and achieve code execution even if the shell...

CVSS 8.1 | AI score 8 | EPSS 0.00369
Exploits 0 | References 2
Positive Technologies
added 2024/04/09 12:0 a.m., 3 views

PT-2024-26606

Name of the Vulnerable Software and Affected Versions: process versions prior to 1.6.19.0; GHC versions prior to 9.10.1-alpha3; GHC versions prior to 9.8.3; GHC versions prior to 9.6.5; Node.js versions up to 21.7.2. Description: A command injection vulnerability allows an attacker to perform command...

CVSS 9.8 | AI score 7.9 | EPSS 0.10549
Exploits 4 | References 27
Hacker One
added 2024/04/08 8:41 p.m., 70 views

Internet Bug Bounty: Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash

The Node.js HTTP/2 server was affected by a vulnerability that caused it to crash instantly after receiving a small number of HTTP/2 frames. The issue was caused by a race condition that occurred when the Http2Session destructor was triggered while header frames were still being processed, leavin...

CVSS 8.2 | AI score 6.3 | EPSS 0.75933
Exploits 1