Security Bulletin: IBM DataPower Gateway is vulnerable to Denial of Service due to use of Node.js
Summary: Node.js is used by IBM DataPower Gateway as part of the API-GWY management interface (CVE-2024-22019). Vulnerability Details: CVEID: CVE-2024-22019. DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error when reading an unprocessed HTTP request with an unbounded chunk extension...
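The chunk-extension issue behind CVE-2024-22019 in the bulletin above (the same CVE appears in the Rocky Linux and Oracle Linux entries further down) comes down to a parser that keeps buffering the chunk-size line until it sees the line terminator, so a sender who never sends one makes the buffer grow without limit. The following is an added illustration, not Node.js's HTTP parser and not code from any advisory on this page: a small streaming decoder for the HTTP/1.1 chunked transfer-coding that rejects a chunk-size line (hex size plus any `;name=value` extensions) as soon as the partial line exceeds a limit, fed a constructed never-ending extension in small segments. The `ChunkedDecoder` class, the helper names and the 1024-byte default limit are assumptions made for this example.

```javascript
'use strict';
// Added example, not Node.js's HTTP parser and not code from any advisory above.
// Streaming decoder for the HTTP/1.1 chunked transfer-coding that bounds the
// chunk-size line (hex size plus any ";name=value" chunk extensions).
// A decoder that buffers the line until CRLF grows without limit when the
// sender never terminates it; this one fails as soon as the partial line
// exceeds maxChunkLine. The 1024-byte default is an assumption, not Node's value.

const DEFAULT_MAX_CHUNK_LINE = 1024;

class ChunkedDecoder {
  constructor({ maxChunkLine = DEFAULT_MAX_CHUNK_LINE } = {}) {
    this.maxChunkLine = maxChunkLine;
    this.state = 'SIZE';     // SIZE -> DATA -> CRLF -> SIZE ... until a 0 chunk
    this.line = '';          // partially received chunk-size line or trailing CRLF
    this.remaining = 0;      // bytes still expected in the current chunk
    this.parts = [];
    this.extensionBytes = 0; // chunk-extension bytes seen, for logging
    this.done = false;
  }

  // Feed one segment of the request body. Throws on malformed or oversized input.
  feed(segment) {
    const data = Buffer.isBuffer(segment) ? segment : Buffer.from(segment, 'latin1');
    let i = 0;
    while (i < data.length && !this.done) {
      if (this.state === 'DATA') {
        const take = Math.min(this.remaining, data.length - i);
        this.parts.push(data.subarray(i, i + take));
        this.remaining -= take;
        i += take;
        if (this.remaining === 0) this.state = 'CRLF';
        continue;
      }
      // SIZE and CRLF both collect a line; the bound is checked on the partial line,
      // before the terminator has arrived.
      const nl = data.indexOf(0x0a, i);
      const end = nl === -1 ? data.length : nl;
      this.line += data.toString('latin1', i, end);
      if (this.state === 'SIZE' && this.line.length > this.maxChunkLine) {
        throw new Error(`chunk-size line exceeds ${this.maxChunkLine} bytes`);
      }
      if (this.state === 'CRLF' && this.line.length > 1) {
        throw new Error('expected CRLF after chunk data');
      }
      if (nl === -1) break; // line not complete yet; wait for more data
      i = nl + 1;
      const line = this.line.replace(/\r$/, '');
      this.line = '';
      if (this.state === 'SIZE') {
        this.parseSizeLine(line);
      } else {
        if (line !== '') throw new Error('expected CRLF after chunk data');
        this.state = 'SIZE';
      }
    }
  }

  parseSizeLine(line) {
    const semi = line.indexOf(';');
    const sizeHex = (semi === -1 ? line : line.slice(0, semi)).trim();
    if (semi !== -1) this.extensionBytes += line.length - semi;
    if (!/^[0-9a-fA-F]{1,8}$/.test(sizeHex)) throw new Error(`bad chunk size: ${sizeHex}`);
    const size = parseInt(sizeHex, 16);
    if (size === 0) { this.done = true; return; } // last chunk; trailers ignored here
    this.remaining = size;
    this.state = 'DATA';
  }

  body() { return Buffer.concat(this.parts).toString('utf8'); }
}

// Decode a complete chunked body; returns the decoded payload as a string.
function decodeChunked(input, opts) {
  const d = new ChunkedDecoder(opts);
  d.feed(input);
  if (!d.done) throw new Error('truncated chunked body');
  return d.body();
}

// Constructed attacker input: a chunk-size line with an n-byte extension that
// never terminates, delivered in small segments like a slow TCP sender.
function attackerSegments(n, segmentSize = 64) {
  const line = '5;x=' + 'A'.repeat(n);
  const segments = [];
  for (let i = 0; i < line.length; i += segmentSize) segments.push(line.slice(i, i + segmentSize));
  return segments;
}

// Bytes a decoder with the given limit accepts before rejecting the never-ending
// line; -1 means it buffered everything and never rejected (the unbounded case).
function bytesBufferedBeforeReject(segments, maxChunkLine) {
  const d = new ChunkedDecoder({ maxChunkLine });
  let fed = 0;
  for (const s of segments) {
    try { d.feed(s); } catch { return fed + s.length; }
    fed += s.length;
  }
  return -1;
}

if (typeof require !== 'undefined' && require.main === module) {
  const segs = attackerSegments(100000);
  console.log('bounded decoder rejects after', bytesBufferedBeforeReject(segs, 1024), 'bytes');
  console.log('unbounded decoder rejects after', bytesBufferedBeforeReject(segs, Infinity), '(never)');
}
```

With the limit set, the decoder rejects the attacker's line once slightly more than 1024 bytes have arrived, regardless of how many more segments would follow; with the limit removed (`Infinity`), the whole 100 kB extension sits in `line` and the decoder is still waiting for a terminator, which is the behaviour the advisory describes.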
GHSA-34H3-8MW4-QW57 @electron/packager's build process memory potentially leaked into final executable
Impact: A random segment of 1-10 kB of Node.js heap memory allocated on either side of a known buffer will be leaked into the final executable. This memory could contain sensitive information such as environment variables, secrets files, etc. Patches: This issue is patched in 18.3.1. Workarounds: No...
CVE-2024-29900 @electron/packager's build process memory potentially leaked into final executable
Electron Packager bundles Electron-based application source code with a renamed Electron executable and supporting files into folders ready for distribution. A random segment of 1-10 kB of Node.js heap memory allocated on either side of a known buffer will be leaked into the final executable. This...
Node.js Module node-tar < 6.2.1 DoS
In the Node.js module node-tar prior to version 6.2.1, there is no validation of the number of folders created while unpacking an archive. As a result, an attacker can use a malicious archive to exhaust the CPU and memory on the host and crash the Node.js client. Note that Nessus has not tested for these...
Security Bulletin: IBM Planning Analytics Workspace is affected by vulnerabilities in multiple Open Source Software (OSS) components
Summary: There are vulnerabilities in multiple Open Source Software (OSS) components consumed by IBM Planning Analytics Workspace. IBM Planning Analytics Workspace 2.0 Release 94 has addressed the applicable CVEs by upgrading or removing the vulnerable libraries. Please refer to the table in the...
Security Bulletin: IBM Planning Analytics Workspace has addressed multiple vulnerabilities
Summary: IBM Planning Analytics Workspace is considered vulnerable to a Malicious File Upload vulnerability which could allow a privileged user to upload malicious files that can be automatically processed within the product (CVE-2023-42017). This vulnerability has been addressed. IBM Planning...
nodejs:18 security update
An update is available for module.nodejs-nodemon, nodejs-packaging, module.nodejs-packaging, nodejs-nodemon. This update affects Rocky Linux 9. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list...
RLSA-2024:1503 Important: nodejs:18 security update
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: code injection and privilege escalation through Linux capabilities (CVE-2024-21892); nodejs: reading unprocessed HTTP request with unbounded...
nodejs:18 security update
An update is available for nodejs-nodemon, module.nodejs, nodejs, module.nodejs-nodemon, module.nodejs-packaging, nodejs-packaging. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability...
RLSA-2024:1444 Important: nodejs:16 security update
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (CVE-2024-22019); nodejs: HTTP/2: Multiple HTTP/2 enabled...
Rocky Linux 8 : nodejs:16 (RLSA-2024:1444)
The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:1444 advisory. - The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited i...
Rocky Linux 8 : nodejs:18 (RLSA-2024:1510)
The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:1510 advisory. - On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated...
Rocky Linux 9 : nodejs:18 (RLSA-2024:1503)
The remote Rocky Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:1503 advisory. - On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated...
Oracle Linux 8 : nodejs:18 (ELSA-2024-1510)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-1510 advisory. - Fixes: CVE-2024-21892, CVE-2024-22019 (high). Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Not...
Internet Bug Bounty: Path traversal by monkey-patching Buffer internals
In Node.js 20 and 21, a path traversal vulnerability was introduced due to the ability to monkey-patch Buffer internals. By overwriting Buffer.prototype.utf8Write, an attacker could bypass the path resolution logic and access restricted file system paths. The vulnerability was caused by the...
nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin)
A flaw was found in Node.js. The privateDecrypt API of the crypto library may allow a covert timing side-channel during PKCS#1 v1.5 padding error handling. This issue revealed significant timing differences in decryption for valid and invalid ciphertexts, which may allow a remote attacker to decry...
Oracle Linux 9 : nodejs:18 (ELSA-2024-1503)
The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-1503 advisory. - Fixes: CVE-2024-21892, CVE-2024-22019 (high). Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Not...
DLA-3776-1 nodejs - security update
Bulletin has no description...