7911 matches found

Hacker One
added 2019/07/26 4:48 a.m., 29 views

Node.js third-party modules: [script-manager] Unintended require

I would like to report Unintended Require in script-manager. It allows loading arbitrary non-production code js files. Module module name: script-manager version: 0.8.6 npm page: https://www.npmjs.com/package/script-manager Module Description node.js manager for running foreign and potentially...

7.5 CVSS, 0.00488 EPSS
Exploits: 1
RedHat Linux
added 2019/07/22 1:39 p.m., 118 views

Important: Red Hat Security Advisory: rh-nodejs8-nodejs security update

An update for rh-nodejs8-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

7.5 CVSS, 6.7 AI score, 0.26351 EPSS
Exploits: 1, References: 7
Hacker One
added 2019/07/12 11:31 a.m., 63 views

Node.js third-party modules: Yarn transfers npm credentials over unencrypted http connection

Module module name: yarn version: 1.16.0 npm page: https://www.npmjs.com/package/yarn Module Description Fast, reliable, and secure dependency management. Module Stats Replace stats below with numbers from npm’s module page: 166 703 downloads in the last day 849 928 downloads in the last week 3 7...

4.3 CVSS, 1.1 AI score, 0.00107 EPSS
Exploits: 1
IBM Security Bulletins
added 2019/07/02 5:50 p.m., 28 views

Security Bulletin: Multiple Security Vulnerabilities affect IBM Cloud Private (CVE-2019-5739 CVE-2019-5737 CVE-2019-1559)

Summary IBM Cloud Private is vulnerable to multiple security vulnerabilities in Node.js Vulnerability Details CVEID: CVE-2019-1559 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to immediately close the TCP connection after the hosts...

7.5 CVSS, 0.5 AI score, 0.26351 EPSS
Exploits: 0, Affected Software: 1
Hacker One
added 2019/07/02 12:16 a.m., 72 views

Node.js third-party modules: Command Injection in npm module name passed as an argument to pm2.install() function

Hi Lads, I would like to report Command Injection possible when npm module name is passed into pm2.install. An attacker is able to attach OS commands to npm module name and those commands will be executed when payload reaches execution sink in continueInstall function in API/Modules/NPM.js file...

0.2 AI score
Exploits: 0
IBM Security Bulletins
added 2019/06/28 8:45 p.m., 24 views

Security Bulletin: Multiple vulnerabilities affect IBM Watson Assistant for IBM Cloud Pak for Data

Summary Multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Node.js™, and OpenSSL as used by Node.js affect IBM Watson™ Assistant for IBM Cloud Pak for Data. Vulnerability Details CVEID: CVE-2018-12547 DESCRIPTION: Eclipse OpenJ9 is vulnerable to a buffer overflow, caused by improper...

9.8 CVSS, 0.6 AI score, 0.26351 EPSS
Exploits: 1, Affected Software: 1
Hacker One
added 2019/06/26 8:19 p.m., 132 views

Node.js third-party modules: Command Injection due to lack of sanitisation of tar.gz filename passed as an argument to pm2.install() function

Hi Guys, It's been a while : I would like to report Command Injection in pm2.import function when tar.gz archive is installed with a name provided as user controlled input. Due to lack of proper validation of tar.gz archive filename, this vulnerability allows to inject arbitrary commands and...

0.2 AI score
Exploits: 0
Hacker One
added 2019/06/26 7:59 a.m., 11 views

Node.js: loader.js is not secure

Summary: Node.js loader.js can be exploited by an attacker. The vulnerability https://github.com/nodejs/node/blob/a33c3c6d33fa81fa59a5aa95246d7f599e6abdd3/lib/internal/modules/cjs/loader.js#L892 js Module.initPaths = function var homeDir; var nodePath; if isWindows homeDir = process.env.USERPROFILE...

7.1 AI score
Exploits: 0
Hacker One
added 2019/06/24 5:18 p.m., 14 views

Node.js third-party modules: Application level denial of service due to shutting down the server

Module module name: http-live-simulator version: 1.0.7 npm page: https://www.npmjs.com/package/http-live-simulator Description I've found a way to crash the server due to the way it parses URL Steps To Reproduce: 1- Install the module: npm install -g http-live-simulator 2- Run the server: ...

0.3 AI score
Exploits: 0
Github Security Blog
added 2019/06/20 6:22 p.m., 29 views

Out-of-bounds Read in stringstream

All versions of stringstream are vulnerable to out-of-bounds read as it allocates uninitialized Buffers when number is passed in input stream on Node.js 4.x and below. Recommendation No fix is currently available for this vulnerability. It is our recommendation to not install or use this module i...

6.5 CVSS, 4 AI score, 0.00528 EPSS
Exploits: 1, References: 4, Affected Software: 1
Node.js
added 2019/06/19 7:54 p.m., 13 views

Sensitive Data Exposure

Overview All versions of put are vulnerable to Uninitialized Memory Exposure. The package incorrectly calculates the allocated Buffer size and does not trim the bytes written, which may allow attackers to access uninitialized memory containing sensitive data. This vulnerability only affects...

6.8 AI score
Exploits: 0, Affected Software: 1
Github Security Blog
added 2019/06/12 4:37 p.m., 18 views

Out-of-bounds Read in npmconf

Versions of npmconf before 2.1.3 allocate and write to disk uninitialized memory contents when a typed number is passed as input on Node.js 4.x. Recommendation Update to version 2.1.3 or later. Consider switching to another config storage mechanism, as npmconf is deprecated and should not be used...

3.7 AI score
Exploits: 0, References: 3, Affected Software: 1
Fedora
added 2019/06/12 2:48 p.m., 32 views

[SECURITY] Fedora 30 Update: nodejs-tough-cookie-2.3.4-1.fc30

RFC6265 Cookies and Cookie Jar for Node.js...

7.5 CVSS, 1.8 AI score, 0.03942 EPSS
Exploits: 0
NVD
added 2019/06/12 2:29 p.m., 14 views

CVE-2019-10157

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout. An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access...

5.5 CVSS, 4.7 AI score, 0.00019 EPSS
Exploits: 0, References: 2
OSV
added 2019/06/12 2:29 p.m., 26 views

CVE-2019-10157

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout. An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access...

5.5 CVSS, 6.4 AI score, 0.00019 EPSS
Exploits: 0, References: 2
Prion
added 2019/06/12 2:29 p.m., 18 views

Code injection

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout. An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access...

2.1 CVSS, 5.5 AI score, 0.00019 EPSS
Exploits: 0, References: 2, Affected Software: 2
Cvelist
added 2019/06/12 1:48 p.m., 21 views

CVE-2019-10157

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout. An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access...

4.7 CVSS, 5.2 AI score, 0.00019 EPSS
Exploits: 0, References: 2
CVE
added 2019/06/12 1:48 p.m., 118 views

CVE-2019-10157

CVE-2019-10157 affects Keycloak's Node.js adapter prior to 4.8.3. The vulnerability arises from improper verification of the web token received during backchannel logout, enabling a local attacker to craft a malicious JWT with a manipulated NBF value that could prevent a user from gaining access...

5.5 CVSS, 5.1 AI score, 0.00019 EPSS
Exploits: 0, References: 2, Affected Software: 2
RedhatCVE
added 2019/06/11 2:51 p.m., 33 views

CVE-2019-10157

It was found that Keycloak's Node.js adapter did not properly verify the web token received from the server in its backchannel logout. An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely...

5.5 CVSS, 2.7 AI score, 0.00019 EPSS
Exploits: 0, References: 3
pentestit
added 2019/06/10 6:03 a.m., 664 views

UPDATE: OWASP Dependency-Check 5.0.0

PenTestIT RSS Feed My first post about this open source OWASP project was about an older version. About 18 hours ago, a new version was released. This post discusses the changes made to the open source software composition analysis utility in the latest release yesterday. This is the OWASP...

6.5 CVSS, 0.5 AI score, 0.93658 EPSS
Exploits: 1