Lucene search

7911 matches found

IBM Security Bulletins
added 2018/08/09 4:20 a.m. | 32 views

Security Bulletin: Vulnerabilities in OpenSSL affect IBM® SDK for Node.js™

Summary OpenSSL vulnerabilities were disclosed on March 19, 2015 by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js. IBM SDK for Node.js has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2015-0209 DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrar...

CVSS 7.5 | AI score 1.3 | EPSS 0.21097
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2018/08/09 4:20 a.m. | 25 views

Security Bulletin: Vulnerabilities in zlib affect IBM® SDK for Node.js™ (CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843)

Summary zlib vulnerabilities were disclosed in December 2016 by the zlib project. zlib is used by IBM SDK for Node.js. IBM SDK for Node.js has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2016-9840 DESCRIPTION: zlib is vulnerable to a denial of service, caused by an out-of-boun...

CVSS 9.8 | AI score 1.7 | EPSS 0.19177
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2018/08/09 4:20 a.m. | 24 views

Security Bulletin: Multiple vulnerabilities may affect IBM® SDK for Node.js™ in IBM Bluemix

Summary OpenSSL vulnerabilities were disclosed on September 22 and 26, 2016 by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js. IBM SDK for Node.js has addressed the applicable CVEs, plus three additional vulnerabilities unrelated to the OpenSSL release. Vulnerability Details CVEID:...

CVSS 9.8 | AI score 1.2 | EPSS 0.40993
Exploits 8 | Affected Software 1

IBM Security Bulletins
added 2018/08/09 4:20 a.m. | 37 views

Security Bulletin: Multiple vulnerabilities may affect IBM® SDK for Node.js™

Summary Node.js vulnerabilities in Node.js and the V8 Javascript engine were disclosed on October 18 2016, by the Node.js Foundation. IBM SDK for Node.js has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2016-5180 DESCRIPTION: The V8 Javascript engine, as used in Google Chrome O...

CVSS 9.8 | AI score 0.9 | EPSS 0.18086
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2018/08/09 4:20 a.m. | 33 views

Security Bulletin: A vulnerability in OpenSSL affect IBM® SDK for Node.js™ in IBM Cloud (CVE-2018-0739)

Summary OpenSSL vulnerabilities were disclosed by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js for IBM Cloud. IBM SDK for Node.js for IBM Cloud has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2018-0739 DESCRIPTION: OpenSSL is vulnerable to a denial of service. B...

CVSS 6.5 | AI score 0.8 | EPSS 0.14445
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2018/08/09 4:20 a.m. | 32 views

Security Bulletin: Vulnerabilities in OpenSSL affect IBM® SDK for Node.js™ in IBM Bluemix (CVE-2017-3731 CVE-2017-3732 CVE-2016-7055)

Summary OpenSSL vulnerabilities were disclosed on January 26, 2017 by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js. IBM SDK for Node.js has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2017-3731 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by...

CVSS 7.5 | AI score 1 | EPSS 0.10401
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2018/08/07 7:52 p.m. | 33 views

Security Bulletin: A security vulnerability has been identified in Node.js hoek shipped with Data Science Experience Local

Summary Node.js hoek is shipped as a component of Data Science Experience Local. Information about a security vulnerability affecting Node.js hoek has been published in a security bulletin. Vulnerability Details Please consult the security bulletins: CVE-2018-3728 for vulnerability details and...

CVSS 8.8 | AI score 1.6 | EPSS 0.01675
Exploits 1 | Affected Software 1

Hacker One
added 2018/08/06 2:28 p.m. | 18 views

Node.js third-party modules: Code Injection Vulnerability in dot Package

I would like to report a code injection vulnerability in dot. It allows attackers to execute arbitrary JS code, especially when combined with a prototype pollution attack. Module module name: dot version: 1.1.2 npm page: https://www.npmjs.com/package/dot Module Description Created in search of th...

CVSS 6.5 | AI score 0.8 | EPSS 0.01037
Exploits 1

Hacker One
added 2018/08/06 12:9 p.m. | 32 views

Node.js third-party modules: Code Injection Vulnerability in morgan Package

I would like to report a code injection vulnerability in morgan. It allows an attacker to inject arbitrary JS commands in certain situations. Module module name: morgan version: 1.9.0 npm page: https://www.npmjs.com/package/morgan Module Description HTTP request logger middleware for node.js Name...

CVSS 7.5 | AI score 0.5 | EPSS 0.0195
Exploits 1

Hacker One
added 2018/08/06 11:41 a.m. | 26 views

Node.js third-party modules: Command Injection Vulnerability in win-fork/win-spawn Packages

I would like to report a command injection vulnerability in win-fork and win-spawn packages. It allows an attacker to inject multiple commands in exec-like manner. Module module name: win-spawn version: 2.0.0 npm page: https://www.npmjs.com/package/win-spawn npm page:...

AI score 0.8
Exploits 0

Hacker One
added 2018/08/06 10:57 a.m. | 47 views

Node.js third-party modules: Command Injection Vulnerability in libnmap Package

I would like to report a command injection vulnerability in libnmap. It allows an attacker to inject arbitrary OS commands instead of a valid network range to be scanned. Module module name: libnmap version: 0.4.11 npm page: https://www.npmjs.com/package/libnmap Module Description API to access...

CVSS 10 | AI score 1.4 | EPSS 0.01417
Exploits 1

Hacker One
added 2018/08/06 10:40 a.m. | 46 views

Node.js third-party modules: Prototype Pollution Vulnerability in mpath Package

I would like to report prototype pollution vulnerability in mpath. It allows an attacker to inject arbitrary properties on Object.prototype. Module module name: mpath version: 0.4.1 npm page: https://www.npmjs.com/package/mpath Module Description G,Set javascript object values using MongoDB-like...

CVSS 5 | AI score 0.5 | EPSS 0.00186
Exploits 1

Hacker One
added 2018/08/06 10:32 a.m. | 10 views

Node.js third-party modules: Prototype Pollution Vulnerability in noble Package

I would like to report prototype pollution vulnerability in noble. It allows attackers to pollute the Object.prototype object of an application running noble, possibly through Bluetooth. Module module name: noble version: 1.9.1 npm page: https://www.npmjs.com/package/noble Module Description A...

AI score 0.7
Exploits 0

Hacker One
added 2018/08/06 10:19 a.m. | 46 views

Node.js third-party modules: Command Injection is ps Package

I would like to report a command injection in ps package. It allows attacker to inject arbitrary OS commands instead of PID numbers. Module module name: ps version: 0.0.2 npm page: https://www.npmjs.com/package/ps Module Description A Node.js module for looking up running processes. Module Stats ...

CVSS 7.5 | AI score 1.1 | EPSS 0.03492
Exploits 0

Hacker One
added 2018/08/06 10:10 a.m. | 37 views

Node.js third-party modules: Prototype Pollution Vulnerability in cached-path-relative Package

I would like to report a prototype pollution attack in cached-path-relative. It allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain. Module module name: cached-path-relative version: 1.0.1 npm page:...

CVSS 5 | AI score 0.8 | EPSS 0.00519
Exploits 0

Hacker One
added 2018/08/05 6:31 a.m. | 28 views

Node.js third-party modules: [ascii-art] Command injection

I would like to report a command injection vulnerability in the ascii-art npm module. It allows arbitrary shell command execution through a maliciously crafted command line argument. Module module name: ascii-art version: 1.4.3 npm page: https://www.npmjs.com/package/ascii-art Module Description...

AI score 1.3
Exploits 0

IBM Security Bulletins
added 2018/08/03 4:23 a.m. | 31 views

Security Bulletin: Multiple OpenSSL vulnerabilities in Node.js affect IBM Rational Application Developer for WebSphere Software included in Rational Developer for i and Rational Developer for AIX and Linux

Summary Portions of IBM Rational Application Developer for WebSphere Software are shipped as a component of Rational Developer for i RPG and COBOL + Modernization Tools, Java and EGL editions, and Rational Developer for AIX and Linux. Multiple OpenSSL vulnerabilities in Node.js were found on May ...

CVSS 7.5 | AI score 0.9 | EPSS 0.79963
Exploits 6 | Affected Software 2

IBM Security Bulletins
added 2018/08/03 4:23 a.m. | 34 views

Security Bulletin: Buffer overflow in V8 in Node.js affects IBM Rational Application Developer for WebSphere Software included in Rational Developer for i and Rational Developer for AIX and Linux

Summary Portions of IBM Rational Application Developer for WebSphere Software are shipped as a component of Rational Developer for i RPG and COBOL + Modernization Tools, Java and EGL editions, and Rational Developer for AIX and Linux. Under certain conditions, V8 may improperly expand memory...

CVSS 9.3 | AI score 1.4 | EPSS 0.01626
Exploits 0 | Affected Software 2

IBM Security Bulletins
added 2018/08/03 4:23 a.m. | 33 views

Security Bulletin: Multiple vulnerabilities in the IBM SDK for Node.js affect the Cordova tools in Rational Application Developer affecting Rational Developer for i and Rational Developer for AIX and Linux (CVE-2016-2086, CVE-2016-2216, CVE-2015-3197)

Summary Portions of IBM Rational Application Developer for WebSphere Software are shipped as a component of Rational Developer for i RPG and COBOL + Modernization Tools, Java and EGL editions, and Rational Developer for AIX and Linux. Security vulnerabilities have been discovered in the IBM SDK f...

CVSS 7.5 | AI score 0.6 | EPSS 0.22185
Exploits 2 | Affected Software 2

IBM Security Bulletins
added 2018/08/03 4:23 a.m. | 27 views

Security Bulletin: Multiple OpenSSL and Non-OpenSSL vulnerabilities in Node.js affect IBM Rational Application Developer for WebSphere Software included in Rational Developer for i and Rational Developer for AIX and Linux

Summary Portions of IBM Rational Application Developer for WebSphere Software are shipped as a component of Rational Developer for i RPG and COBOL + Modernization Tools, Java and EGL editions, and Rational Developer for AIX and Linux. OpenSSL vulnerabilities were disclosed on September 22 and 26,...

CVSS 9.8 | AI score 0.8 | EPSS 0.40993
Exploits 8 | Affected Software 2