CVE-2017-15896
CVE-2017-15896 maps to OpenSSL CVE-2017-3737 (Read/write after SSL object in error state) affecting Node.js through its OpenSSL stack. The vulnerability allows an attacker to bypass TLS authentication/encryption by abusing SSL_read()/SSL_write() after a fatal error during a handshake, as describe...
CVE-2017-15897
Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will...
CVE-2017-15896
Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption...
PT-2017-14274 · Node.Js +2
Name of the Vulnerable Software and Affected Versions: Node.js (affected versions not specified). Description: The issue concerns a TLS handshake failure due to the use of SSL read, allowing an active network attacker to send application data to Node.js using the TLS or HTTP2 modules, bypassing TLS...
PT-2017-14275 · Node.Js +1
Name of the Vulnerable Software and Affected Versions: Node.js versions 8.X through 9.X. Description: The issue arises when the encoding for the fill value does not match the encoding specified, causing buffers to not be initialized correctly. For example, 'Buffer.alloc(0x100, "This is not correctl...
Node.js third-party modules: [lactate] Static Web Server Directory Traversal via Crafted GET Request
Hi @vdeturckheim, A crafted GET request can be leveraged to traverse the directory structure of a host using the lactate web server package, and request arbitrary files outside of the specified web root. Module specification Name: lactate Version: 0.13.12 latest release build Verified conditions...
Node.js third-party modules: [augustine] Static Web Server Directory Traversal via Crafted GET Request
Hi, A crafted GET request can be leveraged to traverse the directory structure of a host using the augustine web server package, and request arbitrary files outside of the specified web root. Module specification Name: augustine Version: 0.2.3 latest release build Verified conditions Test server:...
Node.js third-party modules: [serve-here] Static Web Server Directory Traversal via Crafted GET Request
Hi, A crafted GET request can be leveraged to traverse the directory structure of a host using the serve-here web server package, and request arbitrary files outside of the specified web root. Module specification Name: serve-here Version: 3.2.0 latest release build Verified conditions Test serve...
Data Confidentiality/Integrity Vulnerability, December 2017
(Update 7-December-2017) Security releases available. Summary: Updates are now available for all active Node.js release lines. These include the fix for the vulnerability identified in the initial announcement. In addition the updates for 8....
node.js -- Data Confidentiality/Integrity Vulnerability, December 2017
Node.js reports: Data Confidentiality/Integrity Vulnerability - CVE-2017-15896. Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the...
CVE-2017-14919
Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter...
CVE-2017-1000188
nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile resulting in code injection...
Input validation
nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile...
CVE-2017-1000228
CVE-2017-1000228 affects nodejs ejs: any versions older than 2.5.3 are vulnerable to remote code execution due to weak input validation in ejs.renderFile(). Explanation: this is a concrete vulnerability with multiple coordinated disclosures (NVD entry and corroborating reports in GHSA, Debian, CN...
CVE-2017-1000219
npm/KyleRoss windows-cpu all versions vulnerable to command injection resulting in code execution as Node.js user...
Command injection
npm/KyleRoss windows-cpu all versions vulnerable to command injection resulting in code execution as Node.js user...