CVE-2023-30590 vulnerabilities
Vulnerabilities for packages: nodejs...
MGASA-2023-0299 Updated nodejs packages fix security vulnerabilities
This is a security release. The following CVEs are fixed in this release: CVE-2023-44487: nghttp2 Security Release High CVE-2023-45143: undici Security Release High CVE-2023-38552: Integrity checks according to policies can be circumvented Medium CVE-2023-39333: Code injection via WebAssembly...
MGASA-2023-0264 Updated nodejs packages fix security vulnerability
This is a security release. It also fixes V8 headers detection (mga28809). The following CVEs are fixed in this release: CVE-2023-32002: Policies can be bypassed via Module.load High CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire Medium CVE-2023-32559: Policies can ...
Developer Alert: NPM Packages for Node.js Hiding Dangerous TurkoRat Malware
Two malicious packages discovered in the npm package repository have been found to conceal an open source information stealer malware called TurkoRat. The packages – named nodejs-encrypt-agent and nodejs-cookie-proxy-agent – were collectively downloaded approximately 1,200 times and were availabl...
46c-sector (>=1.0.0 <=1.2.1), @aatishgh/antora_site_generator_lunr_custom (>=0.4.0 <=0.4.3) +430 more potentially affected by CVE-2023-0163 via convict (>=0.0.6 <=6.2.3)
convict NPM version =0.0.6, =1.0.0, =0.4.0, =0.0.1, =0.0.2, =1.0.0, =1.0.0, =1.0.0, =2.2.0, =0.0.1, =1.0.0, =0.0.1, =2.1.0, =2.0.0, =3.0.2 and more Source cves: CVE-2023-0163 Source advisory: OSV:GHSA-4JRM-C32X-W4JF...
2broke2wait (=0.1.0), 2ch-fetcher-with-proxy (>=1.0.0 <=1.0.1) +4015 more potentially affected by CVE-2022-25893 via vm2 (>=1.0.1 <=3.9.1)
vm2 NPM version =1.0.1, =1.0.0, =15.0.0, =5.1.3, =1.0.2, =1.0.1, =0.1.0, =0.1.0, =0.1.0, =0.0.1, =0.2.48, =0.12.5-20190619040852, =0.23.0-alpha.1 and more Source cves: CVE-2022-25893 Source advisory: OSV:GHSA-4W2J-2RG4-5MJW...
MGASA-2022-0294 Updated nodejs packages fix security vulnerability
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have bee...
Important Photon OS Security Update - PHSA-2022-3.0-0426
Updates of 'nodejs' packages of Photon OS have been released...
@aarconada/urserver (>=0.0.1 <=0.0.990), @alterior/core (>=0.0.1 <=2.0.0-b1) +195 more potentially affected by CVE-2022-27261 via express-fileupload (>=0.0.5 <=1.3.1)
express-fileupload NPM version =0.0.5, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.1.155, =2.0.0-alpha.0, =1.0.0, =0.12.0, =0.0.2-90, =0.0.1-alpha.151, =0.0.1-alpha.44, =0.0.1, =1.0.0, =1.0.0, =1.0.1 and more Source cves: CVE-2022-27261 Source advisory: OSV:GHSA-W4M6-X6C2-J5C9...
116zm_atm (=1.0.0), 11_mybank (=1.0.0) +612 more potentially affected by CVE-2021-23567 via faker (=6.6.6)
faker NPM version =6.6.6 is affected by a known vulnerability. The following packages have a transitive dependency on faker and may be impacted: - 116zm_atm =1.0.0 - 11_mybank =1.0.0 - @acceleratxr/react-shared =1.1.0, =0.1.0, =1.0.0, =1.2.1, =1.1.0, =1.3.0, =1.0.0, =1.1.0, =1.2.0, =1.1.0, =1.2.0,...
MGASA-2021-0463 Updated nodejs packages fix security vulnerability
Multiple security fixes for nodejs. See references for details...
MGASA-2021-0372 Updated nodejs packages fix security vulnerabilities
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n'); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true CVE-2020-7774. The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Servic...
MGASA-2021-0170 Updated nodejs-yargs-parser packages fix security vulnerability
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload CVE-2020-7608...
Important Photon OS Security Update - PHSA-2020-3.0-0150
Updates of 'nodejs' packages of Photon OS have been released...
09-nodejs (=1.0.0), 11.17r (=1.0.0) +1752 more potentially affected by unknown CVE via concat-stream (>=1.5.0 <=1.5.1)
concat-stream NPM version =1.5.0, =0.0.1, =1.0.1, =0.0.2, =0.0.1, =0.1.0, =0.1.0, =1.0.1-0.beta.1, =1.0.0-beta.1, =1.1.5-beta.4 - @arezooq/webserverpackage =1.0.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-G74R-FFVR-5Q9F...
AZL-41949 CVE-2019-10906 affecting package nodejs for versions less than 20.14.0-1
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape...
192.168.0.172 (=4.6.1), 1campus_nodedsa (>=0.0.1 <=0.0.4) +10304 more potentially affected by CVE-2017-16026 via request (>=2.2.6 <=2.67.0)
request NPM version =2.2.6, =0.0.1, =0.1.1, =0.1.1, =1.0.0, =0.2.2, =0.1.0, =0.1.0, =0.1.0, =0.0.1, =0.0.1, =0.0.1, =0.0.3 and more Source cves: CVE-2017-16026 Source advisory: OSV:GHSA-7XFP-9C55-5VQJ...
MGASA-2016-0307 Updated nodejs packages fix security vulnerability
Under certain conditions, V8 may improperly expand memory allocations in the Zone::New function. This could potentially be used to cause a Denial of Service via buffer overflow or as a trigger for a remote code execution CVE-2016-1669. The primary npm registry has used HTTP bearer tokens to...