4 matches found
MiracleLinux 8 : nodejs:10 (AXSA:2020-281:01)
The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2020-281:01 advisory. ICU: Integer overflow in UnicodeString::doAppend (CVE-2020-10531). Tenable has extracted the preceding description block directly from the MiracleLinux security...
Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang, which could result in a Denial of Service. To address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero-fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.
...
DEBIAN-CVE-2017-18869
A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks...
DEBIAN-CVE-2019-15605
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed...