SUSE-SU-2023:0408-1 Security update for nodejs18

This update for nodejs18 fixes the following issues: This update ships nodejs18 jscPED-2097 Update to NodejJS 18.13.0 LTS: build: disable v8 snapshot compression by default crypto: update root certificates deps: update ICU to 72.1 doc: + add doc-only deprecation for headers/trailers setters + add...

AZL-41581 CVE-2021-22918 affecting package pytorch for versions less than 2.2.2-4

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uvidnatoascii is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to...

OPENSUSE-SU-2021:0065-1 Security update for nodejs10

This update for nodejs10 fixes the following issues: - New upstream LTS version 10.23.1: CVE-2020-8265: use-after-free in TLSWrap High bug in TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as...

Node.js third-party modules: [plain-object-merge] Prototype pollution

I would like to report a prototype pollution vulnerability in plain-object-merge module. It allows an attacker to inject properties on Object.prototype. Module module name: plain-object-merge version: 1.0.1 npm page: https://www.npmjs.com/package/plain-object-merge Module Description Extremely fa...

Node.js third-party modules: [blamer] RCE via insecure command formatting

I would like to report a RCE issue in the blamer module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: blamer version: 0.1.13 npm page: https://www.npmjs.com/package/blamer Module Description Blamer is a tool for get information about author of code...

Node.js third-party modules: [git-promise] RCE via insecure command formatting

I would like to report a RCE issue in the git-promise module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: git-promise version: 0.3.1 npm page: https://www.npmjs.com/package/git-promise Module Description Simple wrapper that allows you to run any git...

Node.js third-party modules: [expressjs-ip-control] Whitelist IP bypass leads to authorization bypass and sensitive info disclosure

I would like to report a unauthenticated access/authorization bypass issue in the expressjs-ip-control module. It allows to bypass the whitelist IP check in order to bypass the authorization check and possibly expose sensitive datas. Module module name: MODULE NAME version: MODULE VERSION npm pag...

OPENSUSE-SU-2019:1846-1 Security update for nodejs10

This update for nodejs10 to version 10.16.0 fixes the following issues: Security issue fixed: - CVE-2019-13173: Fixed a potential file overwrite via hardlink in fstream.DirWriter bsc1140290. Non-security issue fixed: - Update to new upstream LTS version 10.16.0, including npm version 6.9.0 and...

SUSE-SU-2019:2099-1 Security update for nodejs10

This update for nodejs10 to version 10.16.0 fixes the following issues: Security issue fixed: - CVE-2019-13173: Fixed a potential file overwrite via hardlink in fstream.DirWriter bsc1140290. Non-security issue fixed: - Update to new upstream LTS version 10.16.0, including npm version 6.9.0 and...

Node.js third-party modules: [md-fileserver] Path Traversal

I would like to report path traversal in md-fileserver modulee It allows an attacker to read system files via path traversal through commandline Module module name: md-fileserver version: 1.3.2 npm page: https://www.npmjs.com/package/md-fileserver Module Description Starts a local server to rende...

UBUNTU-CVE-2018-12120

Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with node --debug or node debug, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate...

Node.js third-party modules: Bypass to defective fix of Path Traversal

I would like to report a Path Traversal vulnerability in localhost-now. It allows to read arbitrary files on the server. This is a bypass on the mitigation of 312889 . Module module name: localhost-now version: 1.0.2 npm page: https://www.npmjs.com/package/localhost-now Module Description Am I th...

SUSE-SU-2017:0855-1 Security update for nodejs4

This update for nodejs4 fixes the following issues: - New upstream LTS release 4.7.3 The embedded openssl sources were updated to 1.0.2k CVE-2017-3731, CVE-2017-3732, CVE-2016-7055, bsc1022085, bsc1022086, bsc1009528 - No changes in LTS version 4.7.2 - New upstream LTS release 4.7.1 build: shared...