Important Photon OS Security Update - PHSA-2024-5.0-0318

Updates of 'nodejs' packages of Photon OS have been released...

RHEL 9 : nodejs (RHSA-2024:4559)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:4559 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...

OPENSUSE-SU-2024:14193-1 nodejs-electron-30.2.0-1.1 on GA media

These are all security issues fixed in the nodejs-electron-30.2.0-1.1 package on the GA media of openSUSE Tumbleweed...

RHEL 8 : nodejs (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - nodejs: integrity checks according to policies can be circumvented CVE-2023-38552 - Maliciously crafted...

RHEL 8 : pcs (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl CVE-2021-23362 ...

RHEL 9 : nodejs (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 9 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - nodejs: integrity checks according to policies can be circumvented CVE-2023-38552 - Maliciously crafted...

RHEL 8 : grafana (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - nodejs-underscore: Arbitrary code execution via the template function CVE-2021-23358 - node-fetch is...

CBL Mariner 2.0 Security Update: nodejs / nodejs18 / reaper (CVE-2024-28863)

The version of nodejs / nodejs18 / reaper installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-28863 advisory. - node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the numbe...

CBL Mariner 2.0 Security Update: fluent-bit / nghttp2 / nodejs / nodejs18 (CVE-2024-28182)

The version of fluent-bit / nghttp2 / nodejs / nodejs18 installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-28182 advisory. - nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 ...

SUSE CVE-2024-22018

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve...

DEBIAN-CVE-2024-22018

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve...

AZL-43213 CVE-2024-22018 affecting package nodejs 20.14.0-13

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve...

CVE-2024-22018 vulnerabilities

Vulnerabilities for packages: nodejs...

Authorization Bypass

Overview Affected versions of this package are vulnerable to Authorization Bypass due to a failure to restrict file stats through the fs.lstat API that allows attackers to retrieve stats from files to which they do not have explicit read access. Note: This is exploitable only for users of the...

Authorization Bypass

Overview Affected versions of this package are vulnerable to Authorization Bypass via fs.fchown or fs.fchmod operations which can use a "read-only" file descriptor to change the owner and permissions of a file. Note: This is only exploitable for users using the experimental permission when the...

AZL-43216 CVE-2024-22020 affecting package nodejs18 for versions less than 18.20.3-3

A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports...

CVE-2024-22020 vulnerabilities

Vulnerabilities for packages: nodejs...

AZL-43195 CVE-2024-22020 affecting package nodejs for versions less than 20.14.0-5

A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports...

undici Security breach

undici is an HTTP/1.1 client. A security vulnerability exists in undici version 6.14.0 through versions prior to 6.19.2, which stems from the response.arrayBuffer function potentially containing portions of memory from a Node.js process...

CBL Mariner 2.0 Security Update: c-ares / nodejs / python-gevent / grpc (CVE-2022-4904)

The version of c-ares / nodejs / python-gevent / grpc installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-4904 advisory. - A flaw was found in the c-ares package. The aressetsortlist is missing checks...