MAL-2024-1345 Malicious code in generic-synthetic-nodejs (npm)
Source: ghsa-malware e3db423ccee00e5cf1e26ff844a773827eec7a87a0f1d2a41fa7d587d99b7c5c. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
AZL-40444 CVE-2024-34064 affecting package nodejs18 for versions less than 18.20.3-4
Jinja is an extensible templating engine. The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, >, or =, as each would then be interpreted as starting a separate attribute. If an application accepts keys as...
AZL-40420 CVE-2024-34064 affecting package nodejs for versions less than 20.14.0-1
Jinja is an extensible templating engine. The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, >, or =, as each would then be interpreted as starting a separate attribute. If an application accepts keys as...
AZL-75801 CVE-2024-34064 affecting package nodejs24 for versions less than 24.13.0-1
Jinja is an extensible templating engine. The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, >, or =, as each would then be interpreted as starting a separate attribute. If an application accepts keys as...
Important: nodejs20
Issue Overview: NOTE: https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/ CVE-2024-27982 An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data i...
Important: nodejs
Issue Overview: An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the...
nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of...
libxmljs security vulnerability
libxmljs is the LibXML binding for node.js. A security vulnerability exists in libxmljs that stems from the presence of a type confusion vulnerability...
Fedora 40 : nodejs-undici (2024-a5dc987f91)
The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-a5dc987f91 advisory. Update to version 6.11.1. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...
DEBIAN-CVE-2024-33883
The ejs aka Embedded JavaScript templates package before 3.1.10 for Node.js lacks certain pollution protection...
RHEL 7 / 8 : Red Hat Ansible Automation Platform 1.2.2 (RHSA-2021:0781)
The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0781 advisory. Red Hat Ansible Automation Platform integrates Red Hat's automation suite consisting of Red Hat Ansible Tower, Red Hat Ansible Engine,...
RHEL 6 / 7 : rh-nodejs4-nodejs (RHSA-2017:3002)
The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2017:3002 advisory. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven,...
RHEL 6 / 7 : rh-nodejs6-nodejs (RHSA-2018:2944)
The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2018:2944 advisory. - nodejs: Out of bounds OOB write via UCS-2 encoding CVE-2018-12115 Note that Nessus has not tested for this issue but has instead relied only on...
RHEL 6 / 7 : rh-nodejs4-nodejs-tough-cookie (RHSA-2017:2912)
The remote Redhat Enterprise Linux 6 / 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2017:2912 advisory. Tough-Cookie is a Node.js module that offers RFC6265 Cookies and Cookie Jar. The following packages have been upgraded to a later upstre...
RHEL 6 / 7 : rh-nodejs6-nodejs-tough-cookie (RHSA-2017:2913)
The remote Redhat Enterprise Linux 6 / 7 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2017:2913 advisory. Tough-Cookie is a Node.js module that offers RFC6265 Cookies and Cookie Jar. The following packages have been upgraded to a later upstream versio...
RHEL 7 : rh-nodejs8-nodejs (RHSA-2018:2949)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2949 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...
AZL-39968 CVE-2023-6237 affecting package nodejs18 for versions less than 18.20.2-1
Issue summary: Checking excessively long invalid RSA public keys may take a long time. Impact summary: Applications that use the function EVP_PKEY_public_check to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may...
nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin)
A flaw was found in Node.js. The privateDecrypt API of the crypto library may allow a covert timing side-channel during PKCS1 v1.5 padding error handling. This issue revealed significant timing differences in decryption for valid and invalid ciphertexts, which may allow a remote attacker to decry...