4323 matches found
Druva 注入漏洞
Druva is a large-scale SaaS platform from US-based Druva, Inc. bringing the simplicity, scalability and security of the public cloud to enterprise data protection and management. A security vulnerability exists in Druva version 6.9.0 that stems from a URL injection vulnerability in the inSync...
CVE-2022-32222
A vulnerability was found in NodeJS. The issue occurs when Node.js starts on Linux based systems and attempts to read /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf, which ordinarily does not exist. This flaw allows an attacker on some shared systems to create this file and...
CVE-2022-32215
A vulnerability was found in NodeJS due to the llhttp parser in the HTTP module incorrectly handling multi-line Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling HRS. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle...
CVE-2022-32213
A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling HRS, causing web cache poisoning, and conducting XSS attacks...
CVE-2022-32212
A vulnerability was found in NodeJS, where the IsAllowedHost check can be easily bypassed because IsIPAddress does not properly check if an IP address is invalid or not. When an invalid IPv4 address is provided for instance, 10.0.2.555 is provided, browsers such as Firefox will make DNS requests ...
Node.js 环境问题漏洞
Node.js is an open source, cross-platform JavaScript runtime environment. An environmental issue vulnerability exists in Node.js that stems from the llhttp parser in the Node.js http module not properly parsing and validating the Transfer-Encoding header, which could result in HTTP Request...
Node.js 环境问题漏洞
Node.js is an open source, cross-platform JavaScript runtime environment. An environmental issue vulnerability exists in Node.js that stems from the llhttp parser in the Node.js http module not properly parsing and validating the Transfer-Encoding header, which could result in HTTP Request...
Important: Red Hat Security Advisory: Red Hat Fuse 7.11.0 release and security update
A minor version update from 7.10 to 7.11 is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scorin...
nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
A regular expression denial of service ReDoS vulnerability was found in nodejs-ansi-regex. This could possibly cause an application using ansi-regex to use an excessive amount of CPU time when matching crafted ANSI escape codes...
Malicious Package
Overview nodejs-resilient-client is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this...
nodejs: Certificate Verification Bypass via String Injection
It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host...
nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
A flaw was found in the npm package "tar" aka node-tar. Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on...
Important: Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update
An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Bug Fixes and Enhancements: nodejs:12/nodejs: rebase...
validate-data denial-of-service vulnerability (CNVD-2022-66399)
validate-data is a NodeJs backend library by Anoop P R Individual Developer. It is used to validate data according to the provided rules. A denial of service vulnerability exists in validate-data version v0.1.1, which stems from not properly handling incoming error messages and can be exploited b...
Debian DSA-5170-1 : nodejs - security update
The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5170 advisory. - The parser in accepts requests with a space SP right after the header name before the colon. This can lead to HTTP Request Smuggling HRS in llhttp v2.1.4 and...
DSA-5170-1 nodejs - security update
Bulletin has no description...
Malicious Package
Overview heroku-nodejs-plugin is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this...
Malicious Package
Overview nodejs-email is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package was...
nodejs: Certificate Verification Bypass via String Injection
It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host...
nodejs: Improper handling of URI Subject Alternative Names
A flaw was found in node.js where it accepted a certificate's Subject Alternative Names SAN entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host...