4309 matches found

Tenable Nessus
added 2021/03/08 12:0 a.m. | 35 views

CentOS 8 : nodejs:14 (CESA-2021:0744)

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:0744 advisory. - nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion CVE-2021-22883 - nodejs: DNS rebinding in --inspect CVE-2021-22884 Note that Nessus...

CVSS 7.8 | AI score 7.6 | EPSS 0.89427
Exploits: 1 | References: 3

Tenable Nessus
added 2021/03/08 12:0 a.m. | 35 views

RHEL 8 : nodejs:12 (RHSA-2021:0740)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0740 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...

CVSS 7.8 | AI score 7.7 | EPSS 0.89427
Exploits: 1 | References: 6

Tenable Nessus
added 2021/03/08 12:0 a.m. | 34 views

RHEL 8 : nodejs:10 (RHSA-2021:0741)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0741 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...

CVSS 7.8 | AI score 7.7 | EPSS 0.89427
Exploits: 1 | References: 6

Tenable Nessus
added 2021/03/05 12:0 a.m. | 96 views

RHEL 8 : nodejs:12 (RHSA-2021:0734)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0734 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...

CVSS 7.8 | AI score 7.7 | EPSS 0.89427
Exploits: 1 | References: 6

RedHat Linux
added 2021/03/04 4:8 p.m. | 1 view

nodejs: DNS rebinding in --inspect

A flaw was found in nodejs. A denial of service is possible when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS over the network. If the attacker controls the victim's DNS server or can spoof its response...

CVSS 8.8 | AI score 7 | EPSS 0.01501
Exploits: 1 | References: 4

RedHat Linux
added 2021/03/04 4:8 p.m. | 1 view

nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion

A flaw was found in nodejs. When too many connection attempts with an 'unknownProtocol' are established a leak of file descriptors can occur leading to a potential denial of service. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and...

CVSS 7.8 | AI score 7.3 | EPSS 0.89427
Exploits: 0 | References: 4

RedHat Linux
added 2021/03/04 4:3 p.m. | 99 views

Important: Red Hat Security Advisory: nodejs:12 security update

An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

CVSS 7.8 | AI score 6.9 | EPSS 0.89427
Exploits: 1 | References: 3

Tenable Nessus
added 2021/03/04 12:0 a.m. | 28 views

RHEL 8 : nodejs:10 (RHSA-2021:0735)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0735 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...

CVSS 7.8 | AI score 7.7 | EPSS 0.89427
Exploits: 1 | References: 6

Tenable Nessus
added 2021/03/04 12:0 a.m. | 37 views

CentOS 8 : nodejs:12 (CESA-2021:0734)

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:0734 advisory. - nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion CVE-2021-22883 - nodejs: DNS rebinding in --inspect CVE-2021-22884 Note that Nessus...

CVSS 7.8 | AI score 7.6 | EPSS 0.89427
Exploits: 1 | References: 3

OSV
added 2021/03/03 6:15 p.m. | 1 view

DEBIAN-CVE-2021-22884

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DN...

CVSS 7.5 | AI score 7 | EPSS 0.0027
Exploits: 1 | References: 1

OSV
added 2021/03/03 6:15 p.m. | 1 view

DEBIAN-CVE-2021-22883

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unabl...

CVSS 7.5 | AI score 6.8 | EPSS 0.89427
Exploits: 0 | References: 1

RedhatCVE
added 2021/03/03 10:34 a.m. | 16 views

CVE-2021-27516

A flaw was found in nodejs-urijs where URI.js urijs mishandles certain uses of the backslash such as http:/ and interprets the URI as a relative path. The highest threat from this vulnerability is to confidentiality...

CVSS 7.5 | AI score 0.9 | EPSS 0.00552
Exploits: 1 | References: 3

vulnersOsv
added 2021/03/03 2:3 a.m. | 0 views

@3kmfi6hp/nodejs-proxy (>=1.0.0 <=1.0.4), @aarhus-university/au-designsystem-delphinus (>=1.0.0 <=1.2.0) +342 more potentially affected by CVE-2021-21353 via pug-code-gen (>=0.0.0 <=1.1.1)

pug-code-gen NPM version =0.0.0, =1.0.0, =1.0.0, =1.0.0, =2.0.0, =0.2.0, =0.0.1, =0.0.2, =0.8.10, =0.0.9, =1.0.0, =2.1.1-alpha.1 and more Source cves: CVE-2021-21353 Source advisory: OSV:GHSA-P493-635Q-R6GR...

CVSS 9 | AI score 7.2 | EPSS 0.01857
Exploits: 1

OSV
added 2021/03/02 8:41 a.m. | 4 views

SUSE-SU-2021:0673-1 Security update for nodejs10

This update for nodejs10 fixes the following issues: New upstream LTS version 10.24.0: - CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion bsc1182619 - CVE-2021-22884: DNS rebinding in --inspect bsc1182620 - CVE-2021-23840: OpenSSL - Integer overflow in...

CVSS 7.8 | AI score 7.8 | EPSS 0.89427
Exploits: 1 | References: 7

OSV
added 2021/02/27 9:33 p.m. | 6 views

OPENSUSE-SU-2021:0357-1 Security update for nodejs12

This update for nodejs12 fixes the following issues: New upstream LTS version 12.21.0: - CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion bsc1182619 - CVE-2021-22884: DNS rebinding in --inspect bsc1182620 - CVE-2021-23840: OpenSSL - Integer overflow in...

CVSS 7.8 | AI score 7.8 | EPSS 0.89427
Exploits: 1 | References: 7

NVD
added 2021/02/26 5:15 p.m. | 15 views

CVE-2021-21298

Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with projects.read permission is able to access any file via t...

CVSS 6.5 | EPSS 0.00365
Exploits: 0 | References: 4

CVE
added 2021/02/26 4:25 p.m. | 66 views

CVE-2021-21298

CVE-2021-21298 affects Node-RED up to v1.2.7 with a path traversal vulnerability via the Projects API. When the Projects feature is enabled, a user with projects.read can access arbitrary files through the Projects API. The issue has been fixed in Node-RED v1.2.8. The vulnerability applies only t...

CVSS 6.5 | AI score 5 | EPSS 0.00365
Exploits: 0 | References: 4 | Affected Software: 1

Cvelist
added 2021/02/26 4:25 p.m. | 12 views

CVE-2021-21298 Path traversal in Node-Red

Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with projects.read permission is able to access any file via t...

CVSS 3.5 | AI score 6.5 | EPSS 0.00365
Exploits: 0 | References: 4

Cvelist
added 2021/02/26 4:20 p.m. | 15 views

CVE-2021-21297 Prototype Pollution in Node-Red

Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default...

CVSS 7.7 | AI score 7.7 | EPSS 0.0023
Exploits: 0 | References: 4

CVE
added 2021/02/26 4:20 p.m. | 60 views

CVE-2021-21297

Node-RED CVE-2021-21297 affects Node-RED 1.2.7 and earlier, with a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object, potentially altering Node-RED runtime behavior. The issue is fixed in version 1.2.8; a practical...

CVSS 7.7 | AI score 6.5 | EPSS 0.0023
Exploits: 0 | References: 4 | Affected Software: 1