Information disclosure
A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions...
CVE-2020-1694
Summary: CVE-2020-1694 affects Keycloak before 10.0.0 where the NodeJS adapter did not support verify-token-audience, enabling some users to access sensitive information outside their permissions. What’s affected: Keycloak (and Red Hat SSO built on Keycloak) with the NodeJS adapter lacking verify...
@cowlick/analyzer (>=0.9.0 <=0.9.1), @cowlick/kag-compiler (>=0.9.0 <=0.9.1) +4 more potentially affected by CVE-2020-8244 via bl (=2.0.1)
bl NPM version =2.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on bl and may be impacted: - @cowlick/analyzer =0.9.0, =0.9.0, =4.1.6, =1.2.0, =1.0.0, =1.0.0, =1.1.37 Source cves: CVE-2020-8244 Source advisory: OSV:GHSA-PP7H-53GX-MX7R...
alfred-material-manager (>=1.0.0 <=1.0.5) potentially affected by unknown CVE via alfred-workflow-nodejs (=2.0.4)
alfred-workflow-nodejs NPM version =2.0.4 is affected by a known vulnerability. The following packages have a transitive dependency on alfred-workflow-nodejs and may be impacted: - alfred-material-manager =1.0.0, =1.0.5 Source cves: unknown CVE Source advisory: SNYK:JS-ALFREDWORKFLOWNODEJS-608975...
Command Injection
Overview: alfred-workflow-nodejs is an Alfred workflow nodejs module. Affected versions of this package are vulnerable to Command Injection. It is possible to inject arbitrary commands by using a semicolon char in any of the key values. PoC: var AlfredNode = require('alfred-workflow-nodejs'); var util...
Oracle Linux 8 : nodejs:10 (ELSA-2020-0579)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-0579 advisory. - Rebase to 10.19.0 to fix CVE-2019-15604 to CVE-2019-15606 - Rebase to 10.16.3 to fix CVE-2019-9511 to CVE-2019-9518 Tenable has extracted the precedi...
Node.js: `fs.realpath.native` on darwin may cause buffer overflow
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: The libuv's implementation of...
grunt-kevoree (>=0.3.0 <=6.0.0-alpha.1), grunt-kevoree-registry (>=3.0.0 <=4.0.0-alpha) +9 more potentially affected by CVE-2020-7724 via tiny-conf (=1.1.0)
tiny-conf NPM version =1.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on tiny-conf and may be impacted: - grunt-kevoree =0.3.0, =3.0.0, =5.7.0, =4.0.0, =5.5.0-alpha, =0.3.0, =1.6.0, =1.0.0-alpha, =1.0.1, =1.0.0, =1.0.2 Source cves: CVE-2020-7724...
Prototype Pollution
Overview: tiny-conf is a Node.js configuration with files, environment variables, command-line arguments, ... pluggable architecture in order to work in the browser & server-side. Affected versions of this package are vulnerable to Prototype Pollution via the set function. PoC: const tinyConf =...
Fedora: Security Advisory for nodejs (FEDORA-2020-754b711a58)
The remote host is missing an update for the SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description)...
Oracle Linux 8 : nodejs:12 (ELSA-2020-1293)
The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2020-1293 advisory. - Fix CVE-2020-10531 Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note that Nessus has not tested for...
Oracle Linux 8 : nodejs:10 (ELSA-2020-1317)
The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2020-1317 advisory. - Rebase to 10.19.0 to fix CVE-2019-15604 to CVE-2019-15606 - Rebase to 10.16.3 to fix CVE-2019-9511 to CVE-2019-9518 Tenable has extracted the preceding...
Fedora: Security Advisory for nodejs (FEDORA-2020-fed59ab473)
The remote host is missing an update for the SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description)...
Oracle Linux 8 : nodejs:12 (ELSA-2020-2852)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-2852 advisory. - Fix CVE-2020-10531 Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note that Nessus has not...
CVE-2020-8116
A prototype pollution flaw was found in nodejs-dot-prop. The function set could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype, or __proto__ paths. The highest threat from this vulnerability is to data confidentiality and integrity as well a...
Fedora 32 : 1:nodejs (2020-754b711a58)
Update to 12.18.3. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. (C) Tenable Network Security, Inc...
Fedora 31 : 1:nodejs (2020-fed59ab473)
Update to 12.18.3. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. (C) Tenable Network Security, Inc...
Photon OS 1.0: Nodejs PHSA-2020-1.0-0312
An update of the nodejs package has been released. (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2020-1.0-0312. The text itself is copyright (C) VMware, Inc. include('compat.inc'); if (description) script_id(13950...
Photon OS 2.0: Nodejs PHSA-2020-2.0-0269
An update of the nodejs package has been released. (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2020-2.0-0269. The text itself is copyright (C) VMware, Inc. include('compat.inc'); if (description) script_id(13951...