Important: Red Hat Security Advisory: Red Hat Single Sign-On 7.4.1 security update
A security update is now available for Red Hat Single Sign-On 7.4 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
CVE-2020-1694
A flaw was found in Keycloak, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions...
Denial of Service in nescalante/urlregex
Overview: urlregex is no-dependency URL validation for Node and the browser. This package is vulnerable to Regular Expression Denial of Service (ReDoS). An attacker providing a long string in String.test can cause a Denial of Service attack. PoC (node): `const urlRegex = require("urlregex"); const isValid =`...
CVE-2020-7676
An XSS flaw was found in nodejs-angular. The regex-based input HTML replacement may turn sanitized code into unsanitized code. Wrapping "" elements in "" ones changes parsing behavior, possibly leading to unsanitized code...
Node.js third-party modules: bunyan - RCE via insecure command formatting
I would like to report RCE in bunyan. It allows arbitrary commands remotely inside the victim's PC. Module: module name: bunyan; version: 1.8.12; npm page: https://www.npmjs.com/package/bunyan. Module Description: Bunyan is a simple and fast JSON logging library for node.js services. Module Stats: 920,19...
nodejs-sshpk: ReDoS when parsing crafted invalid public keys in lib/formats/ssh.js
sshpk is vulnerable to ReDoS when parsing crafted invalid public keys...
nodejs-deep-extend: Prototype pollution can allow attackers to modify object properties
The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all object...
nodejs-brace-expansion: Regular expression denial of service
index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters...
DEBIAN-CVE-2017-18869
A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks...
UBUNTU-CVE-2017-18869
A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks...
SUSE-SU-2020:1606-1 Security update for nodejs12
This update for nodejs12 fixes the following issues: nodejs12 was updated to version 12.18.0. - CVE-2020-8174: Fixed multiple memory corruptions in napi_get_value_string (bsc#1172443). - CVE-2020-8172: Fixed an issue where TLS session reuse could have led to host certificate verification bypass (bsc#117244...
Photon OS 1.0: Nodejs PHSA-2020-1.0-0298
An update of the nodejs package has been released. (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2020-1.0-0298. The text itself is copyright (C) VMware, Inc. `include("compat.inc"); if (description) { script_id(13732`...
SUSE-SU-2020:1576-1 Security update for nodejs8
This update for nodejs8 fixes the following issues: - CVE-2020-8174: Fixed multiple memory corruptions in napi_get_value_string (bsc#1172443). - CVE-2020-11080: Fixed a potential denial of service when receiving unreasonably large HTTP/2 SETTINGS frames (bsc#1172442). - CVE-2020-7598: Fixed an issue which...
SUSE-SU-2020:1568-1 Security update for nodejs10
This update for nodejs10 fixes the following issues: nodejs10 was updated to version 10.21.0. - CVE-2020-8174: Fixed multiple memory corruptions in napi_get_value_string (bsc#1172443). - CVE-2020-11080: Fixed a potential denial of service when receiving unreasonably large HTTP/2 SETTINGS frames (bsc#117244...
CVE-2020-8172
A TLS Hostname verification bypass vulnerability exists in NodeJS. This flaw allows an attacker to bypass TLS Hostname verification when a TLS client reuses HTTPS sessions...
CVE-2020-8174
A flaw was found in nodejs. Calling napi_get_value_string_latin1, napi_get_value_string_utf8, or napi_get_value_string_utf16 with a non-NULL buf and a bufsize of 0 will cause the entire string value to be written to buf, probably overrunning the length of the buffer...
Debian DSA-4696-1 : nodejs - security update
Two vulnerabilities were discovered in Node.js, which could result in denial of service and potentially the execution of arbitrary code. (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Debian Security Advisory DSA-4696. The text itself i...
Debian: Security Advisory (DSA-4696-1)
The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2020 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only `if(description)`...
DSA-4696-1 nodejs - security update
Bulletin has no description...
Arbitrary Code Execution
Overview: mosc is a simple inline object model builder for NodeJS. A small port exists for client-side JavaScript. Affected versions of this package are vulnerable to Arbitrary Code Execution. User input provided to the properties argument is executed by the eval function, resulting in code executio...