Linux Distros Unpatched Vulnerability : CVE-2021-43616
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json...
Rocky Linux 8 : nodejs:16 (RLSA-2022:4796)
The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2022:4796 advisory. - DISPUTED The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from...
Weak Encryption
github.com/cheqd/cheqd-node is vulnerable to weak encryption. The vulnerability exists in package-lock.json because it does not properly validate the inter-blockchain communication protocol...
CVE-2023-34098
Shopware is an open source e-commerce software. Due to an incorrect configuration in the .htaccess file, the configuration file of the Javascript could be read in production environments themes/package-lock.json. With this information, the specific Shopware version in a deployment might be...
CVE-2023-34098
CVE-2023-34098 affects Shopware (open source e-commerce software). A misconfigured .htaccess allows reading the Javascript configuration file in production environments (themes/package-lock.json), enabling an attacker to determine the specific Shopware version deployed. This is an information‑disc...
CVE-2023-34098 Dependency configuration exposed in Shopware
Shopware is an open source e-commerce software. Due to an incorrect configuration in the .htaccess file, the configuration file of the Javascript could be read in production environments themes/package-lock.json. With this information, the specific Shopware version in a deployment might be...
Amazon Linux 2023 : nodejs, nodejs-devel, nodejs-full-i18n (ALAS2023-2023-084)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-084 advisory. An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations a...
SUSE CVE-2021-43616
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have bee...
Amazon Linux 2022 : nodejs, nodejs-devel, nodejs-full-i18n (ALAS2022-2022-048)
It is, therefore, affected by a vulnerability as referenced in the ALAS2022-2022-048 advisory. A flaw was found in npm. The npm ci command proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the...
Mageia: Security Advisory (MGASA-2022-0294)
The remote host is missing an update for the...
MAL-2022-5181 Malicious code in package-lock.json-dependency (npm)
Source: ghsa-malware 17f4f74e56327edc4722f9551e44e52c814f98d54ca2c810f2fcc1d988c8123f. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in package-lock.json-dependency (npm)
Source: ghsa-malware 17f4f74e56327edc4722f9551e44e52c814f98d54ca2c810f2fcc1d988c8123f. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
AlmaLinux 8 : nodejs:16 (ALSA-2022:4796)
The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2022:4796 advisory. npm: npm ci succeeds when package-lock.json doesn't match package.json CVE-2021-43616 Tenable has extracted the preceding description block directly from the...
CentOS 8 : nodejs:16 (CESA-2022:4796)
The remote CentOS Linux 8 host has a package installed that is affected by a vulnerability as referenced in the CESA-2022:4796 advisory. - npm: npm ci succeeds when package-lock.json doesn't match package.json CVE-2021-43616 Note that Nessus has not tested for this issue but has instead relied on...
CVE-2021-43616
A flaw was found in npm. The npm ci command proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation and makes it easier for attackers to install malware that was supposed to have been blocked...
Malicious Package
npm is a malicious package. An attacker can install malware through the library as it does not properly match the package-lock.json with package.json...
CVE-2021-43616
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have bee...
Design/Logic Flaw
DISPUTED The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to...