Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2024-544)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-544 advisory. 2024-03-13: CVE-2024-22025 was added to this advisory. The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file...

SUSE SLES15 Security Update : nodejs14 (SUSE-SU-2024:0732-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0732-1 advisory. - A vulnerability in the privateDecrypt API of the crypto library, allowed a covert timing side-channel during PKCS1 v1.5 padding...

CVE-2024-22017

A flaw was found in Node.js, where the setuid does not affect libuv's internal iouring operations if initialized before the call to setuid. This issue allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid...

SUSE CVE-2024-22017

setuid does not affect libuv's internal iouring operations if initialized before the call to setuid. This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid. This vulnerability affects all users using version greater or...

Node.js 20.x < 20.11.1, 21.x < 21.6.2 Multiple Vulnerabilities - Mac OS X

Node.js is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:nodejs:node.js"; ifdescription...

PT-2024-3904

Name of the Vulnerable Software and Affected Versions: Node.js versions 18.18.0 and later Node.js versions 20.4.0 and later Node.js versions 21 and later Description: The issue is related to the setuid function not affecting libuv's internal io uring operations if initialized before the call to...

Wednesday February 14 2024 Security Releases

Wednesday February 14 2024 Security Releases Update 14-February-2024 Security releases available Updates are now available for the v18.x, v20.x and v21.x Node.js release lines for the following issues. This security release includes the following dependency updates to address public...

NTFS-3G: buffer overflow issue in NTFS-3G can cause code execution via crafted metadata in an NTFS image

A buffer overflow flaw was found in NTFS-3G. This issue occurs via a crafted metadata in an NTFS image that can cause code execution. A local attacker can exploit this issue if the NTFS-3G binary is setuid root. A physically proximate attacker can exploit this issue if the NTFS-3G software is...

EulerOS 2.0 SP11 : golang (EulerOS-SA-2023-2842)

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which...

EulerOS 2.0 SP11 : screen (EulerOS-SA-2023-2667)

According to the versions of the screen package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - socket.c in GNU Screen through 4.9.0, when installed setuid or setgid the default on platforms such as Arch Linux and FreeBSD, allows local users...

EulerOS 2.0 SP11 : ncurses (EulerOS-SA-2023-2699)

According to the versions of the ncurses packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security- relevant memory corruption via malforme...

EulerOS 2.0 SP10 : golang (EulerOS-SA-2023-2786)

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The encoding/xml package in Go all versions does not correctly preserve the semantics of attribute namespace prefixes during tokenization...

EulerOS 2.0 SP11 : golang (EulerOS-SA-2023-2859)

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which...

EulerOS 2.0 SP10 : golang (EulerOS-SA-2023-2810)

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The encoding/xml package in Go all versions does not correctly preserve the semantics of attribute namespace prefixes during tokenization...

Siemens SCALANCE LPE9403 Incorrect Permission Assignment for Critical Resource (CVE-2021-41091)

A vulnerability was found in Moby Docker Engine where the data directory typically /var/lib/docker contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included...

cpio 2.13 Privilege Escalation

cpio privilege escalation vulnerability via setuid files in cpio archive Happy New Year, let in 2024 happiness be with you! : When extracting archives cpio at least version 2.13 preserves the setuid flag, which might lead to privilege escalation. One example is r00t extracts to /tmp/ and scidiot...

cpio 2.13 Privilege Escalation Vulnerability

cpio version 2.13 suffers from a privilege escalation vulnerability via setuid files in a cpio archive. cpio privilege escalation vulnerability via setuid files in cpio archive Happy New Year, let in 2024 happiness be with you! : When extracting archives cpio at least version 2.13 preserves the...

PT-2023-33072 · Lxd · Lxd

Name of the Vulnerable Software and Affected Versions: LXD affected versions not specified Description: A security issue allows users with restricted access to a project to gain root access on the system by creating a disk device with shift=true and creating a setuid root executable. This is...

Debian dla-3682 : lib32ncurses-dev - security update

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3682 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-3682-1 [email protected]...

ncurses: Local users can trigger security-relevant memory corruption via malformed data

A vulnerability was found in ncurses and occurs when used by a setuid application. This flaw allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable...