MiracleLinux 9 : nodejs-16.17.1-1.el9 (AXSA:2022-4091:01)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2022-4091:01 advisory. nodejs: weak randomness in WebCrypto keygen CVE-2022-35255 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields CVE-2022-35256...

EUVD-2018-16908

Malware in sbrugna...

EUVD-2017-16797

Malware in sbrugna...

EUVD-2022-38146

Malicious code in bioql PyPI...

EUVD-2023-0629

Malicious code in bioql PyPI...

BIT-NODE-MIN-2022-35255

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. There are two problems with this: 1 It does not check the return value, it assumes EntropySource always succeeds, but it can a...

BIT-NODE-2022-35255

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. There are two problems with this: 1 It does not check the return value, it assumes EntropySource always succeeds, but it can a...

Rocky Linux 8 : nodejs:18 (RLSA-2022:7821)

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:7821 advisory. - A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource in SecretKeyGenTraits::DoKeyGen in...

Internet Bug Bounty: Use of Cryptographically Weak Pseudo-Random Number Generator in WebCrypto keygen

A weak randomness vulnerability existed in WebCrypto keygen in Node.js 18, due to a change in EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. The vulnerability allowed for the possibility of non-cryptographically strong random data being used as keying material...

Denial Of Service (DoS)

node-jose is vulnerable to Denial Of Service DoS. The vulnerability exists due to an infinite loop in the internal calculation for some ECC operations when using the library's non-default "fallback" crypto back-end, when either WebCrypto or the crypto module is unavailable, which allows an attack...

Input validation

node-jose is a JavaScript implementation of the JSON Object Signing and Encryption JOSE for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in node-jose can trigger a Denial-of-Service DoS condition, due to a...

Improper calculations in ECC implementation can trigger a Denial-of-Service (DoS)

Description When using the non-default "fallback" crypto back-end, ECC operations in node-jose can trigger a Denial-of-Service DoS condition, due to a possible infinite loop in an internal calculation. For some ECC operations, this condition is triggered randomly; for others, it can be triggered ...

SUSE SLES15 / openSUSE 15 Security Update : nodejs18 (SUSE-SU-2023:0419-1)

The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0419-1 advisory. - A OS Command Injection vulnerability exists in Node.js versions 14.20.0, 16.20.0, 18.5.0 due to an insufficient...

SUSE CVE-2017-7822

The AES-GCM implementation in WebCrypto API accepts 0-length IV when it should require a length of 1 according to the NIST Special Publication 800-38D specification. This might allow for the authentication key to be determined in some instances. This vulnerability affects Firefox 56...

SUSE CVE-2018-5122

A potential integer overflow in the "DoCrypt" function of WebCrypto was identified. If a means was found of exploiting it, it could result in an out-of-bounds write. This vulnerability affects Firefox 58...

SUSE CVE-2022-35255

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. There are two problems with this: 1 It does not check the return value, it assumes EntropySource always succeeds, but it can a...

Rocky Linux 9 : nodejs (RLSA-2022:6963)

The remote Rocky Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:6963 advisory. - A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource in SecretKeyGenTraits::DoKeyGen in...

Debian DSA-5326-1 : nodejs - security update

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5326 advisory. - A OS Command Injection vulnerability exists in Node.js versions 14.20.0, 16.16.0, 18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed...

Fedora 35 : nodejs (2022-de515f765f)

The remote Fedora 35 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-de515f765f advisory. November 2022 Security Updates https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/ ---- September Security Updates for Node.js...

CVE-2022-35255

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. There are two problems with this: 1 It does not check the return value, it assumes EntropySource always succeeds, but it can a...