14 matches found
CVE-2022-0778
CVE-2022-0778 describes an infinite loop in BN_mod_sqrt() when parsing certain ASN.1 elliptic-curve parameters, enabling DoS during certificate or key processing. Affected OpenSSL versions include 1.0.2, 1.1.1, and 3.0 (specific ranges: 1.0.2 (1.0.2–1.0.2zc), 1.1.1 (1.1.1–1.1.1m), 3.0 (3.0.0–3.0....
CVE-2014-0224
CVE-2014-0224 describes an OpenSSL ChangeCipherSpec (CCS) handling flaw that can enable a Man-in-the-Middle to force use of weak key material in TLS/SSL sessions, allowing traffic decryption or modification between vulnerable client and server. The initial OpenSSL disclosures specify affected ser...
CVE-2018-5407
CVE-2018-5407 is a PortSmash timing-side channel vulnerability in SMT/Hyper-Threading affecting OpenSSL. Local attackers could exploit a timing leakage during cryptographic operations to gain information. Documented in multiple advisories (e.g., ALAS/ALAS2 for OpenSSL) with remediation stating to...
CVE-2020-8174
CVE-2020-8174 is a Node.js vulnerability where napi_get_value_string_*() can trigger memory corruption in affected releases. Affected are Node.js runtimes prior to 10.21.0, 12.18.0, and prior to 14.4.0. Documented mitigations/include patches update Node.js to 10.21.0, 12.18.2, and 14.4.0 respecti...
CVE-2024-3566
Technical details about CVE-2024-3566 are not provided in the connected documents. The initial description notes a command injection risk, but no affected products, versions, impact, or fixes are specified here. Monitor for updated technical disclosures.
CVE-2021-44531
CVE-2021-44531 affects Node.js and stems from improper handling of URI SAN types in X.509 certificate hostname verification. Older Node.js releases accepted URI SANs by default and could bypass name-constrained intermediates when PKIs aren’t defined for that SAN type; URI matching could also fail...
CVE-2016-6303
CVE-2016-6303 involves an overflow in MDC2_Update() in OpenSSL (pre-1.1.0). The vulnerability allows a remote attacker to crash the application via an out‑of‑bounds write, i.e., a denial of service, with potential other impacts depending on the context. Publicly documented fixed releases show Ope...
CVE-2021-44533
CVE-2021-44533 affects Node.js by improper handling of multi-value Relative Distinguished Names, potentially allowing bypass of certificate subject verification. Affected are Node.js versions < 12.22.9, < 14.18.3, < 16.13.2, and
CVE-2021-44532
CVE-2021-44532 affects Node.js where SAN handling converts Subject Alternative Names to a string to validate hostnames. The vulnerability allows bypass of certificate name constraints when present in a certificate chain. Affected versions include Node.js <12.22.9, <14.18.3, <16.13.2, and
CVE-2018-12115
CVE-2018-12115 is an out-of-bounds write in Node.js Buffer when using UCS-2/UTF-16LE encodings. Affected: all Node.js versions before 6.14.4, 8.11.4, and 10.9.0. Impact: writes starting near the buffer end can miscalculate max input length, enabling memory writes outside the buffer and potentiall...
CVE-2018-7167
CVE-2018-7167 targets Node.js Buffer APIs. Affected: Node.js 6.x, 8.x, and 9.x (LTS boron/carbon and 9.x) with Buffer.fill() or Buffer.alloc() can hang, potentially enabling a DoS. The vulnerability stems from parameters that trigger a hang instead of proceeding to zero-fill. The issue was addres...
CVE-2018-21270
CVE-2018-21270 affects the Node.js stringstream module: versions
CVE-2015-0278
CVE-2015-0278 affects libuv where setgroups is not invoked before setuid/setgid, enabling context-dependent privilege escalation. The vulnerability is present in libuv up to version prior to 0.10.34 and is also embedded in Node.js releases (e.g., IBM SDK for Node.js). Remediation per connected do...
CVE-2017-16024
The CVE-2017-16024 entry concerns the sync-exec module, used to simulate Node.js child_process.execSync in Node versions