10 matches found
CVE-2020-1971
CVE-2020-1971 is described across multiple connected sources as a NULL-dereference in OpenSSL’s GENERAL_NAME_cmp when EDIPARTYNAME is present, potentially enabling a denial-of-service crash. Affected OpenSSL versions include all 1.1.1 and 1.0.2 lines; fixes are published in OpenSSL 1.1.1i and Ope...
CVE-2021-3449
CVE-2021-3449 affects OpenSSL 1.1.1.x where a TLSv1.2 server may crash (DoS) if it receives a renegotiation ClientHello that omits the signature_algorithms extension but includes signature_algorithms_cert. The issue is a NULL pointer dereference leading to a denial of service; OpenSSL clients are...
CVE-2021-23840
CVE-2021-23840 describes an integer-length overflow in EVP_CipherUpdate, EVP_EncryptUpdate, and EVP_DecryptUpdate that can cause a negative output length value when input length is near the platform’s integer limit. This can lead to application crashes or incorrect behavior. Affected OpenSSL rele...
CVE-2021-3450
CVE-2021-3450 affects OpenSSL 1.1.1h–1.1.1j where a bug in the X509_V_FLAG_X509_STRICT path overwrote a prior CA-check result, bypassing the non-CA certificates prohibition unless a programmed purpose is used. When a purpose is configured, the certificate chain is still rejected; the issue is fix...
CVE-2020-8287
CVE-2020-8287 affects Node.js releases prior to 10.23.1, 12.20.1, 14.15.4, and 15.5.1, where two copies of an HTTP header field (e.g., two Transfer-Encoding headers) can be parsed incorrectly. The first header is kept and the second ignored, enabling HTTP Request Smuggling. Documentation in conne...
CVE-2020-8277
CVE-2020-8277 centers on a DoS due to DNS resolution behavior in Node.js (triggering requests that cause many DNS responses). Public details in the initial CVE describe the impact and fixed versions: Node.js releases 15.2.1, 14.15.1, and 12.19.1 address the issue. Connected documents show affecte...
CVE-2021-22884
CVE-2021-22884 affects Node.js runtimes prior to 10.24.0, 12.21.0, 14.16.0 and 15.10.0, where the DNS rebinding protection can be bypassed due to a whitelist entry for “localhost6”. If an attacker controls or spoofs the victim’s DNS responses, they can exploit the DNS rebinding weakness to connec...
CVE-2021-22883
Node.js versions prior to 10.24.0, 12.21.0, 14.16.0, and 15.10.0 are vulnerable to a denial-of-service from excessive unknownProtocol connection attempts, causing file descriptor leaks and potential memory exhaustion. Affected releases can be mitigated by upgrading to patched releases (e.g., Node...
CVE-2020-8265
The CVE-2020-8265 issue is a use-after-free in Node.js TLS handling that affects 10.x, 12.x, 14.x, and 15.x lines. The vulnerability arises when writing to a TLS-enabled socket: node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap; if DoWrite returns no error, t...
CVE-2022-35255
CVE-2022-35255 describes a weakness in Node.js 18 WebCrypto key generation where EntropySource() is invoked but its return value is not checked, and the data returned may not be cryptographically strong. The underlying issue occurs in SecretKeyGenTraits::DoKeyGen() and can lead to weaker key mate...