11 matches found
CVE-2018-5407
CVE-2018-5407 is a PortSmash timing-side channel vulnerability in SMT/Hyper-Threading affecting OpenSSL. Local attackers could exploit a timing leakage during cryptographic operations to gain information. Documented in multiple advisories (e.g., ALAS/ALAS2 for OpenSSL) with remediation stating to...
CVE-2018-0734
CVE-2018-0734 (OpenSSL) describes a timing side-channel in the DSA signature algorithm that could enable private key recovery. The initial entry notes fixes in OpenSSL releases 1.1.1a (and 1.1.0j, 1.0.2q) for affected branches. Connected advisories (CloudLinux, Arch Linux, Amazon/Linux distributi...
CVE-2018-0732
CVE-2018-0732 : OpenSSL vulnerability where, during TLS handshakes using DH(E) ciphersuites, a malicious server could send an excessively large prime, causing the client to spend an unreasonably long time computing a key and hang (DoS). The issue is specific to DH parameters during the Server Key...
CVE-2018-12121
CVE-2018-12121 affects Node.js before versions 6.15.0, 8.14.0, 10.14.0 and 11.3.0. A Denial of Service can be triggered by sending many requests with maximum-sized HTTP headers (around 80 KB per connection) and carefully timed header completion, causing the HTTP server to abort due to heap alloca...
CVE-2018-12116
CVE-2018-12116 in Node.js is an HTTP request splitting vulnerability: if an unsanitized Unicode path is supplied, a second user-defined HTTP request can be generated to the same server. Affected are all Node.js versions prior to 6.15.0 and 8.14.0. The vulnerability may enable DoS and, per related...
CVE-2018-7159
CVE-2018-7159 affects the Node.js http-parser component: the HTTP parser ignores spaces in Content-Length, allowing Content-Length: 1 2 to be treated as 12. The risk is described as very low in the CVE entry, with exploitation considered difficult. Connected sources confirm this affects http-pars...
CVE-2018-7160
CVE-2018-7160 affects Node.js inspector (6.x and later) and describes a DNS rebinding vulnerability that enables remote code execution if a Node.js process has an open debug port on localhost or a local-network host. An attacker-originating website can trigger a DNS rebinding to bypass same-origi...
CVE-2018-12122
CVE-2018-12122 affects Node.js versions before 6.15.0, 8.14.0, 10.14.0 and 11.3.0. It enables a Slowloris-style DoS by sending HTTP/HTTPS headers very slowly, keeping connections alive and consuming resources. A 40-second headersTimeout patch (adjustable via server.headersTimeout) helps defend, a...
CVE-2018-12123
CVE-2018-12123 concerns Node.js: hostname spoofing in the URL parser for the javascript protocol when using url.parse(). Affected are Node.js versions prior to 6.15.0, 8.14.0, 10.14.0 and 11.3.0. The issue allows a mixed-case javascript: URL to spoof the hostname, potentially causing security dec...
CVE-2018-12115
CVE-2018-12115 is an out-of-bounds write in Node.js Buffer when using UCS-2/UTF-16LE encodings. Affected: all Node.js versions before 6.14.4, 8.11.4, and 10.9.0. Impact: writes starting near the buffer end can miscalculate max input length, enabling memory writes outside the buffer and potentiall...
CVE-2018-7161
CVE-2018-7161 affects Node.js 8.x–10.x. A DoS can be triggered by interacting with an http2 server in a way that exposes a cleanup bug where objects are used in native code after release. The issue is addressed by updating the http2 implementation. Connected advisories indicate the vulnerability ...