9 matches found
CVE-2017-3738
CVE-2017-3738 is an overflow bug in the AVX2 Montgomery multiplication used for 1024-bit moduli in OpenSSL. The issue affects x86_64 builds with AVX2 (not ADX) and can, in very unlikely cases, enable private-key recovery on affected architectures. OpenSSL 1.0.2n fixes the flaw; OpenSSL 1.1.0 is n...
CVE-2018-7159
CVE-2018-7159 affects the Node.js http-parser component: the HTTP parser ignores spaces in Content-Length, allowing Content-Length: 1 2 to be treated as 12. The risk is described as very low in the CVE entry, with exploitation considered difficult. Connected sources confirm this affects http-pars...
CVE-2018-7160
CVE-2018-7160 affects the Node.js inspector (6.x and later) and describes a DNS rebinding vulnerability that enables remote code execution if a Node.js process has an open debug port on localhost or a local-network host. An attacker-controlled website can trigger a DNS rebinding to bypass same-origi...
CVE-2018-1000168
CVE-2018-1000168 affects nghttp2 versions 1.10.0 through 1.31.0, where an improper input validation in ALTSVC frame handling can cause a segmentation fault and denial of service. The vulnerability is exploitable via network clients. Public advisories confirm the issue is fixed in nghttp2 >= 1....
CVE-2018-7167
CVE-2018-7167 affects the Node.js Buffer APIs. In Node.js 6.x, 8.x, and 9.x (LTS Boron/Carbon and 9.x), calls to Buffer.fill() or Buffer.alloc() can hang, potentially enabling a DoS. The vulnerability stems from parameters that trigger a hang instead of proceeding to zero-fill. The issue was addres...
CVE-2018-7161
CVE-2018-7161 affects Node.js 8.x–10.x. A DoS can be triggered by interacting with an http2 server in a way that exposes a cleanup bug where objects are used in native code after release. The issue is addressed by updating the http2 implementation. Connected advisories indicate the vulnerability ...
CVE-2017-15896
CVE-2017-15896 maps to OpenSSL CVE-2017-3737 (Read/write after SSL object in error state) affecting Node.js through its OpenSSL stack. The vulnerability allows an attacker to bypass TLS authentication/encryption by abusing SSL_read()/SSL_write() after a fatal error during a handshake, as describe...
CVE-2017-15897
CVE-2017-15897 affects Node.js versions 8.x and 9.x. The root cause is a buffer initialization bug where buffers were not initialized when the encoding for the fill value did not match the encoding specified, potentially allowing information disclosure. Public descriptions in connected docs corro...
CVE-2018-7162
CVE-2018-7162 affects Node.js 9.x and 10.x, where a TLS handshake with duplicate/unexpected messages can crash a Node.js HTTP server, causing DoS. The root cause is a TLS handling issue in vulnerable Node.js versions. The vulnerability is addressed by updating the TLS implementation. Affected software is...