Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ubuntuUbuntuUSN-4796-1
HistoryMar 15, 2021 - 12:00 a.m.

Node.js vulnerabilities

2021-03-1500:00:00
ubuntu.com
44

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.033 Low

EPSS

Percentile

91.1%

JSON

Releases

  • Ubuntu 18.04 ESM
  • Ubuntu 16.04 ESM
  • Ubuntu 14.04 ESM

Packages

  • nodejs - evented I/O for V8 javascript

Details

Alexander Minozhenko and James Bunton discovered that Node.js did not
properly handle wildcards in name fields of X.509 TLS certificates. An
attacker could use this vulnerability to execute a machine-in-the-middle-
attack. This issue only affected Ubuntu 14.04 ESM and 16.04 ESM. (CVE-2016-7099)

It was discovered that Node.js incorrectly handled certain NAPTR responses.
A remote attacker could possibly use this issue to cause applications using
Node.js to crash, resulting in a denial of service. This issue only affected
Ubuntu 16.04 ESM. (CVE-2017-1000381)

Nikita Skovoroda discovered that Node.js mishandled certain input, leading
to an out of bounds write. An attacker could use this vulnerability to
cause a denial of service (crash) or possibly execute arbitrary code. This
issue was only fixed in Ubuntu 18.04 ESM. (CVE-2018-12115)

Arkadiy Tetelman discovered that Node.js improperly handled certain
malformed HTTP requests. An attacker could use this vulnerability to inject
unexpected HTTP requests. This issue only affected Ubuntu 18.04 ESM.
(CVE-2018-12116)

Jan Maybach discovered that Node.js did not time out if incomplete
HTTP/HTTPS headers were received. An attacker could use this vulnerability
to cause a denial of service by keeping HTTP/HTTPS connections alive for a
long period of time. This issue was only fixed in Ubuntu 18.04 ESM.
(CVE-2018-12122)

Martin Bajanik discovered that the url.parse() method would return
incorrect results if it received specially crafted input. An attacker could
use this vulnerability to spoof the hostname and bypass hostname-specific
security controls. This issue was only fixed in Ubuntu 18.04 ESM.
(CVE-2018-12123)

It was discovered that Node.js is vulnerable to a DNS rebinding attack which
could be exploited to perform remote code execution. An attack is possible
from malicious websites open in a web browser with network access to the system
running the Node.js process. This issue only affected Ubuntu 18.04 ESM.
(CVE-2018-7160)

It was discovered that the Buffer.fill() and Buffer.alloc() methods
improperly handled certain inputs. An attacker could use this vulnerability
to cause a denial of service. This issue was only fixed in Ubuntu 18.04 ESM.
(CVE-2018-7167)

Marco Pracucci discovered that Node.js mishandled HTTP and HTTPS
connections. An attacker could use this vulnerability to cause a denial of
service. This issue was only fixed in Ubuntu 18.04 ESM. (CVE-2019-5737)

OSVersionArchitecturePackageVersionFilename
Ubuntu18.04noarchnodejs-dev< 8.10.0~dfsg-2ubuntu0.4+esm1UNKNOWN
Ubuntu18.04noarchnodejs< 8.10.0~dfsg-2ubuntu0.4UNKNOWN
Ubuntu18.04noarchnodejs-dbgsym< 8.10.0~dfsg-2ubuntu0.4UNKNOWN
Ubuntu18.04noarchnodejs-dev< 8.10.0~dfsg-2ubuntu0.4UNKNOWN
Ubuntu18.04noarchnodejs-doc< 8.10.0~dfsg-2ubuntu0.4UNKNOWN
Ubuntu18.04noarchnodejs-doc< 8.10.0~dfsg-2ubuntu0.4+esm1UNKNOWN
Ubuntu18.04noarchnodejs< 8.10.0~dfsg-2ubuntu0.4+esm1UNKNOWN
Ubuntu16.04noarchnodejs-dev< 4.2.6~dfsg-1ubuntu4.2+esm1UNKNOWN
Ubuntu16.04noarchnodejs< 4.2.6~dfsg-1ubuntu4.2UNKNOWN
Ubuntu16.04noarchnodejs-dbg< 4.2.6~dfsg-1ubuntu4.2UNKNOWN
Rows per page:
1-10 of 241

Related

osv 9
openvas 37
nessus 36
mageia 2
f5 3
redhat 3
ibm 20
suse 5
redhatcve 9
gentoo 1
altlinux 2
freebsd 1
nodejsblog 2
prion 7
alpinelinux 6
debiancve 8
cve 7
veracode 10
ubuntucve 8
huntr 1
fedora 10
debian 1
ubuntu 1
attackerkb 1
amazon 1
cloudfoundry 1
archlinux 1
cbl_mariner 5
hackerone 1
osv
osv
nodejs vulnerabilities
2021-03-15 21:18:37
CVE-2018-12115
2018-08-21 12:29:00
CVE-2017-1000381
2017-07-07 17:29:00
openvas
openvas
Ubuntu: Security Advisory (USN-4796-1)
2023-01-27 00:00:00
Mageia: Security Advisory (MGASA-2019-0277)
2022-01-28 00:00:00
SUSE: Security Advisory (SUSE-SU-2019:0118-1)
2021-06-09 00:00:00
nessus
nessus
Ubuntu 16.04 ESM / 18.04 ESM : Node.js vulnerabilities (USN-4796-1)
2023-10-16 00:00:00
F5 Networks BIG-IP : Node.js vulnerabilities (K000137093)
2023-10-02 00:00:00
SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2019:0118-1)
2019-01-22 00:00:00
mageia
mageia
Updated nodejs packages fix security vulnerabilities
2019-09-15 16:24:16
Updated c-ares packages fix security vulnerability
2017-07-23 22:58:56
f5
f5
K000137093 : Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116
2023-10-02 00:00:00
K000137090 : Node.js vulnerabilities CVE-2018-12121, CVE-2018-12122, and CVE-2018-12123
2023-10-02 00:00:00
K63025104 : NodeJS vulnerability CVE-2018-7160
2019-11-25 00:00:00
redhat
redhat
(RHSA-2019:1821) Important: rh-nodejs8-nodejs security update
2019-07-22 13:09:06
(RHSA-2018:2949) Important: rh-nodejs8-nodejs security update
2018-10-18 09:47:33
(RHSA-2018:2944) Important: rh-nodejs6-nodejs security update
2018-10-18 07:19:51
ibm
ibm
Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway
2019-02-20 18:30:01
Security Bulletin: API Connect is impacted by multiple nodeJS vulnerabilities (CVE-2018-12122 CVE-2018-12121 CVE-2018-12123 CVE-2018-12116)
2019-03-27 22:45:01
Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11
2020-03-23 20:41:52
suse
suse
Security update for nodejs8 (important)
2019-01-28 00:00:00
Security update for nodejs6 (important)
2019-02-22 00:00:00
Security update for nodejs4 (important)
2019-01-25 00:00:00
redhatcve
redhatcve
CVE-2019-5737
2020-03-01 07:37:24
CVE-2018-12115
2019-10-22 05:58:44
CVE-2018-12123
2020-02-02 02:37:48
gentoo
gentoo
Node.js: Multiple vulnerabilities
2020-03-20 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package node version 10.14.1-alt1
2018-11-30 00:00:00
Security fix for the ALT Linux 10 package node version 10.15.3-alt1
2019-03-09 00:00:00
freebsd
freebsd
node.js -- multiple vulnerabilities
2018-11-27 00:00:00
nodejsblog
nodejsblog
February 2019 Security Releases
2019-02-28 00:00:00
November 2018 Security Releases
2018-11-28 00:00:00
prion
prion
Design/Logic Flaw
2018-11-28 17:29:00
Design/Logic Flaw
2018-08-21 12:29:00
Design/Logic Flaw
2016-10-10 16:59:00
alpinelinux
alpinelinux
CVE-2018-12115
2018-08-21 12:29:00
CVE-2017-1000381
2017-07-07 17:29:00
CVE-2018-12116
2018-11-28 17:29:00
debiancve
debiancve
CVE-2018-12115
2018-08-21 12:29:00
CVE-2018-12123
2018-11-28 17:29:00
CVE-2016-7099
2016-10-10 16:59:00
cve
cve
CVE-2017-1000381
2017-07-07 17:29:00
CVE-2016-7099
2016-10-10 16:59:00
CVE-2018-12116
2018-11-28 17:29:00
veracode
veracode
Out-of-Bounds (OOB) Write
2018-08-17 07:37:44
Out-of-Bounds (OOB) Write
2019-01-15 09:26:04
Man-in-the-Middle (MitM)
2018-09-24 07:23:39
ubuntucve
ubuntucve
CVE-2016-7099
2016-10-10 00:00:00
CVE-2018-12123
2018-11-28 00:00:00
CVE-2018-12122
2018-11-28 00:00:00
huntr
huntr
hostname spoofing via javascript
2022-03-04 10:29:25
fedora
fedora
[SECURITY] Fedora 25 Update: nodejs-6.7.0-107.fc25
2016-10-09 03:20:39
[SECURITY] Fedora 24 Update: nodejs-4.8.4-6.fc24
2017-07-24 22:50:16
[SECURITY] Fedora 25 Update: nodejs-6.11.1-1.fc25
2017-07-25 00:29:04
debian
debian
[SECURITY] [DLA 998-1] c-ares security update
2017-06-22 20:13:18
ubuntu
ubuntu
c-ares vulnerability
2017-08-17 00:00:00
attackerkb
attackerkb
CVE-2018-12122
2018-11-28 00:00:00
amazon
amazon
Medium: c-ares
2017-07-20 01:22:00
cloudfoundry
cloudfoundry
Multiple Node.js Vulnerabilities | Cloud Foundry
2017-07-20 00:00:00
archlinux
archlinux
[ASA-201707-21] c-ares: information disclosure
2017-07-18 00:00:00
cbl_mariner
cbl_mariner
CVE-2018-12123 affecting package nodejs 8.11.4-7
2021-08-11 06:39:34
CVE-2019-5737 affecting package nodejs 8.11.4-7
2021-08-11 06:39:34
CVE-2018-12116 affecting package nodejs 8.11.4-7
2021-08-11 06:39:34
hackerone
hackerone
Node.js: Fix for CVE-2018-12122 can be bypassed via keep-alive requests
2018-12-01 10:03:22

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.033 Low

EPSS

Percentile

91.1%

JSON
Related for USN-4796-1
osv9openvas37nessus36mageia2f53redhat3ibm20suse5redhatcve9gentoo1altlinux2freebsd1nodejsblog2prion7alpinelinux6debiancve8cve7veracode10ubuntucve8huntr1fedora10debian1ubuntu1attackerkb1amazon1cloudfoundry1archlinux1cbl_mariner5hackerone1