All the vulnerabilites related to The Node.js Project - Node.js
cve-2018-7162
Vulnerability from cvelistv5
Published
2018-06-13 16:00
Modified
2024-09-16 19:46
Severity ?
EPSS score ?
Summary
All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshake. This vulnerability has been addressed by updating the TLS implementation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/ | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/104468 | vdb-entry, x_refsource_BID | |
| https://security.gentoo.org/glsa/202003-48 | vendor-advisory, x_refsource_GENTOO |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| The Node.js Project | Node.js |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:24:11.187Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"
},
{
"name": "104468",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104468"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "9.x+"
},
{
"status": "affected",
"version": "10.x+"
}
]
}
],
"datePublic": "2018-06-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshake. This vulnerability has been addressed by updating the TLS implementation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T20:06:06",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"
},
{
"name": "104468",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104468"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"DATE_PUBLIC": "2018-06-12T00:00:00",
"ID": "CVE-2018-7162",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "9.x+"
},
{
"version_value": "10.x+"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshake. This vulnerability has been addressed by updating the TLS implementation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"
},
{
"name": "104468",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104468"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-7162",
"datePublished": "2018-06-13T16:00:00Z",
"dateReserved": "2018-02-15T00:00:00",
"dateUpdated": "2024-09-16T19:46:23.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-7159
Vulnerability from cvelistv5
Published
2018-05-17 14:00
Modified
2024-09-17 01:06
Severity ?
EPSS score ?
Summary
The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete.
References
| ▼ | URL | Tags |
|---|---|---|
| https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ | x_refsource_CONFIRM | |
| https://access.redhat.com/errata/RHSA-2019:2258 | vendor-advisory, x_refsource_REDHAT | |
| https://support.f5.com/csp/article/K27228191?utm_source=f5support&%3Butm_medium=RSS | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| The Node.js Project | Node.js |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:24:10.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/"
},
{
"name": "RHSA-2019:2258",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2258"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K27228191?utm_source=f5support\u0026amp%3Butm_medium=RSS"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "4.x"
},
{
"status": "affected",
"version": "6.x"
},
{
"status": "affected",
"version": "8.x"
},
{
"status": "affected",
"version": "9.x"
}
]
}
],
"datePublic": "2018-03-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-115",
"description": "CWE-115: Misinterpretation of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-09T19:07:41",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/"
},
{
"name": "RHSA-2019:2258",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2258"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.f5.com/csp/article/K27228191?utm_source=f5support\u0026amp%3Butm_medium=RSS"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"DATE_PUBLIC": "2018-03-21T00:00:00",
"ID": "CVE-2018-7159",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "4.x"
},
{
"version_value": "6.x"
},
{
"version_value": "8.x"
},
{
"version_value": "9.x"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-115: Misinterpretation of Input"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/"
},
{
"name": "RHSA-2019:2258",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2258"
},
{
"name": "https://support.f5.com/csp/article/K27228191?utm_source=f5support\u0026amp;utm_medium=RSS",
"refsource": "CONFIRM",
"url": "https://support.f5.com/csp/article/K27228191?utm_source=f5support\u0026amp;utm_medium=RSS"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-7159",
"datePublished": "2018-05-17T14:00:00Z",
"dateReserved": "2018-02-15T00:00:00",
"dateUpdated": "2024-09-17T01:06:04.658Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-12122
Vulnerability from cvelistv5
Published
2018-11-28 17:00
Modified
2024-08-05 08:24
Severity ?
EPSS score ?
Summary
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.
References
| ▼ | URL | Tags |
|---|---|---|
| https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/106043 | vdb-entry, x_refsource_BID | |
| https://access.redhat.com/errata/RHSA-2019:1821 | vendor-advisory, x_refsource_REDHAT | |
| https://security.gentoo.org/glsa/202003-48 | vendor-advisory, x_refsource_GENTOO |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| The Node.js Project | Node.js |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:24:03.654Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106043",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106043"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"
}
]
}
],
"datePublic": "2018-11-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption / Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T20:06:05",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106043",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106043"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2018-12122",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption / Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106043",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106043"
},
{
"name": "RHSA-2019:1821",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-12122",
"datePublished": "2018-11-28T17:00:00",
"dateReserved": "2018-06-11T00:00:00",
"dateUpdated": "2024-08-05T08:24:03.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-7164
Vulnerability from cvelistv5
Published
2018-06-13 16:00
Modified
2024-09-17 00:56
Severity ?
EPSS score ?
Summary
Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession. This vulnerability was restored by reverting to the prior behaviour.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/104463 | vdb-entry, x_refsource_BID | |
| https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/ | x_refsource_CONFIRM | |
| https://security.gentoo.org/glsa/202003-48 | vendor-advisory, x_refsource_GENTOO |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| The Node.js Project | Node.js |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:24:10.469Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "104463",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104463"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "9.7.X+"
},
{
"status": "affected",
"version": "10.x+"
}
]
}
],
"datePublic": "2018-06-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession. This vulnerability was restored by reverting to the prior behaviour."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T20:06:08",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"name": "104463",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104463"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"DATE_PUBLIC": "2018-06-12T00:00:00",
"ID": "CVE-2018-7164",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "9.7.X+"
},
{
"version_value": "10.x+"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession. This vulnerability was restored by reverting to the prior behaviour."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "104463",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104463"
},
{
"name": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-7164",
"datePublished": "2018-06-13T16:00:00Z",
"dateReserved": "2018-02-15T00:00:00",
"dateUpdated": "2024-09-17T00:56:13.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-7166
Vulnerability from cvelistv5
Published
2018-08-21 13:00
Modified
2024-09-17 00:26
Severity ?
EPSS score ?
Summary
In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a number, this is misinterpreted by `Buffer's` internal "fill" method as the `start` to a fill operation. This flaw may be abused where `Buffer.alloc()` arguments are derived from user input to return uncleared memory blocks that may contain sensitive information.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2018:2553 | vendor-advisory, x_refsource_REDHAT | |
| https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/ | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| The Node.js Project | Node.js |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:24:11.399Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2018:2553",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2553"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "All versions of Node.js 10 prior to 10.9.0"
}
]
}
],
"datePublic": "2018-08-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a number, this is misinterpreted by `Buffer\u0027s` internal \"fill\" method as the `start` to a fill operation. This flaw may be abused where `Buffer.alloc()` arguments are derived from user input to return uncleared memory blocks that may contain sensitive information."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-226",
"description": "CWE-226: Sensitive Information Uncleared Before Release",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-08-23T09:57:01",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"name": "RHSA-2018:2553",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2553"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"DATE_PUBLIC": "2018-08-12T00:00:00",
"ID": "CVE-2018-7166",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions of Node.js 10 prior to 10.9.0"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a number, this is misinterpreted by `Buffer\u0027s` internal \"fill\" method as the `start` to a fill operation. This flaw may be abused where `Buffer.alloc()` arguments are derived from user input to return uncleared memory blocks that may contain sensitive information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-226: Sensitive Information Uncleared Before Release"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2018:2553",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2553"
},
{
"name": "https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-7166",
"datePublished": "2018-08-21T13:00:00Z",
"dateReserved": "2018-02-15T00:00:00",
"dateUpdated": "2024-09-17T00:26:00.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-7158
Vulnerability from cvelistv5
Published
2018-05-17 14:00
Modified
2024-09-16 16:48
Severity ?
EPSS score ?
Summary
The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service.
References
| ▼ | URL | Tags |
|---|---|---|
| https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| The Node.js Project | Node.js |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:24:10.491Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "4.x"
}
]
}
],
"datePublic": "2018-03-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The `\u0027path\u0027` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `\u0027path\u0027` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-185",
"description": "CWE-185: Incorrect Regular Expression",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-17T13:57:01",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"DATE_PUBLIC": "2018-03-21T00:00:00",
"ID": "CVE-2018-7158",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "4.x"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The `\u0027path\u0027` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `\u0027path\u0027` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-185: Incorrect Regular Expression"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-7158",
"datePublished": "2018-05-17T14:00:00Z",
"dateReserved": "2018-02-15T00:00:00",
"dateUpdated": "2024-09-16T16:48:51.289Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-12115
Vulnerability from cvelistv5
Published
2018-08-21 13:00
Modified
2024-09-16 16:48
Severity ?
EPSS score ?
Summary
In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that start from the second-to-last position of a buffer cause a miscalculation of the maximum length of the input bytes to be written.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/105127 | vdb-entry, x_refsource_BID | |
| https://access.redhat.com/errata/RHSA-2018:2552 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2018:2553 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2018:2944 | vendor-advisory, x_refsource_REDHAT | |
| https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/ | x_refsource_CONFIRM | |
| https://access.redhat.com/errata/RHSA-2018:3537 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2018:2949 | vendor-advisory, x_refsource_REDHAT | |
| https://security.gentoo.org/glsa/202003-48 | vendor-advisory, x_refsource_GENTOO |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| The Node.js Project | Node.js |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:24:03.759Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "105127",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/105127"
},
{
"name": "RHSA-2018:2552",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2552"
},
{
"name": "RHSA-2018:2553",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2553"
},
{
"name": "RHSA-2018:2944",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2944"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/"
},
{
"name": "RHSA-2018:3537",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3537"
},
{
"name": "RHSA-2018:2949",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2949"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "All versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0"
}
]
}
],
"datePublic": "2018-08-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `\u0027ucs2\u0027`, `\u0027ucs-2\u0027`, `\u0027utf16le\u0027` and `\u0027utf-16le\u0027`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that start from the second-to-last position of a buffer cause a miscalculation of the maximum length of the input bytes to be written."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T20:06:12",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"name": "105127",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/105127"
},
{
"name": "RHSA-2018:2552",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2552"
},
{
"name": "RHSA-2018:2553",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2553"
},
{
"name": "RHSA-2018:2944",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2944"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/"
},
{
"name": "RHSA-2018:3537",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3537"
},
{
"name": "RHSA-2018:2949",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2949"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"DATE_PUBLIC": "2018-08-12T00:00:00",
"ID": "CVE-2018-12115",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `\u0027ucs2\u0027`, `\u0027ucs-2\u0027`, `\u0027utf16le\u0027` and `\u0027utf-16le\u0027`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that start from the second-to-last position of a buffer cause a miscalculation of the maximum length of the input bytes to be written."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-787: Out-of-bounds Write"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "105127",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/105127"
},
{
"name": "RHSA-2018:2552",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2552"
},
{
"name": "RHSA-2018:2553",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2553"
},
{
"name": "RHSA-2018:2944",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2944"
},
{
"name": "https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/"
},
{
"name": "RHSA-2018:3537",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3537"
},
{
"name": "RHSA-2018:2949",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2949"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-12115",
"datePublished": "2018-08-21T13:00:00Z",
"dateReserved": "2018-06-11T00:00:00",
"dateUpdated": "2024-09-16T16:48:58.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-12123
Vulnerability from cvelistv5
Published
2018-11-28 17:00
Modified
2024-08-05 08:24
Severity ?
EPSS score ?
Summary
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.
References
| ▼ | URL | Tags |
|---|---|---|
| https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ | x_refsource_CONFIRM | |
| https://access.redhat.com/errata/RHSA-2019:1821 | vendor-advisory, x_refsource_REDHAT | |
| https://security.gentoo.org/glsa/202003-48 | vendor-advisory, x_refsource_GENTOO |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| The Node.js Project | Node.js |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:24:03.774Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"
}
]
}
],
"datePublic": "2018-11-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case \"javascript:\" (e.g. \"javAscript:\") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-115",
"description": "CWE-115: Misinterpretation of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T20:06:13",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2018-12123",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case \"javascript:\" (e.g. \"javAscript:\") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-115: Misinterpretation of Input"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "RHSA-2019:1821",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-12123",
"datePublished": "2018-11-28T17:00:00",
"dateReserved": "2018-06-11T00:00:00",
"dateUpdated": "2024-08-05T08:24:03.774Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-15896
Vulnerability from cvelistv5
Published
2017-12-11 21:00
Modified
2024-09-16 19:50
Severity ?
EPSS score ?
Summary
Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.
References
| ▼ | URL | Tags |
|---|---|---|
| https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/ | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| The Node.js Project | Node.js |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:04:50.477Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "4.0.0 and higher"
},
{
"status": "affected",
"version": "6.0.0 and higher"
},
{
"status": "affected",
"version": "8.0.0 and higher"
},
{
"status": "affected",
"version": "9.0.0 and higher"
}
]
}
],
"datePublic": "2017-12-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Data Confidentiality/Integrity",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-11T20:57:01",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"DATE_PUBLIC": "2017-12-07T00:00:00",
"ID": "CVE-2017-15896",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "4.0.0 and higher"
},
{
"version_value": "6.0.0 and higher"
},
{
"version_value": "8.0.0 and higher"
},
{
"version_value": "9.0.0 and higher"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Data Confidentiality/Integrity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2017-15896",
"datePublished": "2017-12-11T21:00:00Z",
"dateReserved": "2017-10-25T00:00:00",
"dateUpdated": "2024-09-16T19:50:49.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-7161
Vulnerability from cvelistv5
Published
2018-06-13 16:00
Modified
2024-09-17 01:06
Severity ?
EPSS score ?
Summary
All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug where objects are used in native code after they are no longer available. This has been addressed by updating the http2 implementation.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/106363 | vdb-entry, x_refsource_BID | |
| https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/ | x_refsource_CONFIRM | |
| https://security.gentoo.org/glsa/202003-48 | vendor-advisory, x_refsource_GENTOO |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| The Node.js Project | Node.js |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:24:10.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "106363",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106363"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "8.x+"
},
{
"status": "affected",
"version": "9.x+"
},
{
"status": "affected",
"version": "10.x+"
}
]
}
],
"datePublic": "2018-06-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug where objects are used in native code after they are no longer available. This has been addressed by updating the http2 implementation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T20:06:11",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"name": "106363",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106363"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"DATE_PUBLIC": "2018-06-12T00:00:00",
"ID": "CVE-2018-7161",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "8.x+"
},
{
"version_value": "9.x+"
},
{
"version_value": "10.x+"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug where objects are used in native code after they are no longer available. This has been addressed by updating the http2 implementation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "106363",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106363"
},
{
"name": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-7161",
"datePublished": "2018-06-13T16:00:00Z",
"dateReserved": "2018-02-15T00:00:00",
"dateUpdated": "2024-09-17T01:06:27.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-12121
Vulnerability from cvelistv5
Published
2018-11-28 17:00
Modified
2024-08-05 08:24
Severity ?
EPSS score ?
Summary
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.
References
| ▼ | URL | Tags |
|---|---|---|
| https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/106043 | vdb-entry, x_refsource_BID | |
| https://access.redhat.com/errata/RHSA-2019:1821 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2019:2258 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2019:3497 | vendor-advisory, x_refsource_REDHAT | |
| https://security.gentoo.org/glsa/202003-48 | vendor-advisory, x_refsource_GENTOO |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| The Node.js Project | Node.js |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:24:03.906Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106043",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106043"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "RHSA-2019:2258",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2258"
},
{
"name": "RHSA-2019:3497",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3497"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"
}
]
}
],
"datePublic": "2018-11-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption / Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T20:06:06",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106043",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106043"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "RHSA-2019:2258",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2258"
},
{
"name": "RHSA-2019:3497",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3497"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2018-12121",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption / Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106043",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106043"
},
{
"name": "RHSA-2019:1821",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "RHSA-2019:2258",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2258"
},
{
"name": "RHSA-2019:3497",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3497"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-12121",
"datePublished": "2018-11-28T17:00:00",
"dateReserved": "2018-06-11T00:00:00",
"dateUpdated": "2024-08-05T08:24:03.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-12116
Vulnerability from cvelistv5
Published
2018-11-28 17:00
Modified
2024-08-05 08:24
Severity ?
EPSS score ?
Summary
Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.
References
| ▼ | URL | Tags |
|---|---|---|
| https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ | x_refsource_CONFIRM | |
| https://access.redhat.com/errata/RHSA-2019:1821 | vendor-advisory, x_refsource_REDHAT | |
| https://security.gentoo.org/glsa/202003-48 | vendor-advisory, x_refsource_GENTOO |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| The Node.js Project | Node.js |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:24:03.673Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "All versions prior to Node.js 6.15.0 and 8.14.0"
}
]
}
],
"datePublic": "2018-11-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-115",
"description": "CWE-115: Misinterpretation of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T20:06:04",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2018-12116",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to Node.js 6.15.0 and 8.14.0"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-115: Misinterpretation of Input"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "RHSA-2019:1821",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-12116",
"datePublished": "2018-11-28T17:00:00",
"dateReserved": "2018-06-11T00:00:00",
"dateUpdated": "2024-08-05T08:24:03.673Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-7167
Vulnerability from cvelistv5
Published
2018-06-13 16:00
Modified
2024-09-17 02:00
Severity ?
EPSS score ?
Summary
Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/106363 | vdb-entry, x_refsource_BID | |
| https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/ | x_refsource_CONFIRM | |
| https://security.gentoo.org/glsa/202003-48 | vendor-advisory, x_refsource_GENTOO |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| The Node.js Project | Node.js |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:24:10.496Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "106363",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106363"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "6.x+"
},
{
"status": "affected",
"version": "8.x+"
},
{
"status": "affected",
"version": "9.x+"
},
{
"status": "affected",
"version": "10.x+"
}
]
}
],
"datePublic": "2018-06-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS \"Boron\"), 8.x (LTS \"Carbon\"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T20:06:09",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"name": "106363",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106363"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"DATE_PUBLIC": "2018-06-12T00:00:00",
"ID": "CVE-2018-7167",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "6.x+"
},
{
"version_value": "8.x+"
},
{
"version_value": "9.x+"
},
{
"version_value": "10.x+"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS \"Boron\"), 8.x (LTS \"Carbon\"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "106363",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106363"
},
{
"name": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-7167",
"datePublished": "2018-06-13T16:00:00Z",
"dateReserved": "2018-02-15T00:00:00",
"dateUpdated": "2024-09-17T02:00:52.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-15897
Vulnerability from cvelistv5
Published
2017-12-11 21:00
Modified
2024-09-17 03:42
Severity ?
EPSS score ?
Summary
Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.
References
| ▼ | URL | Tags |
|---|---|---|
| https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/ | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| The Node.js Project | Node.js |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:04:50.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "8.0 and higher"
},
{
"status": "affected",
"version": "9.0 and higher"
}
]
}
],
"datePublic": "2017-12-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, \u0027Buffer.alloc(0x100, \"This is not correctly encoded\", \"hex\");\u0027 The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Un-initialized Data",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-11T20:57:01",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"DATE_PUBLIC": "2017-12-07T00:00:00",
"ID": "CVE-2017-15897",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "8.0 and higher"
},
{
"version_value": "9.0 and higher"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, \u0027Buffer.alloc(0x100, \"This is not correctly encoded\", \"hex\");\u0027 The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Un-initialized Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2017-15897",
"datePublished": "2017-12-11T21:00:00Z",
"dateReserved": "2017-10-25T00:00:00",
"dateUpdated": "2024-09-17T03:42:59.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-7160
Vulnerability from cvelistv5
Published
2018-05-17 14:00
Modified
2024-09-17 01:35
Severity ?
EPSS score ?
Summary
The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.oracle.com//security-alerts/cpujul2021.html | x_refsource_MISC | |
| https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ | x_refsource_CONFIRM | |
| https://support.f5.com/csp/article/K63025104?utm_source=f5support&%3Butm_medium=RSS | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| The Node.js Project | Node.js |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:24:10.499Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K63025104?utm_source=f5support\u0026amp%3Butm_medium=RSS"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "^6.0.0 || ^8.0.0 || ^9.0.0"
}
]
}
],
"datePublic": "2018-03-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-350",
"description": "CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-20T22:53:16",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.f5.com/csp/article/K63025104?utm_source=f5support\u0026amp%3Butm_medium=RSS"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"DATE_PUBLIC": "2018-03-21T00:00:00",
"ID": "CVE-2018-7160",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "^6.0.0 || ^8.0.0 || ^9.0.0"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/"
},
{
"name": "https://support.f5.com/csp/article/K63025104?utm_source=f5support\u0026amp;utm_medium=RSS",
"refsource": "CONFIRM",
"url": "https://support.f5.com/csp/article/K63025104?utm_source=f5support\u0026amp;utm_medium=RSS"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-7160",
"datePublished": "2018-05-17T14:00:00Z",
"dateReserved": "2018-02-15T00:00:00",
"dateUpdated": "2024-09-17T01:35:37.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-12120
Vulnerability from cvelistv5
Published
2018-11-28 17:00
Modified
2024-08-05 08:24
Severity ?
EPSS score ?
Summary
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.
References
| ▼ | URL | Tags |
|---|---|---|
| https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/106040 | vdb-entry, x_refsource_BID |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| The Node.js Project | Node.js |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:24:03.745Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106040",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106040"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "All versions prior to Node.js 6.15.0"
}
]
}
],
"datePublic": "2018-11-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-419",
"description": "CWE-419: Unprotected Primary Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-11-29T10:57:01",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106040",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106040"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2018-12120",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to Node.js 6.15.0"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-419: Unprotected Primary Channel"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106040",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106040"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-12120",
"datePublished": "2018-11-28T17:00:00",
"dateReserved": "2018-06-11T00:00:00",
"dateUpdated": "2024-08-05T08:24:03.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}