Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2018-12120
Vulnerability from cvelistv5
Published
2018-11-28 17:00
Modified
2024-08-05 08:24
Severity ?
EPSS score ?
Summary
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve-request@iojs.org | http://www.securityfocus.com/bid/106040 | Third Party Advisory, VDB Entry | |
| cve-request@iojs.org | https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/106040 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Node.js Project | Node.js |
Version: All versions prior to Node.js 6.15.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T08:24:03.745Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", }, { name: "106040", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/106040", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Node.js", vendor: "The Node.js Project", versions: [ { status: "affected", version: "All versions prior to Node.js 6.15.0", }, ], }, ], datePublic: "2018-11-28T00:00:00", descriptions: [ { lang: "en", value: "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-419", description: "CWE-419: Unprotected Primary Channel", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2018-11-29T10:57:01", orgId: "386269d4-a6c6-4eaa-bf8e-bc0b0d010558", shortName: "nodejs", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", }, { name: "106040", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/106040", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve-request@iojs.org", ID: "CVE-2018-12120", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Node.js", version: { version_data: [ { version_value: "All versions prior to Node.js 6.15.0", }, ], }, }, ], }, vendor_name: "The Node.js Project", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-419: Unprotected Primary Channel", }, ], }, ], }, references: { reference_data: [ { name: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", refsource: "CONFIRM", url: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", }, { name: "106040", refsource: "BID", url: "http://www.securityfocus.com/bid/106040", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "386269d4-a6c6-4eaa-bf8e-bc0b0d010558", assignerShortName: "nodejs", cveId: "CVE-2018-12120", datePublished: "2018-11-28T17:00:00", dateReserved: "2018-06-11T00:00:00", dateUpdated: "2024-08-05T08:24:03.745Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*\", \"versionStartIncluding\": \"6.0.0\", \"versionEndExcluding\": \"6.15.0\", \"matchCriteriaId\": \"30C30A13-A774-48C1-A0FC-1F31327DE909\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.\"}, {\"lang\": \"es\", \"value\": \"Node.js: Todas las versiones anteriores a la 6.15.0: El puerto de depuraci\\u00f3n 5858 escucha en cualquier interfaz por defecto. Cuando el depurador est\\u00e1 habilitado con \\\"node --debug\\\" o \\\"node debug\\\", escucha en el puerto 5858 en todas las interfaces por defecto. Esto podr\\u00eda permitir que los ordenadores remotos se conecten al puerto de depuraci\\u00f3n y eval\\u00faen JavaScript arbitrario. La interfaz por defecto es ahora localhost. Siempre ha sido posible iniciar el depurador en una interfaz concreta, como \\\"node --debug=localhost\\\". El depurador fue eliminado en Node.js 8 y se sustituy\\u00f3 por el inspector, por lo que no hay versiones vulnerables a partir de la 8.\"}]", id: "CVE-2018-12120", lastModified: "2024-11-21T03:44:38.050", metrics: "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}", published: "2018-11-28T17:29:00.290", references: "[{\"url\": \"http://www.securityfocus.com/bid/106040\", \"source\": \"cve-request@iojs.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/\", \"source\": \"cve-request@iojs.org\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/106040\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}]", sourceIdentifier: "cve-request@iojs.org", vulnStatus: "Modified", weaknesses: "[{\"source\": \"cve-request@iojs.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-419\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-829\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2018-12120\",\"sourceIdentifier\":\"cve-request@iojs.org\",\"published\":\"2018-11-28T17:29:00.290\",\"lastModified\":\"2024-11-21T03:44:38.050\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.\"},{\"lang\":\"es\",\"value\":\"Node.js: Todas las versiones anteriores a la 6.15.0: El puerto de depuración 5858 escucha en cualquier interfaz por defecto. Cuando el depurador está habilitado con \\\"node --debug\\\" o \\\"node debug\\\", escucha en el puerto 5858 en todas las interfaces por defecto. Esto podría permitir que los ordenadores remotos se conecten al puerto de depuración y evalúen JavaScript arbitrario. La interfaz por defecto es ahora localhost. Siempre ha sido posible iniciar el depurador en una interfaz concreta, como \\\"node --debug=localhost\\\". El depurador fue eliminado en Node.js 8 y se sustituyó por el inspector, por lo que no hay versiones vulnerables a partir de la 8.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cve-request@iojs.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-419\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-829\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndExcluding\":\"6.15.0\",\"matchCriteriaId\":\"30C30A13-A774-48C1-A0FC-1F31327DE909\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/106040\",\"source\":\"cve-request@iojs.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/\",\"source\":\"cve-request@iojs.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/106040\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}", }, }
gsd-2018-12120
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.
Aliases
Aliases
{ GSD: { alias: "CVE-2018-12120", description: "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.", id: "GSD-2018-12120", references: [ "https://www.suse.com/security/cve/CVE-2018-12120.html", "https://advisories.mageia.org/CVE-2018-12120.html", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2018-12120", ], details: "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.", id: "GSD-2018-12120", modified: "2023-12-13T01:22:29.852550Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "cve-request@iojs.org", ID: "CVE-2018-12120", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Node.js", version: { version_data: [ { version_value: "All versions prior to Node.js 6.15.0", }, ], }, }, ], }, vendor_name: "The Node.js Project", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-419: Unprotected Primary Channel", }, ], }, ], }, references: { reference_data: [ { name: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", refsource: "CONFIRM", url: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", }, { name: "106040", refsource: "BID", url: "http://www.securityfocus.com/bid/106040", }, ], }, }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", cpe_name: [], versionEndExcluding: "6.15.0", versionStartIncluding: "6.0.0", vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "cve-request@iojs.org", ID: "CVE-2018-12120", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "CWE-829", }, ], }, ], }, references: { reference_data: [ { name: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", refsource: "CONFIRM", tags: [ "Vendor Advisory", "Patch", ], url: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", }, { name: "106040", refsource: "BID", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/106040", }, ], }, }, impact: { baseMetricV2: { acInsufInfo: false, cvssV2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "MEDIUM", userInteractionRequired: false, }, baseMetricV3: { cvssV3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 5.9, }, }, lastModifiedDate: "2022-09-06T18:00Z", publishedDate: "2018-11-28T17:29Z", }, }, }
suse-su-2019:0117-1
Vulnerability from csaf_suse
Published
2019-01-18 10:52
Modified
2019-01-18 10:52
Summary
Security update for nodejs4
Notes
Title of the patch
Security update for nodejs4
Description of the patch
This update for nodejs4 fixes the following issues:
Security issues fixed:
- CVE-2018-0734: Fixed a timing vulnerability in the DSA signature generation (bsc#1113652)
- CVE-2018-5407: Fixed a hyperthread port content side channel attack (aka 'PortSmash') (bsc#1113534)
- CVE-2018-12120: Fixed that the debugger listens on any interface by default (bsc#1117625)
- CVE-2018-12121: Fixed a denial of Service with large HTTP headers (bsc#1117626)
- CVE-2018-12122: Fixed the 'Slowloris' HTTP Denial of Service (bsc#1117627)
- CVE-2018-12116: Fixed HTTP request splitting (bsc#1117630)
- CVE-2018-12123: Fixed hostname spoofing in URL parser for javascript protocol (bsc#1117629)
Patchnames
SUSE-2019-117,SUSE-SLE-Module-Web-Scripting-12-2019-117,SUSE-Storage-4-2019-117
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for nodejs4", title: "Title of the patch", }, { category: "description", text: "This update for nodejs4 fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2018-0734: Fixed a timing vulnerability in the DSA signature generation (bsc#1113652)\n- CVE-2018-5407: Fixed a hyperthread port content side channel attack (aka 'PortSmash') (bsc#1113534)\n- CVE-2018-12120: Fixed that the debugger listens on any interface by default (bsc#1117625)\n- CVE-2018-12121: Fixed a denial of Service with large HTTP headers (bsc#1117626)\n- CVE-2018-12122: Fixed the 'Slowloris' HTTP Denial of Service (bsc#1117627)\n- CVE-2018-12116: Fixed HTTP request splitting (bsc#1117630)\n- CVE-2018-12123: Fixed hostname spoofing in URL parser for javascript protocol (bsc#1117629)\n", title: "Description of the patch", }, { category: "details", text: "SUSE-2019-117,SUSE-SLE-Module-Web-Scripting-12-2019-117,SUSE-Storage-4-2019-117", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2019_0117-1.json", }, { category: "self", summary: "URL for SUSE-SU-2019:0117-1", url: "https://www.suse.com/support/update/announcement/2019/suse-su-20190117-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2019:0117-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2019-January/005042.html", }, { category: "self", summary: "SUSE Bug 1113534", url: "https://bugzilla.suse.com/1113534", }, { category: "self", summary: "SUSE Bug 1113652", url: "https://bugzilla.suse.com/1113652", }, { category: "self", summary: "SUSE Bug 1117625", url: "https://bugzilla.suse.com/1117625", }, { category: "self", summary: "SUSE Bug 1117626", url: "https://bugzilla.suse.com/1117626", }, { category: "self", summary: "SUSE Bug 1117627", url: "https://bugzilla.suse.com/1117627", }, { category: "self", summary: "SUSE Bug 1117629", url: "https://bugzilla.suse.com/1117629", }, { category: "self", summary: "SUSE Bug 1117630", url: "https://bugzilla.suse.com/1117630", }, { category: "self", summary: "SUSE CVE CVE-2018-0734 page", url: "https://www.suse.com/security/cve/CVE-2018-0734/", }, { category: "self", summary: "SUSE CVE CVE-2018-12116 page", url: "https://www.suse.com/security/cve/CVE-2018-12116/", }, { category: "self", summary: "SUSE CVE CVE-2018-12120 page", url: "https://www.suse.com/security/cve/CVE-2018-12120/", }, { category: "self", summary: "SUSE CVE CVE-2018-12121 page", url: "https://www.suse.com/security/cve/CVE-2018-12121/", }, { category: "self", summary: "SUSE CVE CVE-2018-12122 page", url: "https://www.suse.com/security/cve/CVE-2018-12122/", }, { category: "self", summary: "SUSE CVE CVE-2018-12123 page", url: "https://www.suse.com/security/cve/CVE-2018-12123/", }, { category: "self", summary: "SUSE CVE CVE-2018-5407 page", url: "https://www.suse.com/security/cve/CVE-2018-5407/", }, ], title: "Security update for nodejs4", tracking: { current_release_date: "2019-01-18T10:52:41Z", generator: { date: "2019-01-18T10:52:41Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2019:0117-1", initial_release_date: "2019-01-18T10:52:41Z", revision_history: [ { date: "2019-01-18T10:52:41Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "nodejs4-4.9.1-15.17.1.aarch64", product: { name: "nodejs4-4.9.1-15.17.1.aarch64", product_id: "nodejs4-4.9.1-15.17.1.aarch64", }, }, { category: "product_version", name: "nodejs4-devel-4.9.1-15.17.1.aarch64", product: { name: "nodejs4-devel-4.9.1-15.17.1.aarch64", product_id: "nodejs4-devel-4.9.1-15.17.1.aarch64", }, }, { category: "product_version", name: "npm4-4.9.1-15.17.1.aarch64", product: { name: "npm4-4.9.1-15.17.1.aarch64", product_id: "npm4-4.9.1-15.17.1.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "nodejs4-4.9.1-15.17.1.i586", product: { name: "nodejs4-4.9.1-15.17.1.i586", product_id: "nodejs4-4.9.1-15.17.1.i586", }, }, { category: "product_version", name: "nodejs4-devel-4.9.1-15.17.1.i586", product: { name: "nodejs4-devel-4.9.1-15.17.1.i586", product_id: "nodejs4-devel-4.9.1-15.17.1.i586", }, }, { category: "product_version", name: "npm4-4.9.1-15.17.1.i586", product: { name: "npm4-4.9.1-15.17.1.i586", product_id: "npm4-4.9.1-15.17.1.i586", }, }, ], category: "architecture", name: "i586", }, { branches: [ { category: "product_version", name: "nodejs4-docs-4.9.1-15.17.1.noarch", product: { name: "nodejs4-docs-4.9.1-15.17.1.noarch", product_id: "nodejs4-docs-4.9.1-15.17.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "nodejs4-4.9.1-15.17.1.ppc64le", product: { name: "nodejs4-4.9.1-15.17.1.ppc64le", product_id: "nodejs4-4.9.1-15.17.1.ppc64le", }, }, { category: "product_version", name: "nodejs4-devel-4.9.1-15.17.1.ppc64le", product: { name: "nodejs4-devel-4.9.1-15.17.1.ppc64le", product_id: "nodejs4-devel-4.9.1-15.17.1.ppc64le", }, }, { category: "product_version", name: "npm4-4.9.1-15.17.1.ppc64le", product: { name: "npm4-4.9.1-15.17.1.ppc64le", product_id: "npm4-4.9.1-15.17.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "nodejs4-4.9.1-15.17.1.x86_64", product: { name: "nodejs4-4.9.1-15.17.1.x86_64", product_id: "nodejs4-4.9.1-15.17.1.x86_64", }, }, { category: "product_version", name: "nodejs4-devel-4.9.1-15.17.1.x86_64", product: { name: "nodejs4-devel-4.9.1-15.17.1.x86_64", product_id: "nodejs4-devel-4.9.1-15.17.1.x86_64", }, }, { category: "product_version", name: "npm4-4.9.1-15.17.1.x86_64", product: { name: "npm4-4.9.1-15.17.1.x86_64", product_id: "npm4-4.9.1-15.17.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "SUSE Linux Enterprise Module for Web and Scripting 12", product: { name: "SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12", product_identification_helper: { cpe: "cpe:/o:suse:sle-module-web-scripting:12", }, }, }, { category: "product_name", name: "SUSE Enterprise Storage 4", product: { name: "SUSE Enterprise Storage 4", product_id: "SUSE Enterprise Storage 4", product_identification_helper: { cpe: "cpe:/o:suse:ses:4", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "nodejs4-4.9.1-15.17.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", }, product_reference: "nodejs4-4.9.1-15.17.1.aarch64", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "nodejs4-4.9.1-15.17.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", }, product_reference: "nodejs4-4.9.1-15.17.1.ppc64le", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "nodejs4-4.9.1-15.17.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", }, product_reference: "nodejs4-4.9.1-15.17.1.x86_64", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "nodejs4-devel-4.9.1-15.17.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", }, product_reference: "nodejs4-devel-4.9.1-15.17.1.aarch64", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "nodejs4-devel-4.9.1-15.17.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", }, product_reference: "nodejs4-devel-4.9.1-15.17.1.ppc64le", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "nodejs4-devel-4.9.1-15.17.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", }, product_reference: "nodejs4-devel-4.9.1-15.17.1.x86_64", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "nodejs4-docs-4.9.1-15.17.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", }, product_reference: "nodejs4-docs-4.9.1-15.17.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "npm4-4.9.1-15.17.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", }, product_reference: "npm4-4.9.1-15.17.1.aarch64", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "npm4-4.9.1-15.17.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", }, product_reference: "npm4-4.9.1-15.17.1.ppc64le", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "npm4-4.9.1-15.17.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", }, product_reference: "npm4-4.9.1-15.17.1.x86_64", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "nodejs4-4.9.1-15.17.1.aarch64 as component of SUSE Enterprise Storage 4", product_id: "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", }, product_reference: "nodejs4-4.9.1-15.17.1.aarch64", relates_to_product_reference: "SUSE Enterprise Storage 4", }, { category: "default_component_of", full_product_name: { name: "nodejs4-4.9.1-15.17.1.x86_64 as component of SUSE Enterprise Storage 4", product_id: "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", }, product_reference: "nodejs4-4.9.1-15.17.1.x86_64", relates_to_product_reference: "SUSE Enterprise Storage 4", }, ], }, vulnerabilities: [ { cve: "CVE-2018-0734", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-0734", }, ], notes: [ { category: "general", text: "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-0734", url: "https://www.suse.com/security/cve/CVE-2018-0734", }, { category: "external", summary: "SUSE Bug 1113534 for CVE-2018-0734", url: "https://bugzilla.suse.com/1113534", }, { category: "external", summary: "SUSE Bug 1113652 for CVE-2018-0734", url: "https://bugzilla.suse.com/1113652", }, { category: "external", summary: "SUSE Bug 1113742 for CVE-2018-0734", url: "https://bugzilla.suse.com/1113742", }, { category: "external", summary: "SUSE Bug 1122198 for CVE-2018-0734", url: "https://bugzilla.suse.com/1122198", }, { category: "external", summary: "SUSE Bug 1122212 for CVE-2018-0734", url: "https://bugzilla.suse.com/1122212", }, { category: "external", summary: "SUSE Bug 1126909 for CVE-2018-0734", url: "https://bugzilla.suse.com/1126909", }, { category: "external", summary: "SUSE Bug 1148697 for CVE-2018-0734", url: "https://bugzilla.suse.com/1148697", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", version: "3.0", }, products: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2019-01-18T10:52:41Z", details: "moderate", }, ], title: "CVE-2018-0734", }, { cve: "CVE-2018-12116", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-12116", }, ], notes: [ { category: "general", text: "Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-12116", url: "https://www.suse.com/security/cve/CVE-2018-12116", }, { category: "external", summary: "SUSE Bug 1117630 for CVE-2018-12116", url: "https://bugzilla.suse.com/1117630", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 4.2, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2019-01-18T10:52:41Z", details: "moderate", }, ], title: "CVE-2018-12116", }, { cve: "CVE-2018-12120", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-12120", }, ], notes: [ { category: "general", text: "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-12120", url: "https://www.suse.com/security/cve/CVE-2018-12120", }, { category: "external", summary: "SUSE Bug 1117625 for CVE-2018-12120", url: "https://bugzilla.suse.com/1117625", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2019-01-18T10:52:41Z", details: "critical", }, ], title: "CVE-2018-12120", }, { cve: "CVE-2018-12121", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-12121", }, ], notes: [ { category: "general", text: "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-12121", url: "https://www.suse.com/security/cve/CVE-2018-12121", }, { category: "external", summary: "SUSE Bug 1117626 for CVE-2018-12121", url: "https://bugzilla.suse.com/1117626", }, { category: "external", summary: "SUSE Bug 1127532 for CVE-2018-12121", url: "https://bugzilla.suse.com/1127532", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2019-01-18T10:52:41Z", details: "important", }, ], title: "CVE-2018-12121", }, { cve: "CVE-2018-12122", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-12122", }, ], notes: [ { category: "general", text: "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-12122", url: "https://www.suse.com/security/cve/CVE-2018-12122", }, { category: "external", summary: "SUSE Bug 1117627 for CVE-2018-12122", url: "https://bugzilla.suse.com/1117627", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2019-01-18T10:52:41Z", details: "important", }, ], title: "CVE-2018-12122", }, { cve: "CVE-2018-12123", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-12123", }, ], notes: [ { category: "general", text: "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case \"javascript:\" (e.g. \"javAscript:\") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-12123", url: "https://www.suse.com/security/cve/CVE-2018-12123", }, { category: "external", summary: "SUSE Bug 1117629 for CVE-2018-12123", url: "https://bugzilla.suse.com/1117629", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2019-01-18T10:52:41Z", details: "moderate", }, ], title: "CVE-2018-12123", }, { cve: "CVE-2018-5407", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-5407", }, ], notes: [ { category: "general", text: "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-5407", url: "https://www.suse.com/security/cve/CVE-2018-5407", }, { category: "external", summary: "SUSE Bug 1113534 for CVE-2018-5407", url: "https://bugzilla.suse.com/1113534", }, { category: "external", summary: "SUSE Bug 1116195 for CVE-2018-5407", url: "https://bugzilla.suse.com/1116195", }, { category: "external", summary: "SUSE Bug 1126909 for CVE-2018-5407", url: "https://bugzilla.suse.com/1126909", }, { category: "external", summary: "SUSE Bug 1148697 for CVE-2018-5407", url: "https://bugzilla.suse.com/1148697", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 4.8, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", version: "3.0", }, products: [ "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2019-01-18T10:52:41Z", details: "moderate", }, ], title: "CVE-2018-5407", }, ], }
suse-su-2019:0395-1
Vulnerability from csaf_suse
Published
2019-02-14 13:59
Modified
2019-02-14 13:59
Summary
Security update for nodejs6
Notes
Title of the patch
Security update for nodejs6
Description of the patch
This update for nodejs6 to version 6.16.0 fixes the following issues:
Security issues fixed:
- CVE-2018-0734: Fixed a timing vulnerability in the DSA signature generation (bsc#1113652)
- CVE-2018-5407: Fixed a hyperthread port content side channel attack (aka 'PortSmash') (bsc#1113534)
- CVE-2018-12120: Fixed that the debugger listens on any interface by default (bsc#1117625)
- CVE-2018-12121: Fixed a denial of Service with large HTTP headers (bsc#1117626)
- CVE-2018-12122: Fixed the 'Slowloris' HTTP Denial of Service (bsc#1117627)
- CVE-2018-12116: Fixed HTTP request splitting (bsc#1117630)
- CVE-2018-12123: Fixed hostname spoofing in URL parser for javascript protocol (bsc#1117629)
Patchnames
SUSE-2019-395,SUSE-OpenStack-Cloud-7-2019-395,SUSE-OpenStack-Cloud-Crowbar-8-2019-395,SUSE-SLE-Module-Web-Scripting-12-2019-395,SUSE-Storage-4-2019-395
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for nodejs6", title: "Title of the patch", }, { category: "description", text: "This update for nodejs6 to version 6.16.0 fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2018-0734: Fixed a timing vulnerability in the DSA signature generation (bsc#1113652)\n- CVE-2018-5407: Fixed a hyperthread port content side channel attack (aka 'PortSmash') (bsc#1113534)\n- CVE-2018-12120: Fixed that the debugger listens on any interface by default (bsc#1117625)\n- CVE-2018-12121: Fixed a denial of Service with large HTTP headers (bsc#1117626)\n- CVE-2018-12122: Fixed the 'Slowloris' HTTP Denial of Service (bsc#1117627)\n- CVE-2018-12116: Fixed HTTP request splitting (bsc#1117630)\n- CVE-2018-12123: Fixed hostname spoofing in URL parser for javascript protocol (bsc#1117629)\n", title: "Description of the patch", }, { category: "details", text: "SUSE-2019-395,SUSE-OpenStack-Cloud-7-2019-395,SUSE-OpenStack-Cloud-Crowbar-8-2019-395,SUSE-SLE-Module-Web-Scripting-12-2019-395,SUSE-Storage-4-2019-395", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2019_0395-1.json", }, { category: "self", summary: "URL for SUSE-SU-2019:0395-1", url: "https://www.suse.com/support/update/announcement/2019/suse-su-20190395-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2019:0395-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2019-February/005121.html", }, { category: "self", summary: "SUSE Bug 1113534", url: "https://bugzilla.suse.com/1113534", }, { category: "self", summary: "SUSE Bug 1113652", url: "https://bugzilla.suse.com/1113652", }, { category: "self", summary: "SUSE Bug 1117625", url: "https://bugzilla.suse.com/1117625", }, { category: "self", summary: "SUSE Bug 1117626", url: "https://bugzilla.suse.com/1117626", }, { category: "self", summary: "SUSE Bug 1117627", url: "https://bugzilla.suse.com/1117627", }, { category: "self", summary: "SUSE Bug 1117629", url: "https://bugzilla.suse.com/1117629", }, { category: "self", summary: "SUSE Bug 1117630", url: "https://bugzilla.suse.com/1117630", }, { category: "self", summary: "SUSE CVE CVE-2018-0734 page", url: "https://www.suse.com/security/cve/CVE-2018-0734/", }, { category: "self", summary: "SUSE CVE CVE-2018-12116 page", url: "https://www.suse.com/security/cve/CVE-2018-12116/", }, { category: "self", summary: "SUSE CVE CVE-2018-12120 page", url: "https://www.suse.com/security/cve/CVE-2018-12120/", }, { category: "self", summary: "SUSE CVE CVE-2018-12121 page", url: "https://www.suse.com/security/cve/CVE-2018-12121/", }, { category: "self", summary: "SUSE CVE CVE-2018-12122 page", url: "https://www.suse.com/security/cve/CVE-2018-12122/", }, { category: "self", summary: "SUSE CVE CVE-2018-12123 page", url: "https://www.suse.com/security/cve/CVE-2018-12123/", }, { category: "self", summary: "SUSE CVE CVE-2018-5407 page", url: "https://www.suse.com/security/cve/CVE-2018-5407/", }, ], title: "Security update for nodejs6", tracking: { current_release_date: "2019-02-14T13:59:06Z", generator: { date: "2019-02-14T13:59:06Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2019:0395-1", initial_release_date: "2019-02-14T13:59:06Z", revision_history: [ { date: "2019-02-14T13:59:06Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "nodejs6-6.16.0-11.21.1.aarch64", product: { name: "nodejs6-6.16.0-11.21.1.aarch64", product_id: "nodejs6-6.16.0-11.21.1.aarch64", }, }, { category: "product_version", name: "nodejs6-devel-6.16.0-11.21.1.aarch64", product: { name: "nodejs6-devel-6.16.0-11.21.1.aarch64", product_id: "nodejs6-devel-6.16.0-11.21.1.aarch64", }, }, { category: "product_version", name: "npm6-6.16.0-11.21.1.aarch64", product: { name: "npm6-6.16.0-11.21.1.aarch64", product_id: "npm6-6.16.0-11.21.1.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "nodejs6-6.16.0-11.21.1.i586", product: { name: "nodejs6-6.16.0-11.21.1.i586", product_id: "nodejs6-6.16.0-11.21.1.i586", }, }, { category: "product_version", name: "nodejs6-devel-6.16.0-11.21.1.i586", product: { name: "nodejs6-devel-6.16.0-11.21.1.i586", product_id: "nodejs6-devel-6.16.0-11.21.1.i586", }, }, { category: "product_version", name: "npm6-6.16.0-11.21.1.i586", product: { name: "npm6-6.16.0-11.21.1.i586", product_id: "npm6-6.16.0-11.21.1.i586", }, }, ], category: "architecture", name: "i586", }, { branches: [ { category: "product_version", name: "nodejs6-docs-6.16.0-11.21.1.noarch", product: { name: "nodejs6-docs-6.16.0-11.21.1.noarch", product_id: "nodejs6-docs-6.16.0-11.21.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "nodejs6-6.16.0-11.21.1.ppc64le", product: { name: "nodejs6-6.16.0-11.21.1.ppc64le", product_id: "nodejs6-6.16.0-11.21.1.ppc64le", }, }, { category: "product_version", name: "nodejs6-devel-6.16.0-11.21.1.ppc64le", product: { name: "nodejs6-devel-6.16.0-11.21.1.ppc64le", product_id: "nodejs6-devel-6.16.0-11.21.1.ppc64le", }, }, { category: "product_version", name: "npm6-6.16.0-11.21.1.ppc64le", product: { name: "npm6-6.16.0-11.21.1.ppc64le", product_id: "npm6-6.16.0-11.21.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "nodejs6-6.16.0-11.21.1.s390", product: { name: "nodejs6-6.16.0-11.21.1.s390", product_id: "nodejs6-6.16.0-11.21.1.s390", }, }, { category: "product_version", name: "nodejs6-devel-6.16.0-11.21.1.s390", product: { name: "nodejs6-devel-6.16.0-11.21.1.s390", product_id: "nodejs6-devel-6.16.0-11.21.1.s390", }, }, { category: "product_version", name: "npm6-6.16.0-11.21.1.s390", product: { name: "npm6-6.16.0-11.21.1.s390", product_id: "npm6-6.16.0-11.21.1.s390", }, }, ], category: "architecture", name: "s390", }, { branches: [ { category: "product_version", name: "nodejs6-6.16.0-11.21.1.s390x", product: { name: "nodejs6-6.16.0-11.21.1.s390x", product_id: "nodejs6-6.16.0-11.21.1.s390x", }, }, { category: "product_version", name: "nodejs6-devel-6.16.0-11.21.1.s390x", product: { name: "nodejs6-devel-6.16.0-11.21.1.s390x", product_id: "nodejs6-devel-6.16.0-11.21.1.s390x", }, }, { category: "product_version", name: "npm6-6.16.0-11.21.1.s390x", product: { name: "npm6-6.16.0-11.21.1.s390x", product_id: "npm6-6.16.0-11.21.1.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "nodejs6-6.16.0-11.21.1.x86_64", product: { name: "nodejs6-6.16.0-11.21.1.x86_64", product_id: "nodejs6-6.16.0-11.21.1.x86_64", }, }, { category: "product_version", name: "nodejs6-devel-6.16.0-11.21.1.x86_64", product: { name: "nodejs6-devel-6.16.0-11.21.1.x86_64", product_id: "nodejs6-devel-6.16.0-11.21.1.x86_64", }, }, { category: "product_version", name: "npm6-6.16.0-11.21.1.x86_64", product: { name: "npm6-6.16.0-11.21.1.x86_64", product_id: "npm6-6.16.0-11.21.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "SUSE OpenStack Cloud 7", product: { name: "SUSE OpenStack Cloud 7", product_id: "SUSE OpenStack Cloud 7", product_identification_helper: { cpe: "cpe:/o:suse:suse-openstack-cloud:7", }, }, }, { category: "product_name", name: "SUSE OpenStack Cloud Crowbar 8", product: { name: "SUSE OpenStack Cloud Crowbar 8", product_id: "SUSE OpenStack Cloud Crowbar 8", product_identification_helper: { cpe: "cpe:/o:suse:suse-openstack-cloud-crowbar:8", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise Module for Web and Scripting 12", product: { name: "SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12", product_identification_helper: { cpe: "cpe:/o:suse:sle-module-web-scripting:12", }, }, }, { category: "product_name", name: "SUSE Enterprise Storage 4", product: { name: "SUSE Enterprise Storage 4", product_id: "SUSE Enterprise Storage 4", product_identification_helper: { cpe: "cpe:/o:suse:ses:4", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "nodejs6-6.16.0-11.21.1.aarch64 as component of SUSE OpenStack Cloud 7", product_id: "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", }, product_reference: "nodejs6-6.16.0-11.21.1.aarch64", relates_to_product_reference: "SUSE OpenStack Cloud 7", }, { category: "default_component_of", full_product_name: { name: "nodejs6-6.16.0-11.21.1.s390x as component of SUSE OpenStack Cloud 7", product_id: "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", }, product_reference: "nodejs6-6.16.0-11.21.1.s390x", relates_to_product_reference: "SUSE OpenStack Cloud 7", }, { category: "default_component_of", full_product_name: { name: "nodejs6-6.16.0-11.21.1.x86_64 as component of SUSE OpenStack Cloud 7", product_id: "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", }, product_reference: "nodejs6-6.16.0-11.21.1.x86_64", relates_to_product_reference: "SUSE OpenStack Cloud 7", }, { category: "default_component_of", full_product_name: { name: "nodejs6-6.16.0-11.21.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8", product_id: "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", }, product_reference: "nodejs6-6.16.0-11.21.1.x86_64", relates_to_product_reference: "SUSE OpenStack Cloud Crowbar 8", }, { category: "default_component_of", full_product_name: { name: "nodejs6-6.16.0-11.21.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", }, product_reference: "nodejs6-6.16.0-11.21.1.aarch64", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "nodejs6-6.16.0-11.21.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", }, product_reference: "nodejs6-6.16.0-11.21.1.ppc64le", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "nodejs6-6.16.0-11.21.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", }, product_reference: "nodejs6-6.16.0-11.21.1.s390x", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "nodejs6-6.16.0-11.21.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", }, product_reference: "nodejs6-6.16.0-11.21.1.x86_64", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "nodejs6-devel-6.16.0-11.21.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", }, product_reference: "nodejs6-devel-6.16.0-11.21.1.aarch64", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "nodejs6-devel-6.16.0-11.21.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", }, product_reference: "nodejs6-devel-6.16.0-11.21.1.ppc64le", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "nodejs6-devel-6.16.0-11.21.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", }, product_reference: "nodejs6-devel-6.16.0-11.21.1.s390x", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "nodejs6-devel-6.16.0-11.21.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", }, product_reference: "nodejs6-devel-6.16.0-11.21.1.x86_64", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "nodejs6-docs-6.16.0-11.21.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", }, product_reference: "nodejs6-docs-6.16.0-11.21.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "npm6-6.16.0-11.21.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", }, product_reference: "npm6-6.16.0-11.21.1.aarch64", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "npm6-6.16.0-11.21.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", }, product_reference: "npm6-6.16.0-11.21.1.ppc64le", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "npm6-6.16.0-11.21.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", }, product_reference: "npm6-6.16.0-11.21.1.s390x", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "npm6-6.16.0-11.21.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12", product_id: "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", }, product_reference: "npm6-6.16.0-11.21.1.x86_64", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 12", }, { category: "default_component_of", full_product_name: { name: "nodejs6-6.16.0-11.21.1.aarch64 as component of SUSE Enterprise Storage 4", product_id: "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", }, product_reference: "nodejs6-6.16.0-11.21.1.aarch64", relates_to_product_reference: "SUSE Enterprise Storage 4", }, { category: "default_component_of", full_product_name: { name: "nodejs6-6.16.0-11.21.1.x86_64 as component of SUSE Enterprise Storage 4", product_id: "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", }, product_reference: "nodejs6-6.16.0-11.21.1.x86_64", relates_to_product_reference: "SUSE Enterprise Storage 4", }, ], }, vulnerabilities: [ { cve: "CVE-2018-0734", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-0734", }, ], notes: [ { category: "general", text: "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-0734", url: "https://www.suse.com/security/cve/CVE-2018-0734", }, { category: "external", summary: "SUSE Bug 1113534 for CVE-2018-0734", url: "https://bugzilla.suse.com/1113534", }, { category: "external", summary: "SUSE Bug 1113652 for CVE-2018-0734", url: "https://bugzilla.suse.com/1113652", }, { category: "external", summary: "SUSE Bug 1113742 for CVE-2018-0734", url: "https://bugzilla.suse.com/1113742", }, { category: "external", summary: "SUSE Bug 1122198 for CVE-2018-0734", url: "https://bugzilla.suse.com/1122198", }, { category: "external", summary: "SUSE Bug 1122212 for CVE-2018-0734", url: "https://bugzilla.suse.com/1122212", }, { category: "external", summary: "SUSE Bug 1126909 for CVE-2018-0734", url: "https://bugzilla.suse.com/1126909", }, { category: "external", summary: "SUSE Bug 1148697 for CVE-2018-0734", url: "https://bugzilla.suse.com/1148697", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", version: "3.0", }, products: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2019-02-14T13:59:06Z", details: "moderate", }, ], title: "CVE-2018-0734", }, { cve: "CVE-2018-12116", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-12116", }, ], notes: [ { category: "general", text: "Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-12116", url: "https://www.suse.com/security/cve/CVE-2018-12116", }, { category: "external", summary: "SUSE Bug 1117630 for CVE-2018-12116", url: "https://bugzilla.suse.com/1117630", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 4.2, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2019-02-14T13:59:06Z", details: "moderate", }, ], title: "CVE-2018-12116", }, { cve: "CVE-2018-12120", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-12120", }, ], notes: [ { category: "general", text: "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-12120", url: "https://www.suse.com/security/cve/CVE-2018-12120", }, { category: "external", summary: "SUSE Bug 1117625 for CVE-2018-12120", url: "https://bugzilla.suse.com/1117625", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2019-02-14T13:59:06Z", details: "critical", }, ], title: "CVE-2018-12120", }, { cve: "CVE-2018-12121", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-12121", }, ], notes: [ { category: "general", text: "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-12121", url: "https://www.suse.com/security/cve/CVE-2018-12121", }, { category: "external", summary: "SUSE Bug 1117626 for CVE-2018-12121", url: "https://bugzilla.suse.com/1117626", }, { category: "external", summary: "SUSE Bug 1127532 for CVE-2018-12121", url: "https://bugzilla.suse.com/1127532", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2019-02-14T13:59:06Z", details: "important", }, ], title: "CVE-2018-12121", }, { cve: "CVE-2018-12122", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-12122", }, ], notes: [ { category: "general", text: "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-12122", url: "https://www.suse.com/security/cve/CVE-2018-12122", }, { category: "external", summary: "SUSE Bug 1117627 for CVE-2018-12122", url: "https://bugzilla.suse.com/1117627", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2019-02-14T13:59:06Z", details: "important", }, ], title: "CVE-2018-12122", }, { cve: "CVE-2018-12123", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-12123", }, ], notes: [ { category: "general", text: "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case \"javascript:\" (e.g. \"javAscript:\") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-12123", url: "https://www.suse.com/security/cve/CVE-2018-12123", }, { category: "external", summary: "SUSE Bug 1117629 for CVE-2018-12123", url: "https://bugzilla.suse.com/1117629", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2019-02-14T13:59:06Z", details: "moderate", }, ], title: "CVE-2018-12123", }, { cve: "CVE-2018-5407", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-5407", }, ], notes: [ { category: "general", text: "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-5407", url: "https://www.suse.com/security/cve/CVE-2018-5407", }, { category: "external", summary: "SUSE Bug 1113534 for CVE-2018-5407", url: "https://bugzilla.suse.com/1113534", }, { category: "external", summary: "SUSE Bug 1116195 for CVE-2018-5407", url: "https://bugzilla.suse.com/1116195", }, { category: "external", summary: "SUSE Bug 1126909 for CVE-2018-5407", url: "https://bugzilla.suse.com/1126909", }, { category: "external", summary: "SUSE Bug 1148697 for CVE-2018-5407", url: "https://bugzilla.suse.com/1148697", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 4.8, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", version: "3.0", }, products: [ "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64", "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x", "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x", "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2019-02-14T13:59:06Z", details: "moderate", }, ], title: "CVE-2018-5407", }, ], }
fkie_cve-2018-12120
Vulnerability from fkie_nvd
Published
2018-11-28 17:29
Modified
2024-11-21 03:44
Severity ?
Summary
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve-request@iojs.org | http://www.securityfocus.com/bid/106040 | Third Party Advisory, VDB Entry | |
| cve-request@iojs.org | https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/106040 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ | Patch, Vendor Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", matchCriteriaId: "30C30A13-A774-48C1-A0FC-1F31327DE909", versionEndExcluding: "6.15.0", versionStartIncluding: "6.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.", }, { lang: "es", value: "Node.js: Todas las versiones anteriores a la 6.15.0: El puerto de depuración 5858 escucha en cualquier interfaz por defecto. Cuando el depurador está habilitado con \"node --debug\" o \"node debug\", escucha en el puerto 5858 en todas las interfaces por defecto. Esto podría permitir que los ordenadores remotos se conecten al puerto de depuración y evalúen JavaScript arbitrario. La interfaz por defecto es ahora localhost. Siempre ha sido posible iniciar el depurador en una interfaz concreta, como \"node --debug=localhost\". El depurador fue eliminado en Node.js 8 y se sustituyó por el inspector, por lo que no hay versiones vulnerables a partir de la 8.", }, ], id: "CVE-2018-12120", lastModified: "2024-11-21T03:44:38.050", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-11-28T17:29:00.290", references: [ { source: "cve-request@iojs.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/106040", }, { source: "cve-request@iojs.org", tags: [ "Patch", "Vendor Advisory", ], url: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/106040", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", }, ], sourceIdentifier: "cve-request@iojs.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-419", }, ], source: "cve-request@iojs.org", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-829", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
ghsa-8fqw-43x4-4q75
Vulnerability from github
Published
2022-05-13 01:34
Modified
2022-05-13 01:34
Severity ?
Details
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with node --debug or node debug, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as node --debug=localhost. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.
{ affected: [], aliases: [ "CVE-2018-12120", ], database_specific: { cwe_ids: [ "CWE-829", ], github_reviewed: false, github_reviewed_at: null, nvd_published_at: "2018-11-28T17:29:00Z", severity: "HIGH", }, details: "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.", id: "GHSA-8fqw-43x4-4q75", modified: "2022-05-13T01:34:48Z", published: "2022-05-13T01:34:48Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-12120", }, { type: "WEB", url: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases", }, { type: "WEB", url: "http://www.securityfocus.com/bid/106040", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", type: "CVSS_V3", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.