This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Nodejs First view 2013-07-31
Product Node.Js Last view 2023-02-23
Version * Type Application
Update *  
Edition *  
Language *  
Sofware Edition -  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:nodejs:node.js

Activity : Overall

Related : CVE

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
  Date Alert Description
4.2 2023-02-23 CVE-2023-23920

An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.

7.5 2023-02-23 CVE-2023-23919

A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.

7.5 2023-02-23 CVE-2023-23918

A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.

5.4 2023-02-16 CVE-2023-23936

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.

8.1 2022-12-05 CVE-2022-43548

A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.

6.5 2022-12-05 CVE-2022-35256

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

9.1 2022-12-05 CVE-2022-35255

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

7.5 2022-11-01 CVE-2022-3786

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

7.5 2022-11-01 CVE-2022-3602

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).

7.3 2022-07-14 CVE-2022-32223

Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf†exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability.

5.3 2022-07-14 CVE-2022-32222

A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.

6.5 2022-07-14 CVE-2022-32215

The llhttp parser

6.5 2022-07-14 CVE-2022-32214

The llhttp parser

6.5 2022-07-14 CVE-2022-32213

The llhttp parser

8.1 2022-07-14 CVE-2022-32212

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

7.5 2022-03-15 CVE-2022-0778

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

8.2 2022-02-24 CVE-2022-21824

Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.

5.3 2022-02-24 CVE-2021-44533

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.

5.3 2022-02-24 CVE-2021-44532

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

7.4 2022-02-24 CVE-2021-44531

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.

7.5 2021-12-14 CVE-2021-4044

Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0).

5.6 2021-11-23 CVE-2021-3672

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

9.8 2021-10-07 CVE-2021-22930

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

7.5 2021-08-16 CVE-2021-22940

Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

5.3 2021-08-16 CVE-2021-22939

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

CWE : Common Weakness Enumeration

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
%idName
10% (10) CWE-200 Information Exposure
7% (7) CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggli...
6% (6) CWE-295 Certificate Issues
6% (6) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
6% (6) CWE-20 Improper Input Validation
5% (5) CWE-476 NULL Pointer Dereference
5% (5) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
4% (4) CWE-787 Out-of-bounds Write
4% (4) CWE-399 Resource Management Errors
4% (4) CWE-125 Out-of-bounds Read
4% (4) CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
3% (3) CWE-416 Use After Free
3% (3) CWE-203 Information Exposure Through Discrepancy
3% (3) CWE-190 Integer Overflow or Wraparound
3% (3) CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflo...
2% (2) CWE-770 Allocation of Resources Without Limits or Throttling
2% (2) CWE-327 Use of a Broken or Risky Cryptographic Algorithm
2% (2) CWE-326 Inadequate Encryption Strength
2% (2) CWE-78 Improper Sanitization of Special Elements used in an OS Command ('O...
1% (1) CWE-772 Missing Release of Resource after Effective Lifetime
1% (1) CWE-732 Incorrect Permission Assignment for Critical Resource
1% (1) CWE-707 Improper Enforcement of Message or Data Structure
1% (1) CWE-665 Improper Initialization
1% (1) CWE-427 Uncontrolled Search Path Element
1% (1) CWE-426 Untrusted Search Path

Information Assurance Vulnerability Management (IAVM)

id Description
2015-A-0113 Multiple Vulnerabilities in Juniper Networks CTPOS
Severity: Category I - VMSKEY: V0060737
2014-B-0103 Multiple Vulnerabilities in VMware Horizon View Client
Severity: Category I - VMSKEY: V0053509
2014-B-0102 Multiple Vulnerabilities in VMware vCenter Converter Standalone 5.5
Severity: Category I - VMSKEY: V0053507
2014-B-0101 Multiple Vulnerabilities in VMware vCenter Converter Standalone 5.1
Severity: Category I - VMSKEY: V0053505
2014-A-0115 Multiple Vulnerabilities in VMware Horizon View
Severity: Category I - VMSKEY: V0053501
2014-B-0097 Multiple Vulnerabilities in VMware ESXi 5.0
Severity: Category I - VMSKEY: V0053319
2014-A-0103 Multiple Vulnerabilities in Oracle E-Business
Severity: Category I - VMSKEY: V0053195
2014-A-0109 Multiple Vulnerabilities in VMware Fusion
Severity: Category I - VMSKEY: V0053183
2014-A-0110 Multiple Vulnerabilities in VMware Player
Severity: Category I - VMSKEY: V0053181
2014-A-0111 Multiple Vulnerabilities in VMware Workstation
Severity: Category I - VMSKEY: V0053179
2014-B-0095 Multiple Vulnerabilities in Splunk
Severity: Category I - VMSKEY: V0053177
2014-B-0089 Multiple Vulnerabilities in VMware ESXi 5.1
Severity: Category I - VMSKEY: V0052909
2014-B-0088 Multiple Vulnerabilities in VMware ESXi 5.5
Severity: Category I - VMSKEY: V0052911
2014-B-0091 Multiple Vulnerabilities in VMware vCenter Update Manager 5.5
Severity: Category I - VMSKEY: V0052907
2014-B-0084 HP Onboard Administrator Information Disclosure Vulnerability
Severity: Category I - VMSKEY: V0052901
2014-B-0085 Multiple Vulnerabilities in HP System Management Homepage (SMH)
Severity: Category I - VMSKEY: V0052899
2014-B-0092 Multiple Vulnerabilities in VMware vSphere Client 5.5
Severity: Category I - VMSKEY: V0052893
2014-A-0089 Multiple Vulnerabilities in Juniper Pulse Secure Access Service (IVE)
Severity: Category I - VMSKEY: V0052805
2014-B-0079 Multiple Vulnerabilities in IBM AIX
Severity: Category I - VMSKEY: V0052641
2014-B-0078 Multiple Vulnerabilities in Blue Coat ProxySG
Severity: Category I - VMSKEY: V0052639
2014-A-0087 Multiple Vulnerabilities in McAfee ePolicy Orchestrator
Severity: Category I - VMSKEY: V0052637
2014-B-0080 Multiple Vulnerabilities in Stunnel
Severity: Category I - VMSKEY: V0052627
2014-B-0077 Multiple Vulnerabilities in McAfee Web Gateway
Severity: Category I - VMSKEY: V0052625
2014-A-0083 Multiple Vulnerabilities in OpenSSL
Severity: Category I - VMSKEY: V0052495
2014-B-0023 Multiple Vulnerabilities in Google Chrome
Severity: Category I - VMSKEY: V0045283

Snort® IPS/IDS

Date Description
2020-01-21 OpenSSL SSL ChangeCipherSpec man-in-the-middle attempt
RuleID : 52487 - Type : SERVER-OTHER - Revision : 1
2016-11-08 OpenSSL OCSP Status Request Extension denial of service attempt
RuleID : 40360 - Type : SERVER-OTHER - Revision : 3
2016-10-18 SSH weak blowfish cipher suite use attempt
RuleID : 40190 - Type : POLICY-OTHER - Revision : 2
2016-10-18 SSH weak 3DES cipher suite use attempt
RuleID : 40189 - Type : POLICY-OTHER - Revision : 2
2016-10-18 SSL weak 3DES cipher suite use attempt
RuleID : 40188 - Type : POLICY-OTHER - Revision : 2
2016-10-18 SSL weak 3DES cipher suite use attempt
RuleID : 40187 - Type : POLICY-OTHER - Revision : 2
2016-10-18 SSL weak 3DES cipher suite use attempt
RuleID : 40186 - Type : POLICY-OTHER - Revision : 2
2016-03-14 OpenSSL invalid RSASSA-PSS certificate denial of service attempt
RuleID : 37155 - Type : SERVER-OTHER - Revision : 2
2016-03-14 OpenSSL invalid RSASSA-PSS certificate denial of service attempt
RuleID : 37154 - Type : SERVER-OTHER - Revision : 2
2014-11-16 OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt
RuleID : 31484 - Type : SERVER-OTHER - Revision : 3
2014-11-16 OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt
RuleID : 31483 - Type : SERVER-OTHER - Revision : 3
2014-11-16 OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt
RuleID : 31482 - Type : SERVER-OTHER - Revision : 3
2014-11-16 OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt
RuleID : 31481 - Type : SERVER-OTHER - Revision : 3
2014-11-16 OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt
RuleID : 31480 - Type : SERVER-OTHER - Revision : 3
2014-11-16 OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt
RuleID : 31479 - Type : SERVER-OTHER - Revision : 3
2014-11-16 OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt
RuleID : 31478 - Type : SERVER-OTHER - Revision : 3
2014-11-16 OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt
RuleID : 31477 - Type : SERVER-OTHER - Revision : 3

Nessus® Vulnerability Scanner

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2019-01-18 Name: The remote Fedora host is missing a security update.
File: fedora_2019-a8ffcff7ee.nasl - Type: ACT_GATHER_INFO
2019-01-17 Name: The remote database server is affected by multiple vulnerabilities.
File: mysql_5_6_43.nasl - Type: ACT_GATHER_INFO
2019-01-17 Name: The remote database server is affected by multiple vulnerabilities.
File: mysql_5_7_25.nasl - Type: ACT_GATHER_INFO
2019-01-17 Name: The remote database server is affected by multiple vulnerabilities.
File: mysql_8_0_14.nasl - Type: ACT_GATHER_INFO
2019-01-16 Name: The remote database server is affected by multiple vulnerabilities
File: mariadb_10_0_37.nasl - Type: ACT_GATHER_INFO
2019-01-11 Name: The remote device is missing a vendor-supplied security patch.
File: juniper_jsa10919.nasl - Type: ACT_GATHER_INFO
2019-01-08 Name: The remote EulerOS host is missing multiple security updates.
File: EulerOS_SA-2019-1009.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-242f6c1a41.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-520e4c5b4e.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-55b875c1ac.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-8049b2c488.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-bdefa5e5bb.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-f59d961d7b.nasl - Type: ACT_GATHER_INFO
2019-01-02 Name: Tenable Nessus running on the remote host is affected by multiple vulnerabili...
File: nessus_tns_2018_16.nasl - Type: ACT_GATHER_INFO
2019-01-02 Name: Tenable Nessus running on the remote host is affected by multiple vulnerabili...
File: nessus_tns_2018_17.nasl - Type: ACT_GATHER_INFO
2018-12-28 Name: The remote EulerOS host is missing multiple security updates.
File: EulerOS_SA-2018-1420.nasl - Type: ACT_GATHER_INFO
2018-12-28 Name: The remote EulerOS host is missing a security update.
File: EulerOS_SA-2018-1434.nasl - Type: ACT_GATHER_INFO
2018-12-28 Name: Node.js - JavaScript run-time environment is affected by multiple vulnerabili...
File: nodejs_2018_nov.nasl - Type: ACT_GATHER_INFO
2018-12-20 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4355.nasl - Type: ACT_GATHER_INFO
2018-12-10 Name: The remote EulerOS host is missing multiple security updates.
File: EulerOS_SA-2018-1392.nasl - Type: ACT_GATHER_INFO
2018-12-10 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_2a86f45afc3c11e8a41400155d006b02.nasl - Type: ACT_GATHER_INFO
2018-12-07 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2018-1114.nasl - Type: ACT_GATHER_INFO
2018-12-07 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2018-1115.nasl - Type: ACT_GATHER_INFO
2018-12-07 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2018-1116.nasl - Type: ACT_GATHER_INFO
2018-12-01 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4348.nasl - Type: ACT_GATHER_INFO