This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor: Nodejs
First view: 2018-05-08
Product: Node.Js
Last view: 2020-07-24
Version: 10.14.0
Type: Application
Update: *
Edition: *
Language: *
Software Edition: lts
Target Software: *
Target Hardware: *
Other: *

CPE Product: cpe:2.3:a:nodejs:node.js

Activity : Overall

Related : CVE

  Date Alert Description
9.8 2020-07-24 CVE-2020-8174

napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.

7.4 2020-06-08 CVE-2020-8172

TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.

9.8 2020-02-07 CVE-2019-15606

Including trailing white space in HTTP header values in Node.js 10, 12, and 13 causes bypass of authorization based on header value comparisons.

9.8 2020-02-07 CVE-2019-15605

HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed.

7.5 2020-02-07 CVE-2019-15604

Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate.

7.5 2019-03-28 CVE-2019-5737

In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.

4.3 2018-11-28 CVE-2018-12123

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.

7.5 2018-11-28 CVE-2018-12122

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.

7.5 2018-11-28 CVE-2018-12121

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.

7.5 2018-11-28 CVE-2018-12116

Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to be made to the same server.

5.9 2018-10-30 CVE-2018-0734

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).

5.9 2018-10-29 CVE-2018-0735

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).

7.5 2018-05-08 CVE-2018-1000168

nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.

CWE : Common Weakness Enumeration

% id Name
23% (3) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
15% (2) CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggli...
15% (2) CWE-320 Key Management Errors
15% (2) CWE-295 Certificate Issues
15% (2) CWE-20 Improper Input Validation
7% (1) CWE-476 NULL Pointer Dereference
7% (1) CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

Nessus® Vulnerability Scanner

id Description
2019-01-18 Name: The remote Fedora host is missing a security update.
File: fedora_2019-a8ffcff7ee.nasl - Type: ACT_GATHER_INFO
2019-01-17 Name: The remote database server is affected by multiple vulnerabilities.
File: mysql_8_0_14.nasl - Type: ACT_GATHER_INFO
2019-01-17 Name: The remote database server is affected by multiple vulnerabilities.
File: mysql_5_7_25.nasl - Type: ACT_GATHER_INFO
2019-01-17 Name: The remote database server is affected by multiple vulnerabilities.
File: mysql_5_6_43.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-bdefa5e5bb.nasl - Type: ACT_GATHER_INFO
2019-01-02 Name: Tenable Nessus running on the remote host is affected by multiple vulnerabili...
File: nessus_tns_2018_17.nasl - Type: ACT_GATHER_INFO
2019-01-02 Name: Tenable Nessus running on the remote host is affected by multiple vulnerabili...
File: nessus_tns_2018_16.nasl - Type: ACT_GATHER_INFO
2018-12-28 Name: Node.js - JavaScript run-time environment is affected by multiple vulnerabili...
File: nodejs_2018_nov.nasl - Type: ACT_GATHER_INFO
2018-12-20 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4355.nasl - Type: ACT_GATHER_INFO
2018-12-10 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_2a86f45afc3c11e8a41400155d006b02.nasl - Type: ACT_GATHER_INFO
2018-12-01 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4348.nasl - Type: ACT_GATHER_INFO
2018-11-23 Name: The remote Debian host is missing a security update.
File: debian_DLA-1586.nasl - Type: ACT_GATHER_INFO
2018-11-23 Name: The remote Slackware host is missing a security update.
File: Slackware_SSA_2018-325-01.nasl - Type: ACT_GATHER_INFO
2018-11-14 Name: Node.js - JavaScript run-time environment is affected by multiple vulnerabili...
File: nodejs_2018_jul.nasl - Type: ACT_GATHER_INFO
2018-10-30 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_238ae7dedba211e8b713b499baebfeaf.nasl - Type: ACT_GATHER_INFO
2018-07-24 Name: The remote PhotonOS host is missing multiple security updates.
File: PhotonOS_PHSA-2018-1_0-0150.nasl - Type: ACT_GATHER_INFO
2018-06-15 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_45b8e2eb705611e88fab63ca6e0e13a2.nasl - Type: ACT_GATHER_INFO
2018-05-30 Name: The remote Amazon Linux 2 host is missing a security update.
File: al2_ALAS-2018-1020.nasl - Type: ACT_GATHER_INFO
2018-04-23 Name: The remote Fedora host is missing a security update.
File: fedora_2018-cec96a9c41.nasl - Type: ACT_GATHER_INFO
2018-04-16 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_1fccb25e8451438ca2b96a021e4d7a31.nasl - Type: ACT_GATHER_INFO