nodejs14 (SUSE:Linux Enterprise High Performance Computing 15 SP2-LTSS) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise High Performance Computing 15 SP2-LTSS package nodejs14, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (31)
CVE-2023-32002 — CVSS 9.8 (critical): The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module…
CVE-2021-3918 — CVSS 9.8 (critical): json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2023-32006 — CVSS 8.8 (high): The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition…
CVE-2021-32803 — CVSS 8.2 (high): The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability…
CVE-2021-32804 — CVSS 8.2 (high): The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability…
CVE-2024-27983 — CVSS 8.2 (high): An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2…
CVE-2022-32212 — CVSS 8.1 (high): A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that…
CVE-2022-43548 — CVSS 8.1 (high): A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost…
CVE-2023-23918 — CVSS 7.5 (high): A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the…
CVE-2022-0778 — CVSS 7.5 (high): The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli…
CVE-2023-30581 — CVSS 7.5 (high): The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the…
CVE-2023-30589 — CVSS 7.5 (high): The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to…
CVE-2023-30590 — CVSS 7.5 (high): The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only…
CVE-2023-32559 — CVSS 7.5 (high): A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use…
CVE-2023-38552 — CVSS 7.5 (high): When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation…
CVE-2024-22019 — CVSS 7.5 (high): A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to…
CVE-2023-46809 — CVSS 7.4 (high): Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched…
CVE-2024-24806 — CVSS 7.3 (high): libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and…
CVE-2022-32215 — CVSS 6.5 (medium): The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding…
CVE-2024-22025 — CVSS 6.5 (medium): A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the…
CVE-2022-32214 — CVSS 6.5 (medium): The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP…
CVE-2022-32213 — CVSS 6.5 (medium): The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding…
CVE-2024-27982 — CVSS 6.5 (medium): The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to…
CVE-2022-25881 — CVSS 5.3 (medium): This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent…
CVE-2021-23343 — CVSS 5.3 (medium): All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and…
CVE-2023-23920 — CVSS 4.2 (medium): An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search…
CVE-2021-44907: Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation…