nodejs10 (SUSE:Linux Enterprise Module for Web and Scripting 12) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise Module for Web and Scripting 12 package nodejs10, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (44)
CVE-2021-22930 — CVSS 9.8 (critical): Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory…
CVE-2019-15606 — CVSS 9.8 (critical): Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value…
CVE-2019-15605 — CVSS 9.8 (critical): HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
CVE-2021-3918 — CVSS 9.8 (critical): json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2021-22931 — CVSS 9.8 (critical): Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input…
CVE-2020-10531 — CVSS 8.8 (high): An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based…
CVE-2022-21824 — CVSS 8.2 (high): Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the…
CVE-2021-32804 — CVSS 8.2 (high): The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability…
CVE-2021-32803 — CVSS 8.2 (high): The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability…
CVE-2020-8174 — CVSS 8.1 (high): napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
CVE-2020-8265 — CVSS 8.1 (high): Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to…
CVE-2020-8252 — CVSS 7.8 (high): The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which…
CVE-2019-16777 — CVSS 7.7 (high): Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed…
CVE-2019-16776 — CVSS 7.7 (high): Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the…
CVE-2019-16775 — CVSS 7.7 (high): Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files…
CVE-2019-9513 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple…
CVE-2019-15604 — CVSS 7.5 (high): Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate
CVE-2019-5737 — CVSS 7.5 (high): In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of…
CVE-2019-9511 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a…
CVE-2019-9512 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings…
CVE-2019-13173 — CVSS 7.5 (high): fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in…
CVE-2019-9514 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of…
CVE-2019-9515 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of…
CVE-2019-9517 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The…
CVE-2019-9518 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a…
CVE-2021-22883 — CVSS 7.5 (high): Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an…
CVE-2021-22884 — CVSS 7.5 (high): Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”…
CVE-2021-23840 — CVSS 7.5 (high): Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input…
CVE-2021-27290 — CVSS 7.5 (high): ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs…
CVE-2021-3450 — CVSS 7.4 (high): The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by…
CVE-2020-8287 — CVSS 6.5 (medium): Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two…
CVE-2019-9516 — CVSS 6.5 (medium): Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of…
CVE-2020-1971 — CVSS 5.9 (medium): The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName…
CVE-2021-3449 — CVSS 5.9 (medium): An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation…
CVE-2020-7598 — CVSS 5.6 (medium): minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
CVE-2021-3672 — CVSS 5.6 (medium): A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to…
CVE-2021-23362 — CVSS 5.3 (medium): The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression…
CVE-2021-23343 — CVSS 5.3 (medium): All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and…
CVE-2021-22939 — CVSS 5.3 (medium): If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned…
CVE-2021-22918 — CVSS 5.3 (medium): Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII…
CVE-2020-15095 — CVSS 4.4 (medium): Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs…
CVE-2020-11080 — CVSS 3.7 (low): In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack…