nodejs18 (SUSE:Linux Enterprise Module for Web and Scripting 15 SP4) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise Module for Web and Scripting 15 SP4 package nodejs18, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (29)
CVE-2023-32002 — CVSS 9.8 (critical): The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module…
CVE-2022-35255 — CVSS 9.1 (critical): A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGe…
CVE-2023-32006 — CVSS 8.8 (high): The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition…
CVE-2022-43548 — CVSS 8.1 (high): A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost…
CVE-2022-32212 — CVSS 8.1 (high): A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that…
CVE-2023-32067 — CVSS 7.5 (high): c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker…
CVE-2023-30581 — CVSS 7.5 (high): The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the…
CVE-2023-30585 — CVSS 7.5 (high): A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install…
CVE-2023-30589 — CVSS 7.5 (high): The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to…
CVE-2023-30590 — CVSS 7.5 (high): The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only…
CVE-2023-38552 — CVSS 7.5 (high): When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation…
CVE-2023-32559 — CVSS 7.5 (high): A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use…
CVE-2023-23918 — CVSS 7.5 (high): A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the…
CVE-2023-23919 — CVSS 7.5 (high): A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL…
CVE-2023-24807 — CVSS 7.5 (high): Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to…
CVE-2022-35256 — CVSS 6.5 (medium): The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may…
CVE-2022-32213 — CVSS 6.5 (medium): The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding…
CVE-2022-32215 — CVSS 6.5 (medium): The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding…
CVE-2022-32214 — CVSS 6.5 (medium): The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP…
CVE-2023-23936 — CVSS 6.5 (medium): Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect…
CVE-2023-31147 — CVSS 5.9 (medium): c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random…
CVE-2022-25881 — CVSS 5.3 (medium): This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent…
CVE-2023-30588 — CVSS 5.3 (medium): When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs…
CVE-2023-39333 — CVSS 5.3 (medium): Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data…
CVE-2023-23920 — CVSS 4.2 (medium): An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search…
CVE-2023-31130 — CVSS 4.1 (medium): c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in…
CVE-2023-45143 — CVSS 3.9 (low): Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on…
CVE-2023-31124 — CVSS 3.7 (low): c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be…