nodejs20 (SUSE:Linux Enterprise Module for Web and Scripting 15 SP5) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise Module for Web and Scripting 15 SP5 package nodejs20, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (21)
CVE-2024-21896 — CVSS 9.8 (critical): The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path…
CVE-2024-21891 — CVSS 8.8 (high): Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with…
CVE-2024-27983 — CVSS 8.2 (high): An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2…
CVE-2024-27980 — CVSS 8.1 (high): Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject…
CVE-2024-36138 — CVSS 8.1 (high): Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via…
CVE-2024-21892 — CVSS 7.8 (high): On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running…
CVE-2024-22019 — CVSS 7.5 (high): A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to…
CVE-2024-21538 — CVSS 7.5 (high): Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service…
CVE-2023-46809 — CVSS 7.4 (high): Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched…
CVE-2024-24806 — CVSS 7.3 (high): libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and…
CVE-2024-22017 — CVSS 7.3 (high): setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to…
CVE-2024-22025 — CVSS 6.5 (medium): A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the…
CVE-2024-21890 — CVSS 6.5 (medium): The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path…
CVE-2024-22020 — CVSS 6.5 (medium): A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can…
CVE-2024-27982 — CVSS 6.5 (medium): The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to…
CVE-2024-24758 — CVSS 3.9 (low): Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but…
CVE-2024-30260 — CVSS 3.9 (low): Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`…
CVE-2024-37372 — CVSS 3.6 (low): The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not…
CVE-2024-36137 — CVSS 3.3 (low): A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is…
CVE-2024-22018 — CVSS 2.9 (low): A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used…
CVE-2024-30261 — CVSS 2.6 (low): Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing…