| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2023-23936 |
74 |
|
|
2023-02-16 |
2023-02-24 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici. |
|
2 |
CVE-2023-23920 |
426 |
|
|
2023-02-23 |
2023-05-03 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges. |
|
3 |
CVE-2023-23919 |
|
|
DoS |
2023-02-23 |
2023-03-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service. |
|
4 |
CVE-2023-23918 |
863 |
|
Bypass |
2023-02-23 |
2023-03-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy. |
|
5 |
CVE-2022-43548 |
78 |
|
Bypass |
2022-12-05 |
2023-04-27 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix. |
|
6 |
CVE-2022-35256 |
444 |
|
|
2022-12-05 |
2023-05-12 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling. |
|
7 |
CVE-2022-35255 |
338 |
|
|
2022-12-05 |
2023-03-01 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material. |
|
8 |
CVE-2022-32222 |
326 |
|
|
2022-07-14 |
2023-02-23 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3. |
|
9 |
CVE-2022-32215 |
444 |
|
|
2022-07-14 |
2023-02-23 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). |
|
10 |
CVE-2022-32214 |
444 |
|
|
2022-07-14 |
2023-02-23 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). |
|
11 |
CVE-2022-32213 |
444 |
|
|
2022-07-14 |
2023-02-23 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). |
|
12 |
CVE-2022-32212 |
78 |
|
Bypass |
2022-07-14 |
2023-02-23 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks. |
|
13 |
CVE-2022-21824 |
1321 |
|
|
2022-02-24 |
2022-11-10 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to. |
|
14 |
CVE-2022-3786 |
120 |
|
DoS Overflow |
2022-11-01 |
2023-01-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. |
|
15 |
CVE-2022-3602 |
120 |
|
DoS Exec Code Overflow |
2022-11-01 |
2023-01-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6). |
|
16 |
CVE-2022-0778 |
835 |
|
DoS |
2022-03-15 |
2022-11-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). |
|
17 |
CVE-2021-44533 |
295 |
|
Bypass |
2022-02-24 |
2022-10-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable. |
|
18 |
CVE-2021-44532 |
295 |
|
Bypass |
2022-02-24 |
2022-10-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option. |
|
19 |
CVE-2021-44531 |
295 |
|
Bypass |
2022-02-24 |
2022-10-05 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option. |
|
20 |
CVE-2021-43803 |
|
|
|
2021-12-10 |
2022-02-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. |
|
21 |
CVE-2021-23840 |
190 |
|
Overflow |
2021-02-16 |
2022-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). |
|
22 |
CVE-2021-22940 |
416 |
|
Mem. Corr. |
2021-08-16 |
2022-11-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. |
|
23 |
CVE-2021-22939 |
295 |
|
|
2021-08-16 |
2022-11-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. |
|
24 |
CVE-2021-22931 |
20 |
|
Exec Code XSS |
2021-08-16 |
2022-08-12 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. |
|
25 |
CVE-2021-22930 |
416 |
|
Mem. Corr. |
2021-10-07 |
2022-11-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. |
|
26 |
CVE-2021-22918 |
125 |
|
|
2021-07-12 |
2022-04-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo(). |
|
27 |
CVE-2021-22884 |
|
|
Bypass |
2021-03-03 |
2022-04-06 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160. |
|
28 |
CVE-2021-22883 |
772 |
|
DoS |
2021-03-03 |
2022-10-24 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory. |
|
29 |
CVE-2021-4044 |
835 |
|
|
2021-12-14 |
2022-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). |
|
30 |
CVE-2021-3672 |
79 |
|
XSS |
2021-11-23 |
2022-10-18 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability. |
|
31 |
CVE-2021-3449 |
476 |
|
DoS |
2021-03-25 |
2022-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). |
|
32 |
CVE-2020-11080 |
707 |
|
DoS |
2020-06-03 |
2022-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection. |
|
33 |
CVE-2020-10531 |
787 |
|
Overflow |
2020-03-12 |
2022-08-12 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. |
|
34 |
CVE-2020-8287 |
444 |
|
|
2021-01-06 |
2023-02-03 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling. |
|
35 |
CVE-2020-8277 |
400 |
|
DoS |
2020-11-19 |
2022-05-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1. |
|
36 |
CVE-2020-8265 |
416 |
|
DoS |
2021-01-06 |
2022-04-06 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits. |
|
37 |
CVE-2020-8252 |
120 |
|
Overflow |
2020-09-18 |
2022-05-24 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes. |
|
38 |
CVE-2020-8251 |
400 |
|
DoS |
2020-09-18 |
2022-05-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections. |
|
39 |
CVE-2020-8201 |
444 |
|
|
2020-09-18 |
2022-05-24 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names. |
|
40 |
CVE-2020-8174 |
191 |
|
Mem. Corr. |
2020-07-24 |
2022-05-12 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0. |
|
41 |
CVE-2020-8172 |
295 |
|
Bypass |
2020-06-08 |
2022-05-12 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0. |
|
42 |
CVE-2020-1971 |
476 |
|
DoS |
2020-12-08 |
2022-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). |
|
43 |
CVE-2019-15606 |
|
|
Bypass |
2020-02-07 |
2022-10-05 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons |
|
44 |
CVE-2019-15605 |
444 |
|
|
2020-02-07 |
2022-11-16 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed |
|
45 |
CVE-2019-15604 |
295 |
|
|
2020-02-07 |
2022-11-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate |
|
46 |
CVE-2019-9518 |
770 |
|
DoS |
2019-08-13 |
2022-08-12 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU. |
|
47 |
CVE-2019-9517 |
770 |
|
DoS |
2019-08-13 |
2023-01-19 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both. |
|
48 |
CVE-2019-9516 |
770 |
|
DoS |
2019-08-13 |
2022-08-05 |
6.8 |
None |
Remote |
Low |
??? |
None |
None |
Complete |
|
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory. |
|
49 |
CVE-2019-9515 |
770 |
|
DoS |
2019-08-13 |
2022-08-12 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
|
50 |
CVE-2019-9514 |
770 |
|
DoS |
2019-08-13 |
2022-08-12 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. |
