Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2023-2535
Vulnerability from csaf_certbund
Published
2019-07-22 22:00
Modified
2023-10-03 22:00
Summary
Red Hat rh-nodejs8-nodejs: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat rh-nodejs8-nodejs ausnutzen, um Dateien zu manipulieren.
Betroffene Betriebssysteme
- Linux
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat rh-nodejs8-nodejs ausnutzen, um Dateien zu manipulieren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-2535 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2019/wid-sec-w-2023-2535.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-2535 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2535"
},
{
"category": "external",
"summary": "F5 Security Advisory K000137093 vom 2023-10-02",
"url": "https://my.f5.com/manage/s/article/K000137093"
},
{
"category": "external",
"summary": "F5 Security Advisory K000137090 vom 2023-10-02",
"url": "https://my.f5.com/manage/s/article/K000137090"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2019:1821 vom 2019-07-22",
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
}
],
"source_lang": "en-US",
"title": "Red Hat rh-nodejs8-nodejs: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-10-03T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:59:19.823+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-2535",
"initial_release_date": "2019-07-22T22:00:00.000+00:00",
"revision_history": [
{
"date": "2019-07-22T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2023-10-03T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von F5 aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "F5 BIG-IP",
"product": {
"name": "F5 BIG-IP",
"product_id": "T001663",
"product_identification_helper": {
"cpe": "cpe:/a:f5:big-ip:-"
}
}
}
],
"category": "vendor",
"name": "F5"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-12116",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen in rh-nodejs8-nodejs. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen oder einen Denial of Service zu verursachen. Zur Ausnutzung eines Teils dieser Schwachstellen ist eine Interaktion des Angegriffenen n\u00f6tig."
}
],
"product_status": {
"known_affected": [
"67646",
"T001663"
]
},
"release_date": "2019-07-22T22:00:00.000+00:00",
"title": "CVE-2018-12116"
},
{
"cve": "CVE-2018-12121",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen in rh-nodejs8-nodejs. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen oder einen Denial of Service zu verursachen. Zur Ausnutzung eines Teils dieser Schwachstellen ist eine Interaktion des Angegriffenen n\u00f6tig."
}
],
"product_status": {
"known_affected": [
"67646",
"T001663"
]
},
"release_date": "2019-07-22T22:00:00.000+00:00",
"title": "CVE-2018-12121"
},
{
"cve": "CVE-2018-12122",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen in rh-nodejs8-nodejs. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen oder einen Denial of Service zu verursachen. Zur Ausnutzung eines Teils dieser Schwachstellen ist eine Interaktion des Angegriffenen n\u00f6tig."
}
],
"product_status": {
"known_affected": [
"67646",
"T001663"
]
},
"release_date": "2019-07-22T22:00:00.000+00:00",
"title": "CVE-2018-12122"
},
{
"cve": "CVE-2018-12123",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen in rh-nodejs8-nodejs. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen oder einen Denial of Service zu verursachen. Zur Ausnutzung eines Teils dieser Schwachstellen ist eine Interaktion des Angegriffenen n\u00f6tig."
}
],
"product_status": {
"known_affected": [
"67646",
"T001663"
]
},
"release_date": "2019-07-22T22:00:00.000+00:00",
"title": "CVE-2018-12123"
},
{
"cve": "CVE-2018-20834",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen in rh-nodejs8-nodejs. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen oder einen Denial of Service zu verursachen. Zur Ausnutzung eines Teils dieser Schwachstellen ist eine Interaktion des Angegriffenen n\u00f6tig."
}
],
"product_status": {
"known_affected": [
"67646",
"T001663"
]
},
"release_date": "2019-07-22T22:00:00.000+00:00",
"title": "CVE-2018-20834"
},
{
"cve": "CVE-2019-5737",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen in rh-nodejs8-nodejs. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen oder einen Denial of Service zu verursachen. Zur Ausnutzung eines Teils dieser Schwachstellen ist eine Interaktion des Angegriffenen n\u00f6tig."
}
],
"product_status": {
"known_affected": [
"67646",
"T001663"
]
},
"release_date": "2019-07-22T22:00:00.000+00:00",
"title": "CVE-2019-5737"
}
]
}
CVE-2018-12122 (GCVE-0-2018-12122)
Vulnerability from cvelistv5
Published
2018-11-28 17:00
Modified
2024-12-13 13:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption / Denial of Service
Summary
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Node.js Project | Node.js |
Version: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-12-13T13:09:20.260Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106043",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106043"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-48"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241213-0009/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"
}
]
}
],
"datePublic": "2018-11-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption / Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T20:06:05",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106043",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106043"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2018-12122",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption / Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106043",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106043"
},
{
"name": "RHSA-2019:1821",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-12122",
"datePublished": "2018-11-28T17:00:00",
"dateReserved": "2018-06-11T00:00:00",
"dateUpdated": "2024-12-13T13:09:20.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-12121 (GCVE-0-2018-12121)
Vulnerability from cvelistv5
Published
2018-11-28 17:00
Modified
2024-12-27 16:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption / Denial of Service
Summary
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Node.js Project | Node.js |
Version: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-12-27T16:02:58.114Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106043",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106043"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "RHSA-2019:2258",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2258"
},
{
"name": "RHSA-2019:3497",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3497"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-48"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241227-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"
}
]
}
],
"datePublic": "2018-11-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption / Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T20:06:06",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106043",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106043"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "RHSA-2019:2258",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2258"
},
{
"name": "RHSA-2019:3497",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3497"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2018-12121",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption / Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106043",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106043"
},
{
"name": "RHSA-2019:1821",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "RHSA-2019:2258",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2258"
},
{
"name": "RHSA-2019:3497",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3497"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-12121",
"datePublished": "2018-11-28T17:00:00",
"dateReserved": "2018-06-11T00:00:00",
"dateUpdated": "2024-12-27T16:02:58.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-12116 (GCVE-0-2018-12116)
Vulnerability from cvelistv5
Published
2018-11-28 17:00
Modified
2024-08-05 08:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-115 - Misinterpretation of Input
Summary
Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Node.js Project | Node.js |
Version: All versions prior to Node.js 6.15.0 and 8.14.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:24:03.673Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "All versions prior to Node.js 6.15.0 and 8.14.0"
}
]
}
],
"datePublic": "2018-11-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-115",
"description": "CWE-115: Misinterpretation of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T20:06:04",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2018-12116",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to Node.js 6.15.0 and 8.14.0"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-115: Misinterpretation of Input"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "RHSA-2019:1821",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-12116",
"datePublished": "2018-11-28T17:00:00",
"dateReserved": "2018-06-11T00:00:00",
"dateUpdated": "2024-08-05T08:24:03.673Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-20834 (GCVE-0-2018-20834)
Vulnerability from cvelistv5
Published
2019-04-30 18:01
Modified
2024-08-05 12:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:12:27.376Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/344595"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/npm/node-tar/compare/58a8d43...a5f7779"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20834"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/npm/node-tar/commit/7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/npm/node-tar/commits/v2.2.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-04T19:04:47",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/344595"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/npm/node-tar/compare/58a8d43...a5f7779"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20834"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/npm/node-tar/commit/7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/npm/node-tar/commits/v2.2.2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-20834",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/344595",
"refsource": "MISC",
"url": "https://hackerone.com/reports/344595"
},
{
"name": "https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8",
"refsource": "MISC",
"url": "https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8"
},
{
"name": "https://github.com/npm/node-tar/compare/58a8d43...a5f7779",
"refsource": "MISC",
"url": "https://github.com/npm/node-tar/compare/58a8d43...a5f7779"
},
{
"name": "RHSA-2019:1821",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "https://nvd.nist.gov/vuln/detail/CVE-2018-20834",
"refsource": "MISC",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20834"
},
{
"name": "https://github.com/npm/node-tar/commit/7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d",
"refsource": "MISC",
"url": "https://github.com/npm/node-tar/commit/7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d"
},
{
"name": "https://github.com/npm/node-tar/commits/v2.2.2",
"refsource": "MISC",
"url": "https://github.com/npm/node-tar/commits/v2.2.2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-20834",
"datePublished": "2019-04-30T18:01:58",
"dateReserved": "2019-04-30T00:00:00",
"dateUpdated": "2024-08-05T12:12:27.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-5737 (GCVE-0-2019-5737)
Vulnerability from cvelistv5
Published
2019-03-28 16:20
Modified
2024-08-04 20:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption / Denial of Service
Summary
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:01:52.386Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/"
},
{
"name": "openSUSE-SU-2019:1076",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"
},
{
"name": "openSUSE-SU-2019:1173",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"
},
{
"name": "openSUSE-SU-2019:1211",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00059.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190502-0008/"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "Node.js",
"versions": [
{
"status": "affected",
"version": "All versions prior to 6.17.0"
},
{
"status": "affected",
"version": "All versions prior to 8.15.1"
},
{
"status": "affected",
"version": "All versions prior to 10.15.2"
},
{
"status": "affected",
"version": "All versions prior to 11.10.1"
}
]
}
],
"datePublic": "2019-02-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption / Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T20:06:11",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/"
},
{
"name": "openSUSE-SU-2019:1076",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"
},
{
"name": "openSUSE-SU-2019:1173",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"
},
{
"name": "openSUSE-SU-2019:1211",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00059.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190502-0008/"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2019-5737",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to 6.17.0"
},
{
"version_value": "All versions prior to 8.15.1"
},
{
"version_value": "All versions prior to 10.15.2"
},
{
"version_value": "All versions prior to 11.10.1"
}
]
}
}
]
},
"vendor_name": "Node.js"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption / Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/",
"refsource": "MISC",
"url": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/"
},
{
"name": "openSUSE-SU-2019:1076",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"
},
{
"name": "openSUSE-SU-2019:1173",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"
},
{
"name": "openSUSE-SU-2019:1211",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00059.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190502-0008/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190502-0008/"
},
{
"name": "RHSA-2019:1821",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2019-5737",
"datePublished": "2019-03-28T16:20:28",
"dateReserved": "2019-01-09T00:00:00",
"dateUpdated": "2024-08-04T20:01:52.386Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-12123 (GCVE-0-2018-12123)
Vulnerability from cvelistv5
Published
2018-11-28 17:00
Modified
2024-12-13 13:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-115 - Misinterpretation of Input
Summary
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Node.js Project | Node.js |
Version: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-12-13T13:09:21.262Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-48"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241213-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"
}
]
}
],
"datePublic": "2018-11-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case \"javascript:\" (e.g. \"javAscript:\") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-115",
"description": "CWE-115: Misinterpretation of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T20:06:13",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2018-12123",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case \"javascript:\" (e.g. \"javAscript:\") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-115: Misinterpretation of Input"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "RHSA-2019:1821",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-12123",
"datePublished": "2018-11-28T17:00:00",
"dateReserved": "2018-06-11T00:00:00",
"dateUpdated": "2024-12-13T13:09:21.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…