From d3253f175bb7f981eb4390164af468eb01c840bc Mon Sep 17 00:00:00 2001
From: RafaelGSS
Date: Fri, 13 Oct 2023 18:54:39 -0300
Subject: [PATCH] vuln: add october 2023 security release vulns
---
 vuln/core/125.json | 8 +++++
 vuln/core/126.json | 8 +++++
 vuln/core/127.json | 8 +++++
 vuln/core/128.json | 8 +++++
 vuln/core/129.json | 8 +++++
 vuln/core/130.json | 8 +++++
 vuln/core/index.json | 72 ++++++++++++++++++++++++++++++++++++++++++++
 7 files changed, 120 insertions(+)
 create mode 100644 vuln/core/125.json
 create mode 100644 vuln/core/126.json
 create mode 100644 vuln/core/127.json
 create mode 100644 vuln/core/128.json
 create mode 100644 vuln/core/129.json
 create mode 100644 vuln/core/130.json
diff --git a/vuln/core/125.json b/vuln/core/125.json
new file mode 100644
index 00000000..8b8cbecb
--- /dev/null
+++ b/vuln/core/125.json
@@ -0,0 +1,8 @@
+{
+ "cve": ["CVE-2023-45143"],
+ "vulnerable": "18.x || 20.x",
+ "patched": "^18.18.2 || ^20.8.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+ "overview": "Cookie headers are not cleared in cross-domain redirect in undici-fetch (High)",
+ "affectedEnvironments": ["all"]
+}
diff --git a/vuln/core/126.json b/vuln/core/126.json
new file mode 100644
index 00000000..36ef214e
--- /dev/null
+++ b/vuln/core/126.json
@@ -0,0 +1,8 @@
+{
+ "cve": ["CVE-2023-44487"],
+ "vulnerable": "18.x || 20.x",
+ "patched": "^18.18.2 || ^20.8.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+ "overview": "Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound cause denial of service (High)",
+ "affectedEnvironments": ["all"]
+}
diff --git a/vuln/core/127.json b/vuln/core/127.json
new file mode 100644
index 00000000..82951518
--- /dev/null
+++ b/vuln/core/127.json
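Review bot: In vuln/core/125.json the severity exists only as a suffix of the free-text `overview` ("... in undici-fetch (High)"), so a consumer that wants to filter or rank advisories by severity has to parse prose. If the database schema accepts an extra key, a separate field beside `overview`, for example `"severity": "high"`, would make it machine-readable; whether the validator allows that is not visible in this patch. The same pattern appears in 126.json through 130.json and in the matching vuln/core/index.json entries.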
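Review bot: The `overview` in vuln/core/126.json never names HTTP/2, although HEADERS and RST_STREAM are HTTP/2 frames, so a search of the database for the protocol will miss the entry for CVE-2023-44487; "without bound cause" should also read "causes". Suggested line: `"overview": "HTTP/2: rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound causes denial of service (High)",`. Entry "126" in vuln/core/index.json carries the same string and would need the same change.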
@@ -0,0 +1,8 @@
+{
+ "cve": ["CVE-2023-39331"],
+ "vulnerable": "20.x",
+ "patched": "^20.8.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+ "overview": "A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently. The implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations (High)",
+ "affectedEnvironments": ["all"]
+}
diff --git a/vuln/core/128.json b/vuln/core/128.json
new file mode 100644
index 00000000..9d09ebde
--- /dev/null
+++ b/vuln/core/128.json
@@ -0,0 +1,8 @@
+{
+ "cve": ["CVE-2023-39332"],
+ "vulnerable": "20.x",
+ "patched": "^20.8.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+ "overview": "Path traversal through path stored in Uint8Array (High)",
+ "affectedEnvironments": ["all"]
+}
diff --git a/vuln/core/129.json b/vuln/core/129.json
new file mode 100644
index 00000000..c7e84c6b
--- /dev/null
+++ b/vuln/core/129.json
@@ -0,0 +1,8 @@
+{
+ "cve": ["CVE-2023-38552"],
+ "vulnerable": "18.x || 20.x",
+ "patched": "^18.18.2 || ^20.8.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+ "overview": "Integrity checks according to experimental policies can be circumvented (Medium)",
+ "affectedEnvironments": ["all"]
+}
diff --git a/vuln/core/130.json b/vuln/core/130.json
new file mode 100644
index 00000000..98099d8d
--- /dev/null
+++ b/vuln/core/130.json
@@ -0,0 +1,8 @@
+{
+ "cve": ["CVE-2023-39333"],
+ "vulnerable": "18.x || 20.x",
+ "patched": "^18.18.2 || ^20.8.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+ "overview": "Code injection via WebAssembly export names (Low)",
+ "affectedEnvironments": ["all"]
+}
diff --git a/vuln/core/index.json b/vuln/core/index.json
index af398008..7c6565eb 100644
--- a/vuln/core/index.json
+++ b/vuln/core/index.json
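Review bot: The `overview` in vuln/core/127.json does not say which feature is affected, so together with `"vulnerable": "20.x"` and a High rating it reads as if every 20.x deployment were exposed. I believe CVE-2023-39331 and the CVE-2023-30584 it follows up concern the experimental permission model; please confirm against the advisory in `ref`. If so, starting the string with `Permission model (experimental): ` would let a triager rule the entry out quickly when the feature is not enabled, the way 129.json already says "experimental policies". The same precondition seems to be missing from "Path traversal through path stored in Uint8Array (High)" in 128.json and from entries "127" and "128" in vuln/core/index.json.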
@@ -1546,5 +1546,77 @@
 "affectedEnvironments": [
 "all"
 ]
+ },
+ "125": {
+ "cve": [
+ "CVE-2023-45143"
+ ],
+ "vulnerable": "18.x || 20.x",
+ "patched": "^18.18.2 || ^20.8.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+ "overview": "Cookie headers are not cleared in cross-domain redirect in undici-fetch (High)",
+ "affectedEnvironments": [
+ "all"
+ ]
+ },
+ "126": {
+ "cve": [
+ "CVE-2023-44487"
+ ],
+ "vulnerable": "18.x || 20.x",
+ "patched": "^18.18.2 || ^20.8.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+ "overview": "Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound cause denial of service (High)",
+ "affectedEnvironments": [
+ "all"
+ ]
+ },
+ "127": {
+ "cve": [
+ "CVE-2023-39331"
+ ],
+ "vulnerable": "20.x",
+ "patched": "^20.8.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+ "overview": "A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently. The implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations (High)",
+ "affectedEnvironments": [
+ "all"
+ ]
+ },
+ "128": {
+ "cve": [
+ "CVE-2023-39332"
+ ],
+ "vulnerable": "20.x",
+ "patched": "^20.8.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+ "overview": "Path traversal through path stored in Uint8Array (High)",
+ "affectedEnvironments": [
+ "all"
+ ]
+ },
+ "129": {
+ "cve": [
+ "CVE-2023-38552"
+ ],
+ "vulnerable": "18.x || 20.x",
+ "patched": "^18.18.2 || ^20.8.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+ "overview": "Integrity checks according to experimental policies can be circumvented (Medium)",
+ "affectedEnvironments": [
+ "all"
+ ]
+ },
+ "130": {
+ "cve": [
+ "CVE-2023-39333"
+ ],
+ "vulnerable": "18.x || 20.x",
+ "patched": "^18.18.2 || ^20.8.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+ "overview": "Code injection via WebAssembly export names (Low)",
+ "affectedEnvironments": [
+ "all"
+ ]
 }
 }
\ No newline at end of file