-
Notifications
You must be signed in to change notification settings - Fork 122
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
f1dfdea
commit d79e4e4
Showing
147 changed files
with
891 additions
and
301 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2022-35256"], | ||
"cve": [ | ||
"CVE-2022-35256" | ||
], | ||
"vulnerable": "14.x || 16.x || 18.x", | ||
"patched": "^14.20.1 || ^16.17.1 || ^18.9.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/", | ||
"overview": "The llhttp parser in the http module in Node.js v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "medium" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2022-35255"], | ||
"cve": [ | ||
"CVE-2022-35255" | ||
], | ||
"vulnerable": "18.x", | ||
"patched": "^18.9.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/", | ||
"overview": "Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. However, it does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "high" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2022-43548"], | ||
"cve": [ | ||
"CVE-2022-43548" | ||
], | ||
"vulnerable": "14.x || 16.x || 18.x || 19.x", | ||
"patched": "^14.21.1 || ^16.18.1 || ^18.12.1 || ^19.0.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/", | ||
"overview": "The Node.js rebinding protector for --inspect still allows invalid IP address, specifically, the octal format.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "medium" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-23918"], | ||
"cve": [ | ||
"CVE-2023-23918" | ||
], | ||
"vulnerable": "14.x || 16.x || 18.x || 19.x", | ||
"patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/", | ||
"overview": "It was possible to bypass Permissions and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "high" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-23919"], | ||
"cve": [ | ||
"CVE-2023-23919" | ||
], | ||
"vulnerable": "14.x || 16.x || 18.x || 19.x", | ||
"patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.2.0", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/", | ||
"overview": "In some cases Node.js did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "medium" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-23936"], | ||
"cve": [ | ||
"CVE-2023-23936" | ||
], | ||
"vulnerable": "14.x || 16.x || 18.x || 19.x", | ||
"patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/", | ||
"overview": "The fetch API in Node.js did not prevent CRLF injection in the 'host' header potentially allowing attacks such as HTTP response splitting and HTTP header injection.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "medium" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-24807"], | ||
"cve": [ | ||
"CVE-2023-24807" | ||
], | ||
"vulnerable": "14.x || 16.x || 18.x || 19.x", | ||
"patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/", | ||
"overview": "The Headers.set() and Headers.append() methods in the fetch API in Node.js where vulnerable to Regular a Expression Denial of Service (ReDoS) attacks.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "low" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-23920"], | ||
"cve": [ | ||
"CVE-2023-23920" | ||
], | ||
"vulnerable": "14.x || 16.x || 18.x || 19.x", | ||
"patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/", | ||
"overview": "Node.js would search and potentially load ICU data when running with elevated priviledges. Node.js was modified to build with ICU_NO_USER_DATA_OVERRIDE to avoid this.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "low" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-30581"], | ||
"cve": [ | ||
"CVE-2023-30581" | ||
], | ||
"vulnerable": "16.x || 18.x || 20.x", | ||
"patched": "^16.20.1 || ^18.16.1 || ^20.3.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", | ||
"overview": "The use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules outside of the policy.json definition", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "high" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-30582"], | ||
"cve": [ | ||
"CVE-2023-30582" | ||
], | ||
"vulnerable": "20.x", | ||
"patched": "^20.3.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", | ||
"overview": "A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "medium" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-30583"], | ||
"cve": [ | ||
"CVE-2023-30583" | ||
], | ||
"vulnerable": "20.x", | ||
"patched": "^20.3.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", | ||
"overview": "fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the --allow-fs-read flag in Node.js 20", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "medium" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-30584"], | ||
"cve": [ | ||
"CVE-2023-30584" | ||
], | ||
"vulnerable": "20.x", | ||
"patched": "^20.3.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", | ||
"overview": "A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "high" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-30585"], | ||
"cve": [ | ||
"CVE-2023-30585" | ||
], | ||
"vulnerable": "16.x || 18.x || 20.x", | ||
"patched": "^16.20.1 || ^18.16.1 || ^20.3.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", | ||
"overview": "Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process", | ||
"affectedEnvironments": ["win32"] | ||
"affectedEnvironments": [ | ||
"win32" | ||
], | ||
"severity": "medium" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-30586"], | ||
"cve": [ | ||
"CVE-2023-30586" | ||
], | ||
"vulnerable": "20.x", | ||
"patched": "^20.3.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", | ||
"overview": "Node.js 20 allows loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "medium" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-30587"], | ||
"cve": [ | ||
"CVE-2023-30587" | ||
], | ||
"vulnerable": "20.x", | ||
"patched": "^20.3.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", | ||
"overview": "A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector).", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "high" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-30589"], | ||
"cve": [ | ||
"CVE-2023-30589" | ||
], | ||
"vulnerable": "16.x || 18.x || 20.x", | ||
"patched": "^16.20.1 || ^18.16.1 || ^20.3.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", | ||
"overview": "The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "medium" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-30588"], | ||
"cve": [ | ||
"CVE-2023-30588" | ||
], | ||
"vulnerable": "16.x || 18.x || 20.x", | ||
"patched": "^16.20.1 || ^18.16.1 || ^20.3.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", | ||
"overview": "When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "medium" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-30590"], | ||
"cve": [ | ||
"CVE-2023-30590" | ||
], | ||
"vulnerable": "16.x || 18.x || 20.x", | ||
"patched": "^16.20.1 || ^18.16.1 || ^20.3.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", | ||
"overview": "The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "medium" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-32002"], | ||
"cve": [ | ||
"CVE-2023-32002" | ||
], | ||
"vulnerable": "16.x || 18.x || 20.x", | ||
"patched": "^16.20.2 || ^18.17.1 || ^20.5.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/", | ||
"overview": "The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "unknown" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-32004"], | ||
"cve": [ | ||
"CVE-2023-32004" | ||
], | ||
"vulnerable": "20.x", | ||
"patched": "^20.5.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/", | ||
"overview": "Improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "unknown" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-32558"], | ||
"cve": [ | ||
"CVE-2023-32558" | ||
], | ||
"vulnerable": "20.x", | ||
"patched": "^20.5.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/", | ||
"overview": "The use of the deprecated API process.binding() can bypass the permission model through path traversal.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "unknown" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,13 @@ | ||
{ | ||
"cve": ["CVE-2023-32006"], | ||
"cve": [ | ||
"CVE-2023-32006" | ||
], | ||
"vulnerable": "16.x || 18.x || 20.x", | ||
"patched": "^16.20.2 || ^18.17.1 || ^20.5.1", | ||
"ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/", | ||
"overview": "The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.", | ||
"affectedEnvironments": ["all"] | ||
"affectedEnvironments": [ | ||
"all" | ||
], | ||
"severity": "unknown" | ||
} |
Oops, something went wrong.