Debian Nodejs vulnerabilities

CVE-2019-5737 [HIGH] CVE-2019-5737: nodejs - In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, ... In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by

CVE-2019-5739 [HIGH] CVE-2019-5739: nodejs - Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 m... Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second

CVE-2018-12123 [MEDIUM] CVE-2018-12123: nodejs - Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostn... Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are m

CVE-2018-7161 [HIGH] CVE-2018-7161: nodejs - All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HI... All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug where objects are used in native code after they are no longer available. Th

CVE-2018-12120 [HIGH] CVE-2018-12120: nodejs - Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any... Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has alwa

CVE-2018-7158 [HIGH] CVE-2018-7158: nodejs - The `'path'` module in the Node.js 4.x release line contains a potential regular... The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `

CVE-2018-12121 [HIGH] CVE-2018-12121: nodejs - Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denia... Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigat

CVE-2018-7167 [HIGH] CVE-2018-7167: nodejs - Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang ... Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulner

CVE-2018-12116 [HIGH] CVE-2018-12116: nodejs - Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting... Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server. Scope: local bookworm: resolved (fixed in 10.1

CVE-2018-7160 [HIGH] CVE-2018-7160: nodejs - The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack ... The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to t

CVE-2018-12115 [HIGH] CVE-2018-12115: nodejs - In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS... In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that start from the second-to-last position of a buffer cause a miscalculation of the maximum l

CVE-2018-7159 [MEDIUM] CVE-2018-7159: nodejs - The HTTP parser in all current versions of Node.js ignores spaces in the `Conten... The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security ris

CVE-2018-7162 [HIGH] CVE-2018-7162: nodejs - All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An... All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshake. This vulnerability has been addressed by updating the TLS implementat

CVE-2018-7166 [HIGH] CVE-2018-7166: nodejs - In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can c... In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a number, this is misinterpreted by `Buffer's` internal "fill" method as the `start` to a fill

CVE-2018-7164 [HIGH] CVE-2018-7164: nodejs - Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MED... Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession. This vulnerability was restor

CVE-2018-12122 [HIGH] CVE-2018-12122: nodejs - Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowl... Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time. Scope: local bookworm: resolved (fixed in 10.15.0~dfsg-6) bullseye: resolved (fixed in 10

CVE-2017-15896 [CRITICAL] CVE-2017-15896: nodejs - Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the us... Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption. Scope: local bookworm: resolved bullseye: resolved forky: resolv

CVE-2017-14849 [HIGH] CVE-2017-14849: nodejs - Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, b... Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2017-15897 [LOW] CVE-2017-15897: nodejs - Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initial... Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases. Scope: local bookworm: res

CVE-2017-11499 [HIGH] CVE-2017-11499: nodejs - Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 th... Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be ove