Nodejs Node.Js vulnerabilities

CVE-2016-9841 [CRITICAL] CVE-2016-9841: inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by levera inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

CVE-2016-9843 [CRITICAL] CVE-2016-9843: The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unsp The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.

CVE-2016-9842 [HIGH] CWE-1335 CVE-2016-9842: The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.

CVE-2016-9840 [HIGH] CVE-2016-9840: inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by lever inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

CVE-2017-3731 [HIGH] CWE-125 CVE-2017-3731: If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, the If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash c

CVE-2016-7055 [MEDIUM] CVE-2016-7055: There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in Op There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with

CVE-2017-3732 [MEDIUM] CVE-2017-3732: There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (althou

CVE-2015-8860 [HIGH] CWE-59 CVE-2015-8860: The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a s The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.

CVE-2015-8855 [HIGH] CWE-399 CVE-2015-8855: The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consu The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."

CVE-2013-7451 [MEDIUM] CWE-79 CVE-2013-7451: The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag.

CVE-2013-7452 [MEDIUM] CWE-79 CVE-2013-7452: The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scrip The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI.

CVE-2013-7454 [MEDIUM] CWE-79 CVE-2013-7454: The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scrip The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings.

CVE-2014-9772 [MEDIUM] CWE-79 CVE-2014-9772: The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scri The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters.

CVE-2013-7453 [MEDIUM] CWE-79 CVE-2013-7453: The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scrip The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing.

CVE-2016-5325 [MEDIUM] CWE-113 CVE-2016-5325: CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10. CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.

CVE-2016-7099 [MEDIUM] CWE-19 CVE-2016-7099: The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x be The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

CVE-2016-5180 [CRITICAL] CWE-787 CVE-2016-5180: Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remo Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.

CVE-2016-6304 [HIGH] CWE-401 CVE-2016-6304: Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1. Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.

CVE-2016-7052 [HIGH] CWE-476 CVE-2016-7052: crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.

CVE-2016-6306 [MEDIUM] CWE-125 CVE-2016-6306: The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.