VARIoT IoT vulnerabilities database
| VAR-202207-0708 | CVE-2022-33701 | Samsung KnoxCustomManagerService Access Control Error Vulnerability |
CVSS V2: 2.1 CVSS V3: 3.3 Severity: LOW |
Improper access control vulnerability in KnoxCustomManagerService prior to SMR Jul-2022 Release 1 allows attacker to call PowerManaer.goToSleep method which is protected by system permission by sending braodcast intent. Samsung KnoxCustomManagerService is a security solution based on the open source Android platform of Samsung (Samsung) in South Korea. It can comprehensively enhance security by combining physical means and software system, and is perfectly compatible with Android and Google ecosystems. Individual employees bring industry-leading enterprise mobility security solutions.
An access control error vulnerability exists in Samsung KnoxCustomManagerService that stems from the lack of protection for broadcast intents in KnoxCustomManagerService. An attacker could exploit this vulnerability to call PowerManaer.goToSleep by sending a broadcast intent
| VAR-202207-0931 | CVE-2022-33695 | Samsung InputManagerService Unauthorized Access Vulnerability |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Use of improper permission in InputManagerService prior to SMR Jul-2022 Release 1 allows unauthorized access to the service. Samsung InputManagerService is a service of Samsung (SAMSUNG) mobile devices. It is a service abstracted by Android to handle various user operations. It can be regarded as a Binder service entity, instantiated when the SystemServer process starts, and registered with ServiceManager go in.
An unauthorized access vulnerability exists in Samsung InputManagerService that stems from a lack of proper modification permissions in InputManagerService. An attacker could exploit this vulnerability to gain unauthorized access to the service
| VAR-202207-0796 | CVE-2020-29508 | Dell BSAFE Crypto-C Micro Edition and Dell BSAFE Micro Edition Suite Input verification vulnerability in |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Improper Input Validation Vulnerability. (DoS) It may be in a state. Dell BSAFE Micro Edition Suite is a development kit that provides encryption, certificates and transport layer security for c/c++ applications, devices and systems. Dell BSAFE is a security software product that supports encryption algorithms, certificate chain verification, Transport Layer Security (TLS) cipher suites, etc. to help users achieve various security goals for their applications
| VAR-202207-0601 | CVE-2020-35167 | Dell BSAFE Crypto-C Micro Edition and and Dell BSAFE Micro Edition Suite Vulnerability in |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability. (DoS) It may be in a state. Dell BSAFE Micro Edition Suite is a development kit that provides encryption, certificates and transport layer security for c/c++ applications, devices and systems. Dell BSAFE is a security software product that supports encryption algorithms, certificate chain verification, Transport Layer Security (TLS) cipher suites, etc. to help users achieve various security goals for their applications
| VAR-202207-0600 | CVE-2020-35163 | Dell BSAFE Crypto-C Micro Edition and Dell BSAFE Micro Edition Suite Vulnerability in using inadequate random values in |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain a Use of Insufficiently Random Values Vulnerability. (DoS) It may be in a state. Dell BSAFE Micro Edition Suite is a development kit that provides encryption, certificates and transport layer security for c/c++ applications, devices and systems. Dell BSAFE is a security software product that supports encryption algorithms, certificate chain verification, Transport Layer Security (TLS) cipher suites, etc. to help users achieve various security goals for their applications
| VAR-202207-0427 | CVE-2022-35416 | H3C SSL VPN Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
H3C SSL VPN through 2022-07-10 allows wnm/login/login.json svpnlang cookie XSS.
H3C SSL VPN 2022-07-10 and previous versions have a cross-site scripting vulnerability, which can be exploited by remote attackers to allow wnm/login/login.json svpnlang cross-site scripting attacks
| VAR-202207-0505 | CVE-2020-29506 | Dell BSAFE Crypto-C Micro Edition and Dell BSAFE Micro Edition Suite Vulnerability in |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain an Observable Timing Discrepancy Vulnerability. (DoS) It may be in a state. Dell BSAFE Micro Edition Suite is a development kit that provides encryption, certificates and transport layer security for c/c++ applications, devices and systems. Dell BSAFE is a security software product that supports encryption algorithms, certificate chain verification, Transport Layer Security (TLS) cipher suites, etc. to help users achieve various security goals for their applications
| VAR-202207-0506 | CVE-2020-35166 | Dell BSAFE Crypto-C Micro Edition and Dell BSAFE Micro Edition Suite Vulnerability in |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability. (DoS) It may be in a state. Dell BSAFE Micro Edition Suite is a development kit that provides encryption, certificates and transport layer security for c/c++ applications, devices and systems. Dell BSAFE is a security software product that supports encryption algorithms, certificate chain verification, Transport Layer Security (TLS) cipher suites, etc. to help users achieve various security goals for their applications
| VAR-202207-0579 | CVE-2020-29507 | Dell BSAFE Crypto-C Micro Edition and Dell BSAFE Micro Edition Suite Input verification vulnerability in |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.4, and Dell BSAFE Micro Edition Suite, versions before 4.4, contain an Improper Input Validation Vulnerability. (DoS) It may be in a state. Dell BSAFE Micro Edition Suite is a development kit that provides encryption, certificates and transport layer security for c/c++ applications, devices and systems. Dell BSAFE is a security software product that supports encryption algorithms, certificate chain verification, Transport Layer Security (TLS) cipher suites, etc. to help users achieve various security goals for their applications
| VAR-202207-0543 | CVE-2020-29505 | Dell BSAFE Crypto-C Micro Edition and Dell BSAFE Micro Edition Suite Vulnerability regarding lack of entropy in |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain a Key Management Error Vulnerability. Dell BSAFE Micro Edition Suite is a development kit that provides encryption, certificates and transport layer security for c/c++ applications, devices and systems. Dell BSAFE is a security software product that supports encryption algorithms, certificate chain verification, Transport Layer Security (TLS) cipher suites, etc. to help users achieve various security goals for their applications
| VAR-202207-0507 | CVE-2020-35169 | Dell BSAFE Crypto-C Micro Edition and Dell BSAFE Micro Edition Suite Input verification vulnerability in |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain an Improper Input Validation Vulnerability. (DoS) It may be in a state. Dell BSAFE Micro Edition Suite is a development kit that provides encryption, certificates and transport layer security for c/c++ applications, devices and systems. Dell BSAFE is a security software product that supports encryption algorithms, certificate chain verification, Transport Layer Security (TLS) cipher suites, etc. to help users achieve various security goals for their applications
| VAR-202207-0363 | CVE-2022-30792 | plural CODESYS GmbH Product resource exhaustion vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
In CmpChannelServer of CODESYS V3 in multiple versions an uncontrolled ressource consumption allows an unauthorized attacker to block new communication channel connections. Existing connections are not affected. control for beaglebone , control for empc-a/imx6 , CODESYS Control for IOT2000 SL etc. multiple CODESYS GmbH The product contains a resource exhaustion vulnerability.Service operation interruption (DoS) It may be in a state
| VAR-202207-0581 | CVE-2020-35168 | Dell BSAFE Crypto-C Micro Edition and and Dell BSAFE Micro Edition Suite Vulnerability in |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability. (DoS) It may be in a state. Dell BSAFE Micro Edition Suite is a development kit that provides encryption, certificates and transport layer security for c/c++ applications, devices and systems. Dell BSAFE is a security software product that supports encryption algorithms, certificate chain verification, Transport Layer Security (TLS) cipher suites, etc. to help users achieve various security goals for their applications
| VAR-202207-0490 | CVE-2022-30791 | plural CODESYS GmbH Product resource exhaustion vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
In CmpBlkDrvTcp of CODESYS V3 in multiple versions an uncontrolled ressource consumption allows an unauthorized attacker to block new TCP connections. Existing connections are not affected. control for beaglebone , control for empc-a/imx6 , CODESYS Control for IOT2000 SL etc. multiple CODESYS GmbH The product contains a resource exhaustion vulnerability.Service operation interruption (DoS) It may be in a state
| VAR-202207-0580 | CVE-2020-35164 | Dell BSAFE Crypto-C Micro Edition and Dell BSAFE Micro Edition Suite Vulnerability in |
CVSS V2: 7.5 CVSS V3: 8.1 Severity: HIGH |
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability. (DoS) It may be in a state. Dell BSAFE Micro Edition Suite is a development kit that provides encryption, certificates and transport layer security for c/c++ applications, devices and systems. Dell BSAFE is a security software product that supports encryption algorithms, certificate chain verification, Transport Layer Security (TLS) cipher suites, etc. to help users achieve various security goals for their applications
| VAR-202207-0350 | CVE-2022-22463 | IBM Security Access Manager Appliance In SQL Injection vulnerability |
CVSS V2: 6.4 CVSS V3: 6.5 Severity: MEDIUM |
IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 225079. Vendors may IBM X-Force ID: 225079 It is published as.Information may be obtained and information may be tampered with
| VAR-202207-0454 | CVE-2022-22465 | IBM Security Access Manager Appliance Vulnerability in |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 could allow a local user to obtain elevated privileges due to improper access permissions. IBM X-Force ID: 225082. Vendor exploits this vulnerability IBM X-Force ID: 225082 It is published as.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
| VAR-202207-0378 | CVE-2022-32222 | Node.js Foundation of Node.js Uncontrolled Search Path Element Vulnerability in Products from Other Vendors |
CVSS V2: - CVSS V3: 5.3 Severity: MEDIUM |
A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3. Node.js Foundation of Node.js Products from multiple other vendors are vulnerable to uncontrolled search path elements.Information may be tampered with. Node.js July 7th 2022 Security Releases: Attempt to read openssl.cnf from /home/iojs/build/ upon startup. When Node.js starts on linux based systems, it attempts to read /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf, which ordinarily doesn't exist. On some shared systems an attacker may be able create this file and therefore affect the default OpenSSL configuration for other users. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: Node.js: Multiple Vulnerabilities
Date: May 08, 2024
Bugs: #772422, #781704, #800986, #805053, #807775, #811273, #817938, #831037, #835615, #857111, #865627, #872692, #879617, #918086, #918614
ID: 202405-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
=======
Multiple vulnerabilities have been discovered in Node.js.
Background
=========
Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript engine. Please review
the CVE identifiers referenced below for details.
Impact
=====
Please review the referenced CVE identifiers for details.
Workaround
=========
There is no known workaround at this time.
Resolution
=========
All Node.js 20 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/nodejs-20.5.1"
All Node.js 18 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/nodejs-18.17.1"
All Node.js 16 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/nodejs-16.20.2"
References
=========
[ 1 ] CVE-2020-7774
https://nvd.nist.gov/vuln/detail/CVE-2020-7774
[ 2 ] CVE-2021-3672
https://nvd.nist.gov/vuln/detail/CVE-2021-3672
[ 3 ] CVE-2021-22883
https://nvd.nist.gov/vuln/detail/CVE-2021-22883
[ 4 ] CVE-2021-22884
https://nvd.nist.gov/vuln/detail/CVE-2021-22884
[ 5 ] CVE-2021-22918
https://nvd.nist.gov/vuln/detail/CVE-2021-22918
[ 6 ] CVE-2021-22930
https://nvd.nist.gov/vuln/detail/CVE-2021-22930
[ 7 ] CVE-2021-22931
https://nvd.nist.gov/vuln/detail/CVE-2021-22931
[ 8 ] CVE-2021-22939
https://nvd.nist.gov/vuln/detail/CVE-2021-22939
[ 9 ] CVE-2021-22940
https://nvd.nist.gov/vuln/detail/CVE-2021-22940
[ 10 ] CVE-2021-22959
https://nvd.nist.gov/vuln/detail/CVE-2021-22959
[ 11 ] CVE-2021-22960
https://nvd.nist.gov/vuln/detail/CVE-2021-22960
[ 12 ] CVE-2021-37701
https://nvd.nist.gov/vuln/detail/CVE-2021-37701
[ 13 ] CVE-2021-37712
https://nvd.nist.gov/vuln/detail/CVE-2021-37712
[ 14 ] CVE-2021-39134
https://nvd.nist.gov/vuln/detail/CVE-2021-39134
[ 15 ] CVE-2021-39135
https://nvd.nist.gov/vuln/detail/CVE-2021-39135
[ 16 ] CVE-2021-44531
https://nvd.nist.gov/vuln/detail/CVE-2021-44531
[ 17 ] CVE-2021-44532
https://nvd.nist.gov/vuln/detail/CVE-2021-44532
[ 18 ] CVE-2021-44533
https://nvd.nist.gov/vuln/detail/CVE-2021-44533
[ 19 ] CVE-2022-0778
https://nvd.nist.gov/vuln/detail/CVE-2022-0778
[ 20 ] CVE-2022-3602
https://nvd.nist.gov/vuln/detail/CVE-2022-3602
[ 21 ] CVE-2022-3786
https://nvd.nist.gov/vuln/detail/CVE-2022-3786
[ 22 ] CVE-2022-21824
https://nvd.nist.gov/vuln/detail/CVE-2022-21824
[ 23 ] CVE-2022-32212
https://nvd.nist.gov/vuln/detail/CVE-2022-32212
[ 24 ] CVE-2022-32213
https://nvd.nist.gov/vuln/detail/CVE-2022-32213
[ 25 ] CVE-2022-32214
https://nvd.nist.gov/vuln/detail/CVE-2022-32214
[ 26 ] CVE-2022-32215
https://nvd.nist.gov/vuln/detail/CVE-2022-32215
[ 27 ] CVE-2022-32222
https://nvd.nist.gov/vuln/detail/CVE-2022-32222
[ 28 ] CVE-2022-35255
https://nvd.nist.gov/vuln/detail/CVE-2022-35255
[ 29 ] CVE-2022-35256
https://nvd.nist.gov/vuln/detail/CVE-2022-35256
[ 30 ] CVE-2022-35948
https://nvd.nist.gov/vuln/detail/CVE-2022-35948
[ 31 ] CVE-2022-35949
https://nvd.nist.gov/vuln/detail/CVE-2022-35949
[ 32 ] CVE-2022-43548
https://nvd.nist.gov/vuln/detail/CVE-2022-43548
[ 33 ] CVE-2023-30581
https://nvd.nist.gov/vuln/detail/CVE-2023-30581
[ 34 ] CVE-2023-30582
https://nvd.nist.gov/vuln/detail/CVE-2023-30582
[ 35 ] CVE-2023-30583
https://nvd.nist.gov/vuln/detail/CVE-2023-30583
[ 36 ] CVE-2023-30584
https://nvd.nist.gov/vuln/detail/CVE-2023-30584
[ 37 ] CVE-2023-30586
https://nvd.nist.gov/vuln/detail/CVE-2023-30586
[ 38 ] CVE-2023-30587
https://nvd.nist.gov/vuln/detail/CVE-2023-30587
[ 39 ] CVE-2023-30588
https://nvd.nist.gov/vuln/detail/CVE-2023-30588
[ 40 ] CVE-2023-30589
https://nvd.nist.gov/vuln/detail/CVE-2023-30589
[ 41 ] CVE-2023-30590
https://nvd.nist.gov/vuln/detail/CVE-2023-30590
[ 42 ] CVE-2023-32002
https://nvd.nist.gov/vuln/detail/CVE-2023-32002
[ 43 ] CVE-2023-32003
https://nvd.nist.gov/vuln/detail/CVE-2023-32003
[ 44 ] CVE-2023-32004
https://nvd.nist.gov/vuln/detail/CVE-2023-32004
[ 45 ] CVE-2023-32005
https://nvd.nist.gov/vuln/detail/CVE-2023-32005
[ 46 ] CVE-2023-32006
https://nvd.nist.gov/vuln/detail/CVE-2023-32006
[ 47 ] CVE-2023-32558
https://nvd.nist.gov/vuln/detail/CVE-2023-32558
[ 48 ] CVE-2023-32559
https://nvd.nist.gov/vuln/detail/CVE-2023-32559
Availability
===========
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202405-29
Concerns?
========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
======
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
| VAR-202207-0381 | CVE-2022-32212 | Node.js Foundation of Node.js in products from other multiple vendors OS Command injection vulnerability |
CVSS V2: - CVSS V3: 8.1 Severity: HIGH |
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks. Node.js Foundation of Node.js For products from other vendors, OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Node.js July 7th 2022 Security Releases: DNS rebinding in --inspect via invalid IP addresses. When an invalid IPv4 address is provided (for instance 10.0.2.555 is provided), browsers (such as Firefox) will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MITM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security and bug fix update
Advisory ID: RHSA-2022:6389-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6389
Issue date: 2022-09-08
CVE Names: CVE-2022-32212 CVE-2022-32213 CVE-2022-32214
CVE-2022-32215 CVE-2022-33987
====================================================================
1. Summary:
An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now
available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
3. Description:
Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version:
rh-nodejs14-nodejs (14.20.0).
Security Fix(es):
* nodejs: DNS rebinding in --inspect via invalid IP addresses
(CVE-2022-32212)
* nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding
(CVE-2022-32213)
* nodejs: HTTP request smuggling due to improper delimiting of header
fields (CVE-2022-32214)
* nodejs: HTTP request smuggling due to incorrect parsing of multi-line
Transfer-Encoding (CVE-2022-32215)
* got: missing verification of requested URLs allows redirects to UNIX
sockets (CVE-2022-33987)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
* rh-nodejs14-nodejs: rebase to latest upstream release (BZ#2106673)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2102001 - CVE-2022-33987 got: missing verification of requested URLs allows redirects to UNIX sockets
2105422 - CVE-2022-32212 nodejs: DNS rebinding in --inspect via invalid IP addresses
2105426 - CVE-2022-32215 nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding
2105428 - CVE-2022-32214 nodejs: HTTP request smuggling due to improper delimiting of header fields
2105430 - CVE-2022-32213 nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding
2106673 - rh-nodejs14-nodejs: rebase to latest upstream release [rhscl-3.8.z]
6. Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
rh-nodejs14-nodejs-14.20.0-2.el7.src.rpm
rh-nodejs14-nodejs-nodemon-2.0.19-1.el7.src.rpm
noarch:
rh-nodejs14-nodejs-docs-14.20.0-2.el7.noarch.rpm
rh-nodejs14-nodejs-nodemon-2.0.19-1.el7.noarch.rpm
ppc64le:
rh-nodejs14-nodejs-14.20.0-2.el7.ppc64le.rpm
rh-nodejs14-nodejs-debuginfo-14.20.0-2.el7.ppc64le.rpm
rh-nodejs14-nodejs-devel-14.20.0-2.el7.ppc64le.rpm
rh-nodejs14-npm-6.14.17-14.20.0.2.el7.ppc64le.rpm
s390x:
rh-nodejs14-nodejs-14.20.0-2.el7.s390x.rpm
rh-nodejs14-nodejs-debuginfo-14.20.0-2.el7.s390x.rpm
rh-nodejs14-nodejs-devel-14.20.0-2.el7.s390x.rpm
rh-nodejs14-npm-6.14.17-14.20.0.2.el7.s390x.rpm
x86_64:
rh-nodejs14-nodejs-14.20.0-2.el7.x86_64.rpm
rh-nodejs14-nodejs-debuginfo-14.20.0-2.el7.x86_64.rpm
rh-nodejs14-nodejs-devel-14.20.0-2.el7.x86_64.rpm
rh-nodejs14-npm-6.14.17-14.20.0.2.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source:
rh-nodejs14-nodejs-14.20.0-2.el7.src.rpm
rh-nodejs14-nodejs-nodemon-2.0.19-1.el7.src.rpm
noarch:
rh-nodejs14-nodejs-docs-14.20.0-2.el7.noarch.rpm
rh-nodejs14-nodejs-nodemon-2.0.19-1.el7.noarch.rpm
x86_64:
rh-nodejs14-nodejs-14.20.0-2.el7.x86_64.rpm
rh-nodejs14-nodejs-debuginfo-14.20.0-2.el7.x86_64.rpm
rh-nodejs14-nodejs-devel-14.20.0-2.el7.x86_64.rpm
rh-nodejs14-npm-6.14.17-14.20.0.2.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-32212
https://access.redhat.com/security/cve/CVE-2022-32213
https://access.redhat.com/security/cve/CVE-2022-32214
https://access.redhat.com/security/cve/CVE-2022-32215
https://access.redhat.com/security/cve/CVE-2022-33987
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYxnqU9zjgjWX9erEAQipBg/+NJmkBsKEPkFHZAiZhGKiwIkwaFcHK+e/
ODClFTTT9SkkMBheuc9HQDmwukaVlLMvbOJSVL/6NvuLQvOcQHtprOAJXr3I6KQm
VScJRQny4et+D/N3bJJiuhqe9YY9Bh+EP7omS4aq2UuphEhkuTSQ0V2+Fa4O8wdZ
bAhUhU660Q6aGzNGvcyz8vi7ohmOFZS94/x2Lr6cBG8LF0dmr/pIw+uPlO36ghXF
IPEM3VcGisTGQRg2Xy5yqeouK1S+YAcZ1f0QUOePP+WRhIecfmG3cj6oYTRnrOyq
+62525BHDNjIz55z6H32dKBIy+r+HT7WaOGgPwvH+ugmlH6NyKHjSyy+IJoglkfM
4+QA0zun7WhLet5y4jmsWCpT3mOCWj7h+iW6IqTlfcad3wCQ6OnySRq67W3GDq+M
3kdUdBoyfLm1vzLceEF4AK8qChj7rVl8x0b4v8OfRGv6ZEIe+BfJYNzI9HeuIE91
BYtLGe18vMs5mcWxcYMWlfAgzVSGTaqaaBie9qPtAThs00lJd9oRf/Mfga42/6vI
nBLHwE3NyPyKfaLvcyLa/oPwGnOhKyPtD8HeN2MORm6RUeUClaq9s+ihDIPvbyLX
bcKKdjGoJDWyJy2yU2GkVwrbF6gcKgdvo2uFckOpouKQ4P9KEooI/15fLy8NPIZz
hGdWoRKL34w\xcePC
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
. 9) - aarch64, noarch, ppc64le, s390x, x86_64
3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5326-1 security@debian.org
https://www.debian.org/security/ Aron Xu
January 24, 2023 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : nodejs
CVE ID : CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215
CVE-2022-35255 CVE-2022-35256 CVE-2022-43548
Multiple vulnerabilities were discovered in Node.js, which could result
in HTTP request smuggling, bypass of host IP address validation and weak
randomness setup.
For the stable distribution (bullseye), these problems have been fixed in
version 12.22.12~dfsg-1~deb11u3.
We recommend that you upgrade your nodejs packages.
For the detailed security status of nodejs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nodejs
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPQNhIACgkQEMKTtsN8
TjaRmA/+KDFkQcd2sE/eAAx9cVikICNkfu7uIVKHpeDH9o5oq5M2nj4zHJCeAArp
WblguyZwEtqzAOO2WesbrmwfXLmglhrNZwRMOrsbu63JxSnecp7qcMwR8A4JWdmd
Txb4aZr6Prmwq6fT0G3K6oV8Hw+OeqYA/RZKenxtkBf/jdzVahGJHJ/NrFKKWVQW
xbqHwCkP7uUlm+5UR5XzNrodTRCQYHJvUmDUrjEOjM6x+sqYirKWiERN0A14kVn9
0Ufrw6+Z2tKhdKFZfU1BtDthhlH/nybz0h3aHsk+E5/vx20WAURiCEDVi7nf8+Rf
EtbCxaqV+/xVoPmXStHY/ogCo8CgRVsyYUIemgi4q5LwVx/Oqjm2CJ/xCwOKh0E2
idXLJfLSpxxBe598MUn9iKbnFFCN9DQZXf7BYs3djtn8ALFVBSHZSF1QXFoFQ86w
Y9xGhBQzfEgCoEW7H4S30ZQ+Gz+ZnOMCSH+MKIMtSpqbc7wLtrKf839DO6Uux7B7
u0WR3lZlsihi92QKq9X/VRkyy8ZiA2TYy3IE+KDKlXDHKls9FR9BUClYe9L8RiRu
boP8KPFUHUsSVaTzkufMStdKkcXCqgj/6KhJL6E9ZunTBpTmqx1Ty7/N2qktLFnH
ujrffzV3rCE6eIg7ps8OdZbjCfqUqmQk9/pV6ZDjymqjZ1LKZDs\xfeRn
-----END PGP SIGNATURE-----
. ==========================================================================
Ubuntu Security Notice USN-6491-1
November 21, 2023
nodejs vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in Node.js.
Software Description:
- nodejs: An open-source, cross-platform JavaScript runtime environment.
Details:
Axel Chong discovered that Node.js incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2022-32212)
Zeyu Zhang discovered that Node.js incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-32213,
CVE-2022-32214, CVE-2022-32215)
It was discovered that Node.js incorrectly handled certain inputs. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to execute arbitrary
code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-35256)
It was discovered that Node.js incorrectly handled certain inputs. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to execute arbitrary
code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-43548)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
libnode-dev 12.22.9~dfsg-1ubuntu3.2
libnode72 12.22.9~dfsg-1ubuntu3.2
nodejs 12.22.9~dfsg-1ubuntu3.2
nodejs-doc 12.22.9~dfsg-1ubuntu3.2
Ubuntu 20.04 LTS:
libnode-dev 10.19.0~dfsg-3ubuntu1.3
libnode64 10.19.0~dfsg-3ubuntu1.3
nodejs 10.19.0~dfsg-3ubuntu1.3
nodejs-doc 10.19.0~dfsg-3ubuntu1.3
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
nodejs 8.10.0~dfsg-2ubuntu0.4+esm4
nodejs-dev 8.10.0~dfsg-2ubuntu0.4+esm4
nodejs-doc 8.10.0~dfsg-2ubuntu0.4+esm4
In general, a standard system update will make all the necessary changes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: Node.js: Multiple Vulnerabilities
Date: May 08, 2024
Bugs: #772422, #781704, #800986, #805053, #807775, #811273, #817938, #831037, #835615, #857111, #865627, #872692, #879617, #918086, #918614
ID: 202405-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
=======
Multiple vulnerabilities have been discovered in Node.js.
Background
=========
Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript engine.
Affected packages
================
Package Vulnerable Unaffected
--------------- ------------ ------------
net-libs/nodejs < 16.20.2 >= 16.20.2
Description
==========
Multiple vulnerabilities have been discovered in Node.js. Please review
the CVE identifiers referenced below for details.
Impact
=====
Please review the referenced CVE identifiers for details.
Workaround
=========
There is no known workaround at this time.
Resolution
=========
All Node.js 20 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/nodejs-20.5.1"
All Node.js 18 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/nodejs-18.17.1"
All Node.js 16 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/nodejs-16.20.2"
References
=========
[ 1 ] CVE-2020-7774
https://nvd.nist.gov/vuln/detail/CVE-2020-7774
[ 2 ] CVE-2021-3672
https://nvd.nist.gov/vuln/detail/CVE-2021-3672
[ 3 ] CVE-2021-22883
https://nvd.nist.gov/vuln/detail/CVE-2021-22883
[ 4 ] CVE-2021-22884
https://nvd.nist.gov/vuln/detail/CVE-2021-22884
[ 5 ] CVE-2021-22918
https://nvd.nist.gov/vuln/detail/CVE-2021-22918
[ 6 ] CVE-2021-22930
https://nvd.nist.gov/vuln/detail/CVE-2021-22930
[ 7 ] CVE-2021-22931
https://nvd.nist.gov/vuln/detail/CVE-2021-22931
[ 8 ] CVE-2021-22939
https://nvd.nist.gov/vuln/detail/CVE-2021-22939
[ 9 ] CVE-2021-22940
https://nvd.nist.gov/vuln/detail/CVE-2021-22940
[ 10 ] CVE-2021-22959
https://nvd.nist.gov/vuln/detail/CVE-2021-22959
[ 11 ] CVE-2021-22960
https://nvd.nist.gov/vuln/detail/CVE-2021-22960
[ 12 ] CVE-2021-37701
https://nvd.nist.gov/vuln/detail/CVE-2021-37701
[ 13 ] CVE-2021-37712
https://nvd.nist.gov/vuln/detail/CVE-2021-37712
[ 14 ] CVE-2021-39134
https://nvd.nist.gov/vuln/detail/CVE-2021-39134
[ 15 ] CVE-2021-39135
https://nvd.nist.gov/vuln/detail/CVE-2021-39135
[ 16 ] CVE-2021-44531
https://nvd.nist.gov/vuln/detail/CVE-2021-44531
[ 17 ] CVE-2021-44532
https://nvd.nist.gov/vuln/detail/CVE-2021-44532
[ 18 ] CVE-2021-44533
https://nvd.nist.gov/vuln/detail/CVE-2021-44533
[ 19 ] CVE-2022-0778
https://nvd.nist.gov/vuln/detail/CVE-2022-0778
[ 20 ] CVE-2022-3602
https://nvd.nist.gov/vuln/detail/CVE-2022-3602
[ 21 ] CVE-2022-3786
https://nvd.nist.gov/vuln/detail/CVE-2022-3786
[ 22 ] CVE-2022-21824
https://nvd.nist.gov/vuln/detail/CVE-2022-21824
[ 23 ] CVE-2022-32212
https://nvd.nist.gov/vuln/detail/CVE-2022-32212
[ 24 ] CVE-2022-32213
https://nvd.nist.gov/vuln/detail/CVE-2022-32213
[ 25 ] CVE-2022-32214
https://nvd.nist.gov/vuln/detail/CVE-2022-32214
[ 26 ] CVE-2022-32215
https://nvd.nist.gov/vuln/detail/CVE-2022-32215
[ 27 ] CVE-2022-32222
https://nvd.nist.gov/vuln/detail/CVE-2022-32222
[ 28 ] CVE-2022-35255
https://nvd.nist.gov/vuln/detail/CVE-2022-35255
[ 29 ] CVE-2022-35256
https://nvd.nist.gov/vuln/detail/CVE-2022-35256
[ 30 ] CVE-2022-35948
https://nvd.nist.gov/vuln/detail/CVE-2022-35948
[ 31 ] CVE-2022-35949
https://nvd.nist.gov/vuln/detail/CVE-2022-35949
[ 32 ] CVE-2022-43548
https://nvd.nist.gov/vuln/detail/CVE-2022-43548
[ 33 ] CVE-2023-30581
https://nvd.nist.gov/vuln/detail/CVE-2023-30581
[ 34 ] CVE-2023-30582
https://nvd.nist.gov/vuln/detail/CVE-2023-30582
[ 35 ] CVE-2023-30583
https://nvd.nist.gov/vuln/detail/CVE-2023-30583
[ 36 ] CVE-2023-30584
https://nvd.nist.gov/vuln/detail/CVE-2023-30584
[ 37 ] CVE-2023-30586
https://nvd.nist.gov/vuln/detail/CVE-2023-30586
[ 38 ] CVE-2023-30587
https://nvd.nist.gov/vuln/detail/CVE-2023-30587
[ 39 ] CVE-2023-30588
https://nvd.nist.gov/vuln/detail/CVE-2023-30588
[ 40 ] CVE-2023-30589
https://nvd.nist.gov/vuln/detail/CVE-2023-30589
[ 41 ] CVE-2023-30590
https://nvd.nist.gov/vuln/detail/CVE-2023-30590
[ 42 ] CVE-2023-32002
https://nvd.nist.gov/vuln/detail/CVE-2023-32002
[ 43 ] CVE-2023-32003
https://nvd.nist.gov/vuln/detail/CVE-2023-32003
[ 44 ] CVE-2023-32004
https://nvd.nist.gov/vuln/detail/CVE-2023-32004
[ 45 ] CVE-2023-32005
https://nvd.nist.gov/vuln/detail/CVE-2023-32005
[ 46 ] CVE-2023-32006
https://nvd.nist.gov/vuln/detail/CVE-2023-32006
[ 47 ] CVE-2023-32558
https://nvd.nist.gov/vuln/detail/CVE-2023-32558
[ 48 ] CVE-2023-32559
https://nvd.nist.gov/vuln/detail/CVE-2023-32559
Availability
===========
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202405-29
Concerns?
========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
======
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
| VAR-202207-0546 | CVE-2022-35234 | Trend Micro antivirus Multiple vulnerabilities in the cloud |
CVSS V2: - CVSS V3: 7.1 Severity: HIGH |
Trend Micro Security 2021 and 2022 (Consumer) is vulnerable to an Out-Of-Bounds Read Information Disclosure Vulnerability that could allow an attacker to read sensitive information from other memory locations and cause a crash on an affected machine. Virus Buster from Trend Micro Inc. An update for the cloud has been released. This vulnerability information is provided by the developer for the purpose of dissemination to product users. JPCERT/CC Report to JPCERT/CC Coordinated with the developer.The potential impact will vary for each vulnerability, but you may be impacted by: Please refer to the respective advisory provided by the developer for details. Cloud version 17.7 It was * Arbitrary file deletion due to link interpretation problem when accessing file in data erasure tool - CVE-2022-30687 It was * Privilege escalation due to link interpretation problems when accessing files - CVE-2022-34893 It was * Information Disclosure via Out-of-Bounds Read Vulnerability - CVE-2022-35234 , CVE-2022-37347 , CVE-2022-37348 It was * Time-of-check Time-of-use (( TOCTOU ) Privilege escalation due to race condition vulnerability - CVE-2022-48191 virus buster Cloud version 17.0 It was * Information Disclosure via Out-of-Bounds Read Vulnerability - CVE-2022-35234 , CVE-2022-37347 , CVE-2022-37348. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the User Mode Hooking Monitor Engine. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of SYSTEM