admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-07-29 05:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

- Added submissions from Node.js for November 2018 Security Releases from 2018-11-27.

Browse Source
This commit is contained in:
CVE Team 2018-11-28 11:15:25 -05:00
parent 2f0557d85f
commit f55f7e22d5
No known key found for this signature in database
GPG Key ID: 0DA1F9F56BC892E8
5 changed files with 225 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
2018/12xxx/CVE-2018-12116.json
View File

@ -1,8 +1,31 @@
{
"CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org",
"ASSIGNER" : "cve-request@iojs.org",
"ID" : "CVE-2018-12116",
"STATE" : "RESERVED"
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "Node.js",
"version" : {
"version_data" : [
{
"version_value" : "All versions prior to Node.js 6.15.0 and 8.14.0"
}
]
}
}
]
},
"vendor_name" : "The Node.js Project"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
@ -11,7 +34,26 @@
"description_data" : [
{
"lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value" : "HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-115: Misinterpretation of Input"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"url" : "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
}
]
}

48
2018/12xxx/CVE-2018-12120.json
View File

@ -1,8 +1,31 @@
{
"CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org",
"ASSIGNER" : "cve-request@iojs.org",
"ID" : "CVE-2018-12120",
"STATE" : "RESERVED"
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "Node.js",
"version" : {
"version_data" : [
{
"version_value" : "All versions prior to Node.js 6.15.0"
}
]
}
}
]
},
"vendor_name" : "The Node.js Project"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
@ -11,7 +34,26 @@
"description_data" : [
{
"lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value" : "Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-419: Unprotected Primary Channel"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"url" : "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
}
]
}

48
2018/12xxx/CVE-2018-12121.json
View File

@ -1,8 +1,31 @@
{
"CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org",
"ASSIGNER" : "cve-request@iojs.org",
"ID" : "CVE-2018-12121",
"STATE" : "RESERVED"
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "Node.js",
"version" : {
"version_data" : [
{
"version_value" : "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"
}
]
}
}
]
},
"vendor_name" : "The Node.js Project"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
@ -11,7 +34,26 @@
"description_data" : [
{
"lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value" : "Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-400: Uncontrolled Resource Consumption / Denial of Service"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"url" : "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
}
]
}

48
2018/12xxx/CVE-2018-12122.json
View File

@ -1,8 +1,31 @@
{
"CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org",
"ASSIGNER" : "cve-request@iojs.org",
"ID" : "CVE-2018-12122",
"STATE" : "RESERVED"
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "Node.js",
"version" : {
"version_data" : [
{
"version_value" : "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"
}
]
}
}
]
},
"vendor_name" : "The Node.js Project"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
@ -11,7 +34,26 @@
"description_data" : [
{
"lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value" : "Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-400: Uncontrolled Resource Consumption / Denial of Service"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"url" : "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
}
]
}

48
2018/12xxx/CVE-2018-12123.json
View File

@ -1,8 +1,31 @@
{
"CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org",
"ASSIGNER" : "cve-request@iojs.org",
"ID" : "CVE-2018-12123",
"STATE" : "RESERVED"
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "Node.js",
"version" : {
"version_data" : [
{
"version_value" : "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"
}
]
}
}
]
},
"vendor_name" : "The Node.js Project"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
@ -11,7 +34,26 @@
"description_data" : [
{
"lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value" : "Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case \"javascript:\" (e.g. \"javAscript:\") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-115: Misinterpretation of Input"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"url" : "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
}
]
}