admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-05-05 18:28:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2025-04-30 23:00:39 +00:00
parent 6ab421505d
commit f9f9b36e7b
No known key found for this signature in database
GPG Key ID: BC5FD8F2443B23B7
23 changed files with 2379 additions and 912 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

178
2019/15xxx/CVE-2019-15604.json
View File

@ -1,25 +1,93 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2019-15604", "ID": "CVE-2019-15604",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Certificate Validation (CWE-295)",
"cweId": "CWE-295"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "10.19.0, 12.15.0, 13.8.0" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.19.0"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.15.0"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.8.0"
} }
] ]
} }
@ -30,59 +98,47 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Certificate Validation (CWE-295)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0573",
"name": "RHSA-2020:0573", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0573" "name": "https://access.redhat.com/errata/RHSA-2020:0573"
}, },
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0579",
"name": "RHSA-2020:0579", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0579" "name": "https://access.redhat.com/errata/RHSA-2020:0579"
}, },
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0597",
"name": "RHSA-2020:0597", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0597" "name": "https://access.redhat.com/errata/RHSA-2020:0597"
}, },
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0598",
"name": "RHSA-2020:0598", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0598" "name": "https://access.redhat.com/errata/RHSA-2020:0598"
}, },
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0602",
"name": "RHSA-2020:0602", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0602" "name": "https://access.redhat.com/errata/RHSA-2020:0602"
}, },
{ {
"refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html",
"name": "openSUSE-SU-2020:0293", "refsource": "MISC",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html" "name": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html"
}, },
{ {
"refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-48",
"name": "GLSA-202003-48", "refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202003-48" "name": "https://security.gentoo.org/glsa/202003-48"
}, },
{ {
"refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4669",
"name": "DSA-4669", "refsource": "MISC",
"url": "https://www.debian.org/security/2020/dsa-4669" "name": "https://www.debian.org/security/2020/dsa-4669"
}, },
{ {
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html",
@ -95,42 +151,34 @@
"name": "https://www.oracle.com//security-alerts/cpujul2021.html" "name": "https://www.oracle.com//security-alerts/cpujul2021.html"
}, },
{ {
"url": "https://hackerone.com/reports/746733",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/746733", "name": "https://hackerone.com/reports/746733"
"url": "https://hackerone.com/reports/746733"
}, },
{ {
"refsource": "CONFIRM", "url": "https://nodejs.org/en/blog/release/v13.8.0/",
"name": "https://nodejs.org/en/blog/release/v13.8.0/", "refsource": "MISC",
"url": "https://nodejs.org/en/blog/release/v13.8.0/" "name": "https://nodejs.org/en/blog/release/v13.8.0/"
}, },
{ {
"refsource": "CONFIRM", "url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/",
"name": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/", "refsource": "MISC",
"url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/" "name": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/"
}, },
{ {
"refsource": "CONFIRM", "url": "https://nodejs.org/en/blog/release/v10.19.0/",
"name": "https://nodejs.org/en/blog/release/v10.19.0/", "refsource": "MISC",
"url": "https://nodejs.org/en/blog/release/v10.19.0/" "name": "https://nodejs.org/en/blog/release/v10.19.0/"
}, },
{ {
"refsource": "CONFIRM", "url": "https://nodejs.org/en/blog/release/v12.15.0/",
"name": "https://nodejs.org/en/blog/release/v12.15.0/", "refsource": "MISC",
"url": "https://nodejs.org/en/blog/release/v12.15.0/" "name": "https://nodejs.org/en/blog/release/v12.15.0/"
}, },
{ {
"refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200221-0004/",
"name": "https://security.netapp.com/advisory/ntap-20200221-0004/", "refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20200221-0004/" "name": "https://security.netapp.com/advisory/ntap-20200221-0004/"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate"
} }
] ]
} }

226
2019/15xxx/CVE-2019-15605.json
View File

@ -1,25 +1,93 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2019-15605", "ID": "CVE-2019-15605",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HTTP Request Smuggling (CWE-444)",
"cweId": "CWE-444"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "10.19.0, 12.15.0, 13.8.0" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.19.0"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.15.0"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.8.0"
} }
] ]
} }
@ -30,84 +98,72 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HTTP Request Smuggling (CWE-444)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/",
"name": "FEDORA-2020-3838c8ea98", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/",
"name": "FEDORA-2020-47efc31973", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/"
}, },
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0573",
"name": "RHSA-2020:0573", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0573" "name": "https://access.redhat.com/errata/RHSA-2020:0573"
}, },
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0579",
"name": "RHSA-2020:0579", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0579" "name": "https://access.redhat.com/errata/RHSA-2020:0579"
}, },
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0597",
"name": "RHSA-2020:0597", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0597" "name": "https://access.redhat.com/errata/RHSA-2020:0597"
}, },
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0598",
"name": "RHSA-2020:0598", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0598" "name": "https://access.redhat.com/errata/RHSA-2020:0598"
}, },
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0602",
"name": "RHSA-2020:0602", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0602" "name": "https://access.redhat.com/errata/RHSA-2020:0602"
}, },
{ {
"refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html",
"name": "openSUSE-SU-2020:0293", "refsource": "MISC",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html" "name": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html"
}, },
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0703",
"name": "RHSA-2020:0703", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0703" "name": "https://access.redhat.com/errata/RHSA-2020:0703"
}, },
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0707",
"name": "RHSA-2020:0707", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0707" "name": "https://access.redhat.com/errata/RHSA-2020:0707"
}, },
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0708",
"name": "RHSA-2020:0708", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0708" "name": "https://access.redhat.com/errata/RHSA-2020:0708"
}, },
{ {
"refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-48",
"name": "GLSA-202003-48", "refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202003-48" "name": "https://security.gentoo.org/glsa/202003-48"
}, },
{ {
"refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4669",
"name": "DSA-4669", "refsource": "MISC",
"url": "https://www.debian.org/security/2020/dsa-4669" "name": "https://www.debian.org/security/2020/dsa-4669"
}, },
{ {
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html",
@ -120,42 +176,34 @@
"name": "https://www.oracle.com//security-alerts/cpujul2021.html" "name": "https://www.oracle.com//security-alerts/cpujul2021.html"
}, },
{ {
"refsource": "CONFIRM", "url": "https://nodejs.org/en/blog/release/v13.8.0/",
"name": "https://nodejs.org/en/blog/release/v13.8.0/",
"url": "https://nodejs.org/en/blog/release/v13.8.0/"
},
{
"refsource": "CONFIRM",
"name": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/"
},
{
"refsource": "CONFIRM",
"name": "https://nodejs.org/en/blog/release/v10.19.0/",
"url": "https://nodejs.org/en/blog/release/v10.19.0/"
},
{
"refsource": "CONFIRM",
"name": "https://nodejs.org/en/blog/release/v12.15.0/",
"url": "https://nodejs.org/en/blog/release/v12.15.0/"
},
{
"refsource": "CONFIRM",
"name": "https://security.netapp.com/advisory/ntap-20200221-0004/",
"url": "https://security.netapp.com/advisory/ntap-20200221-0004/"
},
{
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/735748", "name": "https://nodejs.org/en/blog/release/v13.8.0/"
"url": "https://hackerone.com/reports/735748" },
}
]
},
"description": {
"description_data": [
{ {
"lang": "eng", "url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/",
"value": "HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed" "refsource": "MISC",
"name": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/"
},
{
"url": "https://nodejs.org/en/blog/release/v10.19.0/",
"refsource": "MISC",
"name": "https://nodejs.org/en/blog/release/v10.19.0/"
},
{
"url": "https://nodejs.org/en/blog/release/v12.15.0/",
"refsource": "MISC",
"name": "https://nodejs.org/en/blog/release/v12.15.0/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20200221-0004/",
"refsource": "MISC",
"name": "https://security.netapp.com/advisory/ntap-20200221-0004/"
},
{
"url": "https://hackerone.com/reports/735748",
"refsource": "MISC",
"name": "https://hackerone.com/reports/735748"
} }
] ]
} }

196
2019/15xxx/CVE-2019-15606.json
View File

@ -1,25 +1,93 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2019-15606", "ID": "CVE-2019-15606",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation (CWE-20)",
"cweId": "CWE-20"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "10.19.0, 12.15.0, 13.8.0" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.19.0"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.15.0"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.8.0"
} }
] ]
} }
@ -30,59 +98,47 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation (CWE-20)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0573",
"name": "RHSA-2020:0573", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0573" "name": "https://access.redhat.com/errata/RHSA-2020:0573"
}, },
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0579",
"name": "RHSA-2020:0579", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0579" "name": "https://access.redhat.com/errata/RHSA-2020:0579"
}, },
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0597",
"name": "RHSA-2020:0597", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0597" "name": "https://access.redhat.com/errata/RHSA-2020:0597"
}, },
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0598",
"name": "RHSA-2020:0598", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0598" "name": "https://access.redhat.com/errata/RHSA-2020:0598"
}, },
{ {
"refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0602",
"name": "RHSA-2020:0602", "refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2020:0602" "name": "https://access.redhat.com/errata/RHSA-2020:0602"
}, },
{ {
"refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html",
"name": "openSUSE-SU-2020:0293", "refsource": "MISC",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html" "name": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html"
}, },
{ {
"refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-48",
"name": "GLSA-202003-48", "refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202003-48" "name": "https://security.gentoo.org/glsa/202003-48"
}, },
{ {
"refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4669",
"name": "DSA-4669", "refsource": "MISC",
"url": "https://www.debian.org/security/2020/dsa-4669" "name": "https://www.debian.org/security/2020/dsa-4669"
}, },
{ {
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html",
@ -95,42 +151,34 @@
"name": "https://www.oracle.com//security-alerts/cpujul2021.html" "name": "https://www.oracle.com//security-alerts/cpujul2021.html"
}, },
{ {
"refsource": "CONFIRM", "url": "https://nodejs.org/en/blog/release/v13.8.0/",
"name": "https://nodejs.org/en/blog/release/v13.8.0/",
"url": "https://nodejs.org/en/blog/release/v13.8.0/"
},
{
"refsource": "CONFIRM",
"name": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/"
},
{
"refsource": "CONFIRM",
"name": "https://nodejs.org/en/blog/release/v10.19.0/",
"url": "https://nodejs.org/en/blog/release/v10.19.0/"
},
{
"refsource": "CONFIRM",
"name": "https://nodejs.org/en/blog/release/v12.15.0/",
"url": "https://nodejs.org/en/blog/release/v12.15.0/"
},
{
"refsource": "CONFIRM",
"name": "https://security.netapp.com/advisory/ntap-20200221-0004/",
"url": "https://security.netapp.com/advisory/ntap-20200221-0004/"
},
{
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/730779", "name": "https://nodejs.org/en/blog/release/v13.8.0/"
"url": "https://hackerone.com/reports/730779" },
}
]
},
"description": {
"description_data": [
{ {
"lang": "eng", "url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/",
"value": "Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons" "refsource": "MISC",
"name": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/"
},
{
"url": "https://nodejs.org/en/blog/release/v10.19.0/",
"refsource": "MISC",
"name": "https://nodejs.org/en/blog/release/v10.19.0/"
},
{
"url": "https://nodejs.org/en/blog/release/v12.15.0/",
"refsource": "MISC",
"name": "https://nodejs.org/en/blog/release/v12.15.0/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20200221-0004/",
"refsource": "MISC",
"name": "https://security.netapp.com/advisory/ntap-20200221-0004/"
},
{
"url": "https://hackerone.com/reports/730779",
"refsource": "MISC",
"name": "https://hackerone.com/reports/730779"
} }
] ]
} }

128
2020/8xxx/CVE-2020-8201.json
View File

@ -1,25 +1,93 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2020-8201", "ID": "CVE-2020-8201",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HTTP Request Smuggling (CWE-444)",
"cweId": "CWE-444"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "Fixed in 12.18.4 and 14.11" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.18.4"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.11.0"
} }
] ]
} }
@ -30,57 +98,37 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HTTP Request Smuggling (CWE-444)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/",
"refsource": "MISC", "refsource": "MISC",
"name": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/", "name": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"
"url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"
}, },
{ {
"url": "https://hackerone.com/reports/922597",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/922597", "name": "https://hackerone.com/reports/922597"
"url": "https://hackerone.com/reports/922597"
}, },
{ {
"refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html",
"name": "openSUSE-SU-2020:1616", "refsource": "MISC",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html" "name": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html"
}, },
{ {
"refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20201009-0004/",
"name": "https://security.netapp.com/advisory/ntap-20201009-0004/", "refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20201009-0004/" "name": "https://security.netapp.com/advisory/ntap-20201009-0004/"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/",
"name": "FEDORA-2020-43d5a372fc", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
}, },
{ {
"refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202101-07",
"name": "GLSA-202101-07", "refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202101-07" "name": "https://security.gentoo.org/glsa/202101-07"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names."
} }
] ]
} }

117
2020/8xxx/CVE-2020-8251.json
View File

@ -1,25 +1,88 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2020-8251", "ID": "CVE-2020-8251",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)",
"cweId": "CWE-400"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "Fixed in v14.11.0" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.11.0"
} }
] ]
} }
@ -30,52 +93,32 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"url": "https://hackerone.com/reports/868834",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/868834", "name": "https://hackerone.com/reports/868834"
"url": "https://hackerone.com/reports/868834"
}, },
{ {
"url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/",
"refsource": "MISC", "refsource": "MISC",
"name": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/", "name": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"
"url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"
}, },
{ {
"refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20201009-0004/",
"name": "https://security.netapp.com/advisory/ntap-20201009-0004/", "refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20201009-0004/" "name": "https://security.netapp.com/advisory/ntap-20201009-0004/"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/",
"name": "FEDORA-2020-43d5a372fc", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
}, },
{ {
"refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202101-07",
"name": "GLSA-202101-07", "refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202101-07" "name": "https://security.gentoo.org/glsa/202101-07"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections."
} }
] ]
} }

145
2020/8xxx/CVE-2020-8252.json
View File

@ -1,25 +1,98 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2020-8252", "ID": "CVE-2020-8252",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Classic Buffer Overflow (CWE-120)",
"cweId": "CWE-120"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "Fixed in 10.22.1, 12.18.4, 14.9.0" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.22.1"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.18.4"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.9.0"
} }
] ]
} }
@ -30,67 +103,47 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Classic Buffer Overflow (CWE-120)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/",
"refsource": "MISC", "refsource": "MISC",
"name": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/", "name": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"
"url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"
}, },
{ {
"url": "https://hackerone.com/reports/965914",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/965914", "name": "https://hackerone.com/reports/965914"
"url": "https://hackerone.com/reports/965914"
}, },
{ {
"refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202009-15",
"name": "GLSA-202009-15", "refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202009-15" "name": "https://security.gentoo.org/glsa/202009-15"
}, },
{ {
"refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4548-1/",
"name": "USN-4548-1", "refsource": "MISC",
"url": "https://usn.ubuntu.com/4548-1/" "name": "https://usn.ubuntu.com/4548-1/"
}, },
{ {
"refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html",
"name": "openSUSE-SU-2020:1616", "refsource": "MISC",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html" "name": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html"
}, },
{ {
"refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20201009-0004/",
"name": "https://security.netapp.com/advisory/ntap-20201009-0004/", "refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20201009-0004/" "name": "https://security.netapp.com/advisory/ntap-20201009-0004/"
}, },
{ {
"refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html",
"name": "openSUSE-SU-2020:1660", "refsource": "MISC",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html" "name": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/",
"name": "FEDORA-2020-43d5a372fc", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes."
} }
] ]
} }

150
2020/8xxx/CVE-2020-8265.json
View File

@ -1,25 +1,103 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2020-8265", "ID": "CVE-2020-8265",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Use After Free (CWE-416)",
"cweId": "CWE-416"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "Fixed in 10.23.1, 12.20.1, 14.15.4, 15.5.1" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.23.1"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.20.1"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.15.4"
},
{
"version_affected": "<",
"version_name": "15.0",
"version_value": "15.5.1"
} }
] ]
} }
@ -30,49 +108,37 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Use After Free (CWE-416)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"url": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/",
"refsource": "MISC", "refsource": "MISC",
"name": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/", "name": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/"
"url": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/"
}, },
{ {
"url": "https://hackerone.com/reports/988103",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/988103", "name": "https://hackerone.com/reports/988103"
"url": "https://hackerone.com/reports/988103"
}, },
{ {
"refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4826",
"name": "DSA-4826", "refsource": "MISC",
"url": "https://www.debian.org/security/2021/dsa-4826" "name": "https://www.debian.org/security/2021/dsa-4826"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/",
"name": "FEDORA-2021-fb1a136393", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/"
}, },
{ {
"refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202101-07",
"name": "GLSA-202101-07", "refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202101-07" "name": "https://security.gentoo.org/glsa/202101-07"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/",
"name": "FEDORA-2021-d5b2c18fe6", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
}, },
{ {
"url": "https://www.oracle.com/security-alerts/cpujan2021.html", "url": "https://www.oracle.com/security-alerts/cpujan2021.html",
@ -80,22 +146,14 @@
"name": "https://www.oracle.com/security-alerts/cpujan2021.html" "name": "https://www.oracle.com/security-alerts/cpujan2021.html"
}, },
{ {
"refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210212-0003/",
"name": "https://security.netapp.com/advisory/ntap-20210212-0003/", "refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20210212-0003/" "name": "https://security.netapp.com/advisory/ntap-20210212-0003/"
}, },
{ {
"refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits."
} }
] ]
} }

147
2020/8xxx/CVE-2020-8277.json
View File

@ -1,25 +1,98 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2020-8277", "ID": "CVE-2020-8277",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)",
"cweId": "CWE-400"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "Fixed in 15.2.1, 14.15.1, 12.19.1" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.19.1"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.15.1"
},
{
"version_affected": "<",
"version_name": "15.0",
"version_value": "15.2.1"
} }
] ]
} }
@ -30,49 +103,37 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"url": "https://hackerone.com/reports/1033107",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/1033107", "name": "https://hackerone.com/reports/1033107"
"url": "https://hackerone.com/reports/1033107"
}, },
{ {
"refsource": "CONFIRM", "url": "https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/",
"name": "https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/", "refsource": "MISC",
"url": "https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/" "name": "https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A7WH7W46OZSEUHWBHD7TCH3LRFY52V6Z/",
"name": "FEDORA-2020-7473744de1", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A7WH7W46OZSEUHWBHD7TCH3LRFY52V6Z/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A7WH7W46OZSEUHWBHD7TCH3LRFY52V6Z/"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEJBY3RJB3XWUOJFGZM5E3EMQ7MFM3UT/",
"name": "FEDORA-2020-307e873389", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEJBY3RJB3XWUOJFGZM5E3EMQ7MFM3UT/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEJBY3RJB3XWUOJFGZM5E3EMQ7MFM3UT/"
}, },
{ {
"refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202012-11",
"name": "GLSA-202012-11", "refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202012-11" "name": "https://security.gentoo.org/glsa/202012-11"
}, },
{ {
"refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202101-07",
"name": "GLSA-202101-07", "refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202101-07" "name": "https://security.gentoo.org/glsa/202101-07"
}, },
{ {
"url": "https://www.oracle.com/security-alerts/cpujan2021.html", "url": "https://www.oracle.com/security-alerts/cpujan2021.html",
@ -80,14 +141,14 @@
"name": "https://www.oracle.com/security-alerts/cpujan2021.html" "name": "https://www.oracle.com/security-alerts/cpujan2021.html"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXLJY4764LYVJPC7NCDLE2UMQ3QC5OI2/",
"name": "FEDORA-2021-afed2b904e", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXLJY4764LYVJPC7NCDLE2UMQ3QC5OI2/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXLJY4764LYVJPC7NCDLE2UMQ3QC5OI2/"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEIV4CH6KNVZK63Y6EKVN2XDW7IHSJBJ/",
"name": "FEDORA-2021-ee913722db", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEIV4CH6KNVZK63Y6EKVN2XDW7IHSJBJ/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEIV4CH6KNVZK63Y6EKVN2XDW7IHSJBJ/"
}, },
{ {
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html",
@ -110,13 +171,5 @@
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html" "name": "https://www.oracle.com/security-alerts/cpuapr2022.html"
} }
] ]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1."
}
]
} }
} }

156
2020/8xxx/CVE-2020-8287.json
View File

@ -1,25 +1,103 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2020-8287", "ID": "CVE-2020-8287",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HTTP Request Smuggling (CWE-444)",
"cweId": "CWE-444"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "Fixed in 10.23.1, 12.20.1, 14.15.4, 15.5.1" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.23.1"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.20.1"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.15.4"
},
{
"version_affected": "<",
"version_name": "15.0",
"version_value": "15.5.1"
} }
] ]
} }
@ -30,49 +108,37 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HTTP Request Smuggling (CWE-444)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"url": "https://hackerone.com/reports/1002188",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/1002188", "name": "https://hackerone.com/reports/1002188"
"url": "https://hackerone.com/reports/1002188"
}, },
{ {
"url": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/",
"refsource": "MISC", "refsource": "MISC",
"name": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/", "name": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/"
"url": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/"
}, },
{ {
"refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4826",
"name": "DSA-4826", "refsource": "MISC",
"url": "https://www.debian.org/security/2021/dsa-4826" "name": "https://www.debian.org/security/2021/dsa-4826"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/",
"name": "FEDORA-2021-fb1a136393", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/"
}, },
{ {
"refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202101-07",
"name": "GLSA-202101-07", "refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202101-07" "name": "https://security.gentoo.org/glsa/202101-07"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/",
"name": "FEDORA-2021-d5b2c18fe6", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
}, },
{ {
"url": "https://www.oracle.com/security-alerts/cpujan2021.html", "url": "https://www.oracle.com/security-alerts/cpujan2021.html",
@ -80,27 +146,19 @@
"name": "https://www.oracle.com/security-alerts/cpujan2021.html" "name": "https://www.oracle.com/security-alerts/cpujan2021.html"
}, },
{ {
"refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210212-0003/",
"name": "https://security.netapp.com/advisory/ntap-20210212-0003/", "refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20210212-0003/" "name": "https://security.netapp.com/advisory/ntap-20210212-0003/"
}, },
{ {
"refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
}, },
{ {
"refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html",
"name": "[debian-lts-announce] 20221205 [SECURITY] [DLA 3224-1] http-parser security update", "refsource": "MISC",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html" "name": "https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling."
} }
] ]
} }

144
2021/22xxx/CVE-2021-22883.json
View File

@ -1,25 +1,103 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2021-22883", "ID": "CVE-2021-22883",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)",
"cweId": "CWE-400"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "Fixed in 10.24.0, 12.21.0, 14.16.0, 15.10.0" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.24.0"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.21.0"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.16.0"
},
{
"version_affected": "<",
"version_name": "15.0",
"version_value": "15.10.0"
} }
] ]
} }
@ -30,44 +108,32 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"url": "https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/",
"refsource": "MISC", "refsource": "MISC",
"name": "https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/", "name": "https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/"
"url": "https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/"
}, },
{ {
"url": "https://hackerone.com/reports/1043360",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/1043360", "name": "https://hackerone.com/reports/1043360"
"url": "https://hackerone.com/reports/1043360"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E4FRS5ZVK4ZQ7XIJQNGIKUXG2DJFHLO7/",
"name": "FEDORA-2021-a760169c3c", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E4FRS5ZVK4ZQ7XIJQNGIKUXG2DJFHLO7/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E4FRS5ZVK4ZQ7XIJQNGIKUXG2DJFHLO7/"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F45Y7TXSU33MTKB6AGL2Q5V5ZOCNPKOG/",
"name": "FEDORA-2021-f6bd75e9d4", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F45Y7TXSU33MTKB6AGL2Q5V5ZOCNPKOG/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F45Y7TXSU33MTKB6AGL2Q5V5ZOCNPKOG/"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSYFUGKFUSZ27M5TEZ3FKILWTWFJTFAZ/",
"name": "FEDORA-2021-6aaba80ba2", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSYFUGKFUSZ27M5TEZ3FKILWTWFJTFAZ/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSYFUGKFUSZ27M5TEZ3FKILWTWFJTFAZ/"
}, },
{ {
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html",
@ -75,9 +141,9 @@
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html" "name": "https://www.oracle.com/security-alerts/cpuApr2021.html"
}, },
{ {
"refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210416-0001/",
"name": "https://security.netapp.com/advisory/ntap-20210416-0001/", "refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20210416-0001/" "name": "https://security.netapp.com/advisory/ntap-20210416-0001/"
}, },
{ {
"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "url": "https://www.oracle.com//security-alerts/cpujul2021.html",
@ -90,17 +156,9 @@
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html" "name": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}, },
{ {
"refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory."
} }
] ]
} }

154
2021/22xxx/CVE-2021-22884.json
View File

@ -1,25 +1,103 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2021-22884", "ID": "CVE-2021-22884",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes \u201clocalhost6\u201d. When \u201clocalhost6\u201d is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the \u201clocalhost6\u201d domain. As long as the attacker uses the \u201clocalhost6\u201d domain, they can still apply the attack described in CVE-2018-7160."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Reliance on Reverse DNS Resolution for a Security-Critical Action (CWE-350)",
"cweId": "CWE-350"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "Fixed in 10.24.0, 12.21.0, 14.16.0, 15.10.0" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.24.0"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.21.0"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.16.0"
},
{
"version_affected": "<",
"version_name": "15.0",
"version_value": "15.10.0"
} }
] ]
} }
@ -30,49 +108,37 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Reliance on Reverse DNS Resolution for a Security-Critical Action (CWE-350)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"url": "https://hackerone.com/reports/1069487",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/1069487", "name": "https://hackerone.com/reports/1069487"
"url": "https://hackerone.com/reports/1069487"
}, },
{ {
"url": "https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/",
"refsource": "MISC", "refsource": "MISC",
"name": "https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/", "name": "https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/"
"url": "https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/"
}, },
{ {
"url": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/#node-js-inspector-dns-rebinding-vulnerability-cve-2018-7160",
"refsource": "MISC", "refsource": "MISC",
"name": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/#node-js-inspector-dns-rebinding-vulnerability-cve-2018-7160", "name": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/#node-js-inspector-dns-rebinding-vulnerability-cve-2018-7160"
"url": "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/#node-js-inspector-dns-rebinding-vulnerability-cve-2018-7160"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E4FRS5ZVK4ZQ7XIJQNGIKUXG2DJFHLO7/",
"name": "FEDORA-2021-a760169c3c", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E4FRS5ZVK4ZQ7XIJQNGIKUXG2DJFHLO7/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E4FRS5ZVK4ZQ7XIJQNGIKUXG2DJFHLO7/"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F45Y7TXSU33MTKB6AGL2Q5V5ZOCNPKOG/",
"name": "FEDORA-2021-f6bd75e9d4", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F45Y7TXSU33MTKB6AGL2Q5V5ZOCNPKOG/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F45Y7TXSU33MTKB6AGL2Q5V5ZOCNPKOG/"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSYFUGKFUSZ27M5TEZ3FKILWTWFJTFAZ/",
"name": "FEDORA-2021-6aaba80ba2", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSYFUGKFUSZ27M5TEZ3FKILWTWFJTFAZ/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSYFUGKFUSZ27M5TEZ3FKILWTWFJTFAZ/"
}, },
{ {
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html",
@ -80,9 +146,9 @@
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html" "name": "https://www.oracle.com/security-alerts/cpuApr2021.html"
}, },
{ {
"refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210416-0001/",
"name": "https://security.netapp.com/advisory/ntap-20210416-0001/", "refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20210416-0001/" "name": "https://security.netapp.com/advisory/ntap-20210416-0001/"
}, },
{ {
"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "url": "https://www.oracle.com//security-alerts/cpujul2021.html",
@ -95,22 +161,14 @@
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html" "name": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}, },
{ {
"refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210723-0001/",
"name": "https://security.netapp.com/advisory/ntap-20210723-0001/", "refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20210723-0001/" "name": "https://security.netapp.com/advisory/ntap-20210723-0001/"
}, },
{ {
"refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes \u201clocalhost6\u201d. When \u201clocalhost6\u201d is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the \u201clocalhost6\u201d domain. As long as the attacker uses the \u201clocalhost6\u201d domain, they can still apply the attack described in CVE-2018-7160."
} }
] ]
} }

131
2021/22xxx/CVE-2021-22921.json
View File

@ -1,25 +1,108 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2021-22921", "ID": "CVE-2021-22921",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incorrect Permission Assignment for Critical Resource (CWE-732)",
"cweId": "CWE-732"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "Fixed in 16.4.1, 14.17.2, and 12.22.2" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.*"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.22.2"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.17.2"
},
{
"version_affected": "<",
"version_name": "15.0",
"version_value": "15.*"
},
{
"version_affected": "<",
"version_name": "16.0",
"version_value": "16.4.1"
} }
] ]
} }
@ -30,47 +113,27 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incorrect Permission Assignment for Critical Resource (CWE-732)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"url": "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/",
"refsource": "MISC", "refsource": "MISC",
"name": "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/", "name": "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/"
"url": "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/"
}, },
{ {
"url": "https://hackerone.com/reports/1211160",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/1211160", "name": "https://hackerone.com/reports/1211160"
"url": "https://hackerone.com/reports/1211160"
}, },
{ {
"refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210805-0003/",
"name": "https://security.netapp.com/advisory/ntap-20210805-0003/", "refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20210805-0003/" "name": "https://security.netapp.com/advisory/ntap-20210805-0003/"
}, },
{ {
"refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking."
} }
] ]
} }

121
2021/22xxx/CVE-2021-22959.json
View File

@ -1,25 +1,108 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2021-22959", "ID": "CVE-2021-22959",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HTTP Request Smuggling (CWE-444)",
"cweId": "CWE-444"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/llhttp", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "Fixed in llhttp v2.1.4 and v6.0.6" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.*"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.22.7"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.18.1"
},
{
"version_affected": "<",
"version_name": "15.0",
"version_value": "15.*"
},
{
"version_affected": "<",
"version_name": "16.0",
"version_value": "16.11.1"
} }
] ]
} }
@ -30,24 +113,12 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HTTP Request Smuggling (CWE-444)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"url": "https://hackerone.com/reports/1238709",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/1238709", "name": "https://hackerone.com/reports/1238709"
"url": "https://hackerone.com/reports/1238709"
}, },
{ {
"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "url": "https://www.oracle.com/security-alerts/cpujan2022.html",
@ -55,17 +126,9 @@
"name": "https://www.oracle.com/security-alerts/cpujan2022.html" "name": "https://www.oracle.com/security-alerts/cpujan2022.html"
}, },
{ {
"refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5170",
"name": "DSA-5170", "refsource": "MISC",
"url": "https://www.debian.org/security/2022/dsa-5170" "name": "https://www.debian.org/security/2022/dsa-5170"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6."
} }
] ]
} }

121
2021/22xxx/CVE-2021-22960.json
View File

@ -1,25 +1,108 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2021-22960", "ID": "CVE-2021-22960",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HTTP Request Smuggling (CWE-444)",
"cweId": "CWE-444"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/llhttp", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "Fixed in v2.1.4 and v6.0.6" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.*"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.22.7"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.18.1"
},
{
"version_affected": "<",
"version_name": "15.0",
"version_value": "15.*"
},
{
"version_affected": "<",
"version_name": "16.0",
"version_value": "16.11.1"
} }
] ]
} }
@ -30,24 +113,12 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HTTP Request Smuggling (CWE-444)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"url": "https://hackerone.com/reports/1238099",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/1238099", "name": "https://hackerone.com/reports/1238099"
"url": "https://hackerone.com/reports/1238099"
}, },
{ {
"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "url": "https://www.oracle.com/security-alerts/cpujan2022.html",
@ -55,17 +126,9 @@
"name": "https://www.oracle.com/security-alerts/cpujan2022.html" "name": "https://www.oracle.com/security-alerts/cpujan2022.html"
}, },
{ {
"refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5170",
"name": "DSA-5170", "refsource": "MISC",
"url": "https://www.debian.org/security/2022/dsa-5170" "name": "https://www.debian.org/security/2022/dsa-5170"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions."
} }
] ]
} }

136
2021/44xxx/CVE-2021-44531.json
View File

@ -1,25 +1,113 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2021-44531", "ID": "CVE-2021-44531",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Certificate Validation (CWE-295)",
"cweId": "CWE-295"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "Fixed in 12.22.9, 14.18.3, 16.13.2, 17.3.1" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.*"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.22.9"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.18.3"
},
{
"version_affected": "<",
"version_name": "15.0",
"version_value": "15.*"
},
{
"version_affected": "<",
"version_name": "16.0",
"version_value": "16.13.2"
},
{
"version_affected": "<",
"version_name": "17.0",
"version_value": "17.3.1"
} }
] ]
} }
@ -30,29 +118,17 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Certificate Validation (CWE-295)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"url": "https://hackerone.com/reports/1429694",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/1429694", "name": "https://hackerone.com/reports/1429694"
"url": "https://hackerone.com/reports/1429694"
}, },
{ {
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"refsource": "MISC", "refsource": "MISC",
"name": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "name": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}, },
{ {
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html",
@ -60,14 +136,14 @@
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html" "name": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}, },
{ {
"refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220325-0007/",
"name": "https://security.netapp.com/advisory/ntap-20220325-0007/", "refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20220325-0007/" "name": "https://security.netapp.com/advisory/ntap-20220325-0007/"
}, },
{ {
"refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5170",
"name": "DSA-5170", "refsource": "MISC",
"url": "https://www.debian.org/security/2022/dsa-5170" "name": "https://www.debian.org/security/2022/dsa-5170"
}, },
{ {
"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "url": "https://www.oracle.com/security-alerts/cpujul2022.html",
@ -75,13 +151,5 @@
"name": "https://www.oracle.com/security-alerts/cpujul2022.html" "name": "https://www.oracle.com/security-alerts/cpujul2022.html"
} }
] ]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option."
}
]
} }
} }

136
2021/44xxx/CVE-2021-44532.json
View File

@ -1,25 +1,113 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2021-44532", "ID": "CVE-2021-44532",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Following of a Certificate's Chain of Trust (CWE-296)",
"cweId": "CWE-296"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "Fixed in 12.22.9, 14.18.3, 16.13.2, 17.3.1" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.*"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.22.9"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.18.3"
},
{
"version_affected": "<",
"version_name": "15.0",
"version_value": "15.*"
},
{
"version_affected": "<",
"version_name": "16.0",
"version_value": "16.13.2"
},
{
"version_affected": "<",
"version_name": "17.0",
"version_value": "17.3.1"
} }
] ]
} }
@ -30,29 +118,17 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Following of a Certificate's Chain of Trust (CWE-296)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"url": "https://hackerone.com/reports/1429694",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/1429694", "name": "https://hackerone.com/reports/1429694"
"url": "https://hackerone.com/reports/1429694"
}, },
{ {
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"refsource": "MISC", "refsource": "MISC",
"name": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "name": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}, },
{ {
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html",
@ -60,14 +136,14 @@
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html" "name": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}, },
{ {
"refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220325-0007/",
"name": "https://security.netapp.com/advisory/ntap-20220325-0007/", "refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20220325-0007/" "name": "https://security.netapp.com/advisory/ntap-20220325-0007/"
}, },
{ {
"refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5170",
"name": "DSA-5170", "refsource": "MISC",
"url": "https://www.debian.org/security/2022/dsa-5170" "name": "https://www.debian.org/security/2022/dsa-5170"
}, },
{ {
"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "url": "https://www.oracle.com/security-alerts/cpujul2022.html",
@ -75,13 +151,5 @@
"name": "https://www.oracle.com/security-alerts/cpujul2022.html" "name": "https://www.oracle.com/security-alerts/cpujul2022.html"
} }
] ]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option."
}
]
} }
} }

136
2021/44xxx/CVE-2021-44533.json
View File

@ -1,25 +1,113 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2021-44533", "ID": "CVE-2021-44533",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Certificate Validation (CWE-295)",
"cweId": "CWE-295"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "Fixed in 12.22.9, 14.18.3, 16.13.2, 17.3.1" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.*"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.22.9"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.18.3"
},
{
"version_affected": "<",
"version_name": "15.0",
"version_value": "15.*"
},
{
"version_affected": "<",
"version_name": "16.0",
"version_value": "16.13.2"
},
{
"version_affected": "<",
"version_name": "17.0",
"version_value": "17.3.1"
} }
] ]
} }
@ -30,29 +118,17 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Certificate Validation (CWE-295)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"url": "https://hackerone.com/reports/1429694",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/1429694", "name": "https://hackerone.com/reports/1429694"
"url": "https://hackerone.com/reports/1429694"
}, },
{ {
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
"refsource": "MISC", "refsource": "MISC",
"name": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "name": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
}, },
{ {
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html",
@ -60,14 +136,14 @@
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html" "name": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}, },
{ {
"refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220325-0007/",
"name": "https://security.netapp.com/advisory/ntap-20220325-0007/", "refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20220325-0007/" "name": "https://security.netapp.com/advisory/ntap-20220325-0007/"
}, },
{ {
"refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5170",
"name": "DSA-5170", "refsource": "MISC",
"url": "https://www.debian.org/security/2022/dsa-5170" "name": "https://www.debian.org/security/2022/dsa-5170"
}, },
{ {
"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "url": "https://www.oracle.com/security-alerts/cpujul2022.html",
@ -75,13 +151,5 @@
"name": "https://www.oracle.com/security-alerts/cpujul2022.html" "name": "https://www.oracle.com/security-alerts/cpujul2022.html"
} }
] ]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable."
}
]
} }
} }

159
2022/32xxx/CVE-2022-32213.json
View File

@ -1,25 +1,118 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2022-32213", "ID": "CVE-2022-32213",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HTTP Request Smuggling (CWE-444)",
"cweId": "CWE-444"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "Fixed in 14.20.1+, 16.17.1+,18.9.1+" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.*"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.*"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.20.1"
},
{
"version_affected": "<",
"version_name": "15.0",
"version_value": "15.*"
},
{
"version_affected": "<",
"version_name": "16.0",
"version_value": "16.17.1"
},
{
"version_affected": "<",
"version_name": "17.0",
"version_value": "17.*"
},
{
"version_affected": "<",
"version_name": "18.0",
"version_value": "18.9.1"
} }
] ]
} }
@ -30,62 +123,42 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HTTP Request Smuggling (CWE-444)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"url": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/",
"refsource": "MISC", "refsource": "MISC",
"name": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/", "name": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/"
"url": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/"
}, },
{ {
"url": "https://hackerone.com/reports/1524555",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/1524555", "name": "https://hackerone.com/reports/1524555"
"url": "https://hackerone.com/reports/1524555"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/",
"name": "FEDORA-2022-52dec6351a", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/",
"name": "FEDORA-2022-1667f7b60a", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/",
"name": "FEDORA-2022-de515f765f", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/"
}, },
{ {
"refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf",
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf", "refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf" "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"
}, },
{ {
"refsource": "DEBIAN", "url": "https://www.debian.org/security/2023/dsa-5326",
"name": "DSA-5326", "refsource": "MISC",
"url": "https://www.debian.org/security/2023/dsa-5326" "name": "https://www.debian.org/security/2023/dsa-5326"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS)."
} }
] ]
} }

159
2022/32xxx/CVE-2022-32215.json
View File

@ -1,25 +1,118 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2022-32215", "ID": "CVE-2022-32215",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HTTP Request Smuggling (CWE-444)",
"cweId": "CWE-444"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "Fixed in 14.20.1+, 16.17.1+,18.9.1+" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.*"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.*"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.20.1"
},
{
"version_affected": "<",
"version_name": "15.0",
"version_value": "15.*"
},
{
"version_affected": "<",
"version_name": "16.0",
"version_value": "16.17.1"
},
{
"version_affected": "<",
"version_name": "17.0",
"version_value": "17.*"
},
{
"version_affected": "<",
"version_name": "18.0",
"version_value": "18.9.1"
} }
] ]
} }
@ -30,62 +123,42 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HTTP Request Smuggling (CWE-444)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"url": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/",
"refsource": "MISC", "refsource": "MISC",
"name": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/", "name": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/"
"url": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/"
}, },
{ {
"url": "https://hackerone.com/reports/1501679",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/1501679", "name": "https://hackerone.com/reports/1501679"
"url": "https://hackerone.com/reports/1501679"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/",
"name": "FEDORA-2022-52dec6351a", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/",
"name": "FEDORA-2022-1667f7b60a", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/"
}, },
{ {
"refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/",
"name": "FEDORA-2022-de515f765f", "refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/" "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/"
}, },
{ {
"refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf",
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf", "refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf" "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"
}, },
{ {
"refsource": "DEBIAN", "url": "https://www.debian.org/security/2023/dsa-5326",
"name": "DSA-5326", "refsource": "MISC",
"url": "https://www.debian.org/security/2023/dsa-5326" "name": "https://www.debian.org/security/2023/dsa-5326"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS)."
} }
] ]
} }

135
2022/32xxx/CVE-2022-32223.json
View File

@ -1,25 +1,118 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2022-32223", "ID": "CVE-2022-32223",
"ASSIGNER": "support@hackerone.com", "ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC" "STATE": "PUBLIC"
}, },
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and \u201cC:\\Program Files\\Common Files\\SSL\\openssl.cnf\u201d exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Uncontrolled Search Path Element (CWE-427)",
"cweId": "CWE-427"
}
]
}
]
},
"affects": { "affects": {
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "n/a", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_value": "Fixed in 14.20.0+, 16.20.0+, 18.5.0+" "version_affected": "<",
"version_name": "4.0",
"version_value": "4.*"
},
{
"version_affected": "<",
"version_name": "5.0",
"version_value": "5.*"
},
{
"version_affected": "<",
"version_name": "6.0",
"version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.*"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.*"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.20.0"
},
{
"version_affected": "<",
"version_name": "15.0",
"version_value": "15.*"
},
{
"version_affected": "<",
"version_name": "16.0",
"version_value": "16.20.0"
},
{
"version_affected": "<",
"version_name": "17.0",
"version_value": "17.*"
},
{
"version_affected": "<",
"version_name": "18.0",
"version_value": "18.5.0"
} }
] ]
} }
@ -30,42 +123,22 @@
] ]
} }
}, },
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Uncontrolled Search Path Element (CWE-427)"
}
]
}
]
},
"references": { "references": {
"reference_data": [ "reference_data": [
{ {
"url": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/",
"refsource": "MISC", "refsource": "MISC",
"name": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/", "name": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/"
"url": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/"
}, },
{ {
"url": "https://hackerone.com/reports/1447455",
"refsource": "MISC", "refsource": "MISC",
"name": "https://hackerone.com/reports/1447455", "name": "https://hackerone.com/reports/1447455"
"url": "https://hackerone.com/reports/1447455"
}, },
{ {
"refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220915-0001/",
"name": "https://security.netapp.com/advisory/ntap-20220915-0001/", "refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20220915-0001/" "name": "https://security.netapp.com/advisory/ntap-20220915-0001/"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and \u201cC:\\Program Files\\Common Files\\SSL\\openssl.cnf\u201d exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability."
} }
] ]
} }

88
2023/30xxx/CVE-2023-30589.json
View File

@ -11,7 +11,7 @@
"description_data": [ "description_data": [
{ {
"lang": "eng", "lang": "eng",
"value": "The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).\r\n\r\nThe CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20\r\n" "value": "The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).\r\n\r\nThe CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20"
} }
] ]
}, },
@ -31,27 +31,97 @@
"vendor": { "vendor": {
"vendor_data": [ "vendor_data": [
{ {
"vendor_name": "Node.js", "vendor_name": "NodeJS",
"product": { "product": {
"product_data": [ "product_data": [
{ {
"product_name": "https://github.com/nodejs/node", "product_name": "Node",
"version": { "version": {
"version_data": [ "version_data": [
{ {
"version_affected": "<", "version_affected": "<",
"version_name": "v20.3.1", "version_name": "4.0",
"version_value": "v20.3.1" "version_value": "4.*"
}, },
{ {
"version_affected": "<", "version_affected": "<",
"version_name": "v18.16.1", "version_name": "5.0",
"version_value": "v18.16.1" "version_value": "5.*"
}, },
{ {
"version_affected": "<", "version_affected": "<",
"version_name": "v16.20.1", "version_name": "6.0",
"version_value": "v16.20.1" "version_value": "6.*"
},
{
"version_affected": "<",
"version_name": "7.0",
"version_value": "7.*"
},
{
"version_affected": "<",
"version_name": "8.0",
"version_value": "8.*"
},
{
"version_affected": "<",
"version_name": "9.0",
"version_value": "9.*"
},
{
"version_affected": "<",
"version_name": "10.0",
"version_value": "10.*"
},
{
"version_affected": "<",
"version_name": "11.0",
"version_value": "11.*"
},
{
"version_affected": "<",
"version_name": "12.0",
"version_value": "12.*"
},
{
"version_affected": "<",
"version_name": "13.0",
"version_value": "13.*"
},
{
"version_affected": "<",
"version_name": "14.0",
"version_value": "14.*"
},
{
"version_affected": "<",
"version_name": "15.0",
"version_value": "15.*"
},
{
"version_affected": "<",
"version_name": "16.0",
"version_value": "16.20.1"
},
{
"version_affected": "<",
"version_name": "17.0",
"version_value": "17.*"
},
{
"version_affected": "<",
"version_name": "18.0",
"version_value": "18.16.1"
},
{
"version_affected": "<",
"version_name": "19.0",
"version_value": "19.*"
},
{
"version_affected": "<",
"version_name": "20.0",
"version_value": "20.3.1"
} }
] ]
} }

114
2025/4xxx/CVE-2025-4141.json
View File

@ -1,17 +1,123 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2025-4141", "ID": "CVE-2025-4141",
"ASSIGNER": "cve@mitre.org", "ASSIGNER": "cna@vuldb.com",
"STATE": "RESERVED" "STATE": "PUBLIC"
}, },
"description": { "description": {
"description_data": [ "description_data": [
{ {
"lang": "eng", "lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." "value": "A vulnerability, which was classified as critical, was found in Netgear EX6200 1.0.3.94. This affects the function sub_3C03C. The manipulation of the argument host leads to buffer overflow. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "deu",
"value": "Es wurde eine kritische Schwachstelle in Netgear EX6200 1.0.3.94 gefunden. Dabei betrifft es die Funktion sub_3C03C. Durch Manipulieren des Arguments host mit unbekannten Daten kann eine buffer overflow-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Buffer Overflow",
"cweId": "CWE-120"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "Memory Corruption",
"cweId": "CWE-119"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Netgear",
"product": {
"product_data": [
{
"product_name": "EX6200",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "1.0.3.94"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://vuldb.com/?id.306633",
"refsource": "MISC",
"name": "https://vuldb.com/?id.306633"
},
{
"url": "https://vuldb.com/?ctiid.306633",
"refsource": "MISC",
"name": "https://vuldb.com/?ctiid.306633"
},
{
"url": "https://vuldb.com/?submit.560789",
"refsource": "MISC",
"name": "https://vuldb.com/?submit.560789"
},
{
"url": "https://github.com/jylsec/vuldb/blob/main/Netgear/netgear_ex6200/Buffer_overflow-sub_3C03C-bpa_server/README.md",
"refsource": "MISC",
"name": "https://github.com/jylsec/vuldb/blob/main/Netgear/netgear_ex6200/Buffer_overflow-sub_3C03C-bpa_server/README.md"
},
{
"url": "https://www.netgear.com/",
"refsource": "MISC",
"name": "https://www.netgear.com/"
}
]
},
"credits": [
{
"lang": "en",
"value": "54357 (VulDB User)"
}
],
"impact": {
"cvss": [
{
"version": "3.1",
"baseScore": 8.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"baseSeverity": "HIGH"
},
{
"version": "3.0",
"baseScore": 8.8,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"baseSeverity": "HIGH"
},
{
"version": "2.0",
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C"
} }
] ]
} }

114
2025/4xxx/CVE-2025-4142.json
View File

@ -1,17 +1,123 @@
{ {
"data_version": "4.0",
"data_type": "CVE", "data_type": "CVE",
"data_format": "MITRE", "data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ID": "CVE-2025-4142", "ID": "CVE-2025-4142",
"ASSIGNER": "cve@mitre.org", "ASSIGNER": "cna@vuldb.com",
"STATE": "RESERVED" "STATE": "PUBLIC"
}, },
"description": { "description": {
"description_data": [ "description_data": [
{ {
"lang": "eng", "lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." "value": "A vulnerability has been found in Netgear EX6200 1.0.3.94 and classified as critical. This vulnerability affects the function sub_3C8EC. The manipulation of the argument host leads to buffer overflow. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "deu",
"value": "In Netgear EX6200 1.0.3.94 wurde eine kritische Schwachstelle gefunden. Hierbei betrifft es die Funktion sub_3C8EC. Durch das Beeinflussen des Arguments host mit unbekannten Daten kann eine buffer overflow-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Buffer Overflow",
"cweId": "CWE-120"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "Memory Corruption",
"cweId": "CWE-119"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Netgear",
"product": {
"product_data": [
{
"product_name": "EX6200",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "1.0.3.94"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://vuldb.com/?id.306634",
"refsource": "MISC",
"name": "https://vuldb.com/?id.306634"
},
{
"url": "https://vuldb.com/?ctiid.306634",
"refsource": "MISC",
"name": "https://vuldb.com/?ctiid.306634"
},
{
"url": "https://vuldb.com/?submit.560790",
"refsource": "MISC",
"name": "https://vuldb.com/?submit.560790"
},
{
"url": "https://github.com/jylsec/vuldb/blob/main/Netgear/netgear_ex6200/Buffer_overflow-sub_3C8EC-gui_Wireless_Security_state/README.md",
"refsource": "MISC",
"name": "https://github.com/jylsec/vuldb/blob/main/Netgear/netgear_ex6200/Buffer_overflow-sub_3C8EC-gui_Wireless_Security_state/README.md"
},
{
"url": "https://www.netgear.com/",
"refsource": "MISC",
"name": "https://www.netgear.com/"
}
]
},
"credits": [
{
"lang": "en",
"value": "54357 (VulDB User)"
}
],
"impact": {
"cvss": [
{
"version": "3.1",
"baseScore": 8.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"baseSeverity": "HIGH"
},
{
"version": "3.0",
"baseScore": 8.8,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"baseSeverity": "HIGH"
},
{
"version": "2.0",
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C"
} }
] ]
} }