Search for packages
| purl | pkg:rpm/redhat/rh-nodejs10-nodejs@10.23.1-2?arch=el7 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-4b6t-hfzu-7uf5
Aliases: CVE-2020-8116 GHSA-ff7x-qrg7-qggm |
dot-prop Prototype Pollution vulnerability Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects. | There are no reported fixed by versions. |
|
VCID-7tyw-ppyt-zqgr
Aliases: CVE-2020-7788 GHSA-qqgx-2p2h-9c37 |
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse ### Overview The `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context. ### Patches This has been patched in 1.3.6. ### Steps to reproduce payload.ini ``` [__proto__] polluted = "polluted" ``` poc.js: ``` var fs = require('fs') var ini = require('ini') var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8')) console.log(parsed) console.log(parsed.__proto__) console.log(polluted) ``` ``` > node poc.js {} { polluted: 'polluted' } { polluted: 'polluted' } polluted ``` | There are no reported fixed by versions. |
|
VCID-cqs6-2ryh-43gj
Aliases: CVE-2020-8252 |
A buffer overflow in libuv might allow remote attacker(s) to execute arbitrary code. | There are no reported fixed by versions. |
|
VCID-e2wc-na6c-c3cr
Aliases: CVE-2020-15095 GHSA-93f3-23rq-pjfp |
npm CLI exposing sensitive information through logs Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like `<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>`. The password value is not redacted and is printed to stdout and also to any generated log files. | There are no reported fixed by versions. |
|
VCID-fu8u-pxaa-43be
Aliases: CVE-2020-7774 GHSA-c4w7-xm78-47vh |
Prototype Pollution in y18n ### Overview The npm package `y18n` before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution. ### POC ```js const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true ``` ### Recommendation Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later. | There are no reported fixed by versions. |
|
VCID-jqtk-shbr-nkaw
Aliases: CVE-2020-7608 GHSA-p9pc-299p-vxgp |
yargs-parser Vulnerable to Prototype Pollution Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`. ## Recommendation Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later. | There are no reported fixed by versions. |
|
VCID-kh5k-ynnf-2bbx
Aliases: CVE-2020-15366 GHSA-v88g-cgmw-v5xw |
Prototype Pollution in Ajv An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.) | There are no reported fixed by versions. |
|
VCID-v5h1-gpt1-97bj
Aliases: CVE-2020-7754 GHSA-pw54-mh39-w3hc |
Regular expression denial of service in npm-user-validate This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters. | There are no reported fixed by versions. |
|
VCID-zj4d-e8r7-ufg3
Aliases: CVE-2020-8287 |
Multiple vulnerabilities have been found in NodeJS, the worst of which could result in the arbitrary execution of code. | There are no reported fixed by versions. |
|
VCID-ztt4-vnk7-7ycq
Aliases: CVE-2020-8265 |
Multiple vulnerabilities have been found in NodeJS, the worst of which could result in the arbitrary execution of code. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||