Package details: pkg:rpm/redhat/rh-nodejs12-nodejs@12.20.1-1?arch=el7
purl pkg:rpm/redhat/rh-nodejs12-nodejs@12.20.1-1?arch=el7
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.5
Vulnerabilities affecting this package (7)
Vulnerability Summary Fixed by
VCID-75cr-t5b7-67d8
Aliases:
CVE-2019-10746
GHSA-fhjf-83wg-r2j9
Prototype Pollution in mixin-deep

Versions of `mixin-deep` prior to 2.0.1 or 1.3.2 are vulnerable to Prototype Pollution. The `mixinDeep` function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

## Recommendation

If you are using `mixin-deep` 2.x, upgrade to version 2.0.1 or later. If you are using `mixin-deep` 1.x, upgrade to version 1.3.2 or later.

There are no reported fixed by versions.
VCID-7tyw-ppyt-zqgr
Aliases:
CVE-2020-7788
GHSA-qqgx-2p2h-9c37
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse

### Overview

The `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context.

### Patches

This has been patched in 1.3.6.

### Steps to reproduce

payload.ini:

```
[__proto__]
polluted = "polluted"
```

poc.js:

```
var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)
```

```
> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted
```

There are no reported fixed by versions.
VCID-cu35-t78a-wfcj
Aliases:
CVE-2019-10747
GHSA-4g88-fppr-53pp
Prototype Pollution in set-value

Versions of `set-value` prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The `set` function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

## Recommendation

If you are using `set-value` 3.x, upgrade to version 3.0.1 or later. If you are using `set-value` 2.x, upgrade to version 2.0.1 or later.

There are no reported fixed by versions.
VCID-k6bh-s1cq-n3a7
Aliases:
CVE-2018-3750
GHSA-hr2v-3952-633q
Improper Input Validation

The utilities function in all versions of the deep-extend node module can be tricked into modifying the prototype of `Object` when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

There are no reported fixed by versions.
VCID-v5h1-gpt1-97bj
Aliases:
CVE-2020-7754
GHSA-pw54-mh39-w3hc
Regular expression denial of service in npm-user-validate

This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.

There are no reported fixed by versions.
VCID-zj4d-e8r7-ufg3
Aliases:
CVE-2020-8287
Multiple vulnerabilities have been found in NodeJS, the worst of which could result in the arbitrary execution of code.

There are no reported fixed by versions.
VCID-ztt4-vnk7-7ycq
Aliases:
CVE-2020-8265
Multiple vulnerabilities have been found in NodeJS, the worst of which could result in the arbitrary execution of code.

There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T14:25:19.327376+00:00 RedHat Importer Affected by VCID-k6bh-s1cq-n3a7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3750.json 38.0.0
2026-04-01T14:18:40.170715+00:00 RedHat Importer Affected by VCID-75cr-t5b7-67d8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10746.json 38.0.0
2026-04-01T14:18:39.448915+00:00 RedHat Importer Affected by VCID-cu35-t78a-wfcj https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10747.json 38.0.0
2026-04-01T14:04:13.989217+00:00 RedHat Importer Affected by VCID-v5h1-gpt1-97bj https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-7754.json 38.0.0
2026-04-01T14:03:46.231124+00:00 RedHat Importer Affected by VCID-7tyw-ppyt-zqgr https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-7788.json 38.0.0
2026-04-01T14:03:35.288965+00:00 RedHat Importer Affected by VCID-zj4d-e8r7-ufg3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8287.json 38.0.0
2026-04-01T14:03:35.181556+00:00 RedHat Importer Affected by VCID-ztt4-vnk7-7ycq https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8265.json 38.0.0