VulnerableCode Package Details - pkg:alpm/archlinux/nodejs@15.9.0-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-upe7-b86x-aaae Aliases: CVE-2021-22883	Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.	15.10.0-1 Affected by 0 other vulnerabilities.
VCID-vc4y-g9fg-aaak Aliases: CVE-2021-23840 GHSA-qgm6-9472-pwq7 VC-OPENSSL-20210216-CVE-2021-23840	Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).	There are no reported fixed by versions.
VCID-wgmj-77cu-aaab Aliases: CVE-2021-22884	Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.	15.10.0-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-upe7-b86x-aaae
Aliases:
CVE-2021-22883

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

15.10.0-1
Affected by 0 other vulnerabilities.

VCID-vc4y-g9fg-aaak
Aliases:
CVE-2021-23840
GHSA-qgm6-9472-pwq7
VC-OPENSSL-20210216-CVE-2021-23840

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

There are no reported fixed by versions.

VCID-wgmj-77cu-aaab
Aliases:
CVE-2021-22884

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.

15.10.0-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T07:47:05.018563+00:00	Arch Linux Importer	Affected by	VCID-vc4y-g9fg-aaak	https://security.archlinux.org/AVG-1605	36.0.0
2025-03-28T07:46:42.285953+00:00	Arch Linux Importer	Affected by	VCID-upe7-b86x-aaae	https://security.archlinux.org/AVG-1604	36.0.0
2025-03-28T07:46:42.267308+00:00	Arch Linux Importer	Affected by	VCID-wgmj-77cu-aaab	https://security.archlinux.org/AVG-1604	36.0.0
2024-09-18T02:02:28.467985+00:00	Arch Linux Importer	Affected by	VCID-vc4y-g9fg-aaak	https://security.archlinux.org/AVG-1605	34.0.1
2024-09-18T02:02:03.126319+00:00	Arch Linux Importer	Affected by	VCID-upe7-b86x-aaae	https://security.archlinux.org/AVG-1604	34.0.1
2024-09-18T02:02:03.105077+00:00	Arch Linux Importer	Affected by	VCID-wgmj-77cu-aaab	https://security.archlinux.org/AVG-1604	34.0.1
2024-01-03T22:28:29.331043+00:00	Arch Linux Importer	Affected by	VCID-vc4y-g9fg-aaak	https://security.archlinux.org/AVG-1605	34.0.0rc1
2024-01-03T22:28:05.934735+00:00	Arch Linux Importer	Affected by	VCID-upe7-b86x-aaae	https://security.archlinux.org/AVG-1604	34.0.0rc1
2024-01-03T22:28:05.908788+00:00	Arch Linux Importer	Affected by	VCID-wgmj-77cu-aaab	https://security.archlinux.org/AVG-1604	34.0.0rc1