Search for packages
| purl | pkg:deb/debian/nodejs@18.13.0%2Bdfsg1-1 |
| Tags | Ghost |
| Next non-vulnerable version | 20.19.2+dfsg-1 |
| Latest non-vulnerable version | 20.19.2+dfsg-1 |
| Risk | 4.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2hqt-4pa1-aaac
Aliases: CVE-2023-32002 |
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. |
Affected by 14 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-3a15-d62k-aaae
Aliases: CVE-2023-30588 |
When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. |
Affected by 14 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-76ck-4p9k-aaan
Aliases: CVE-2023-30581 |
The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js |
Affected by 14 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-849h-j5yz-aaan
Aliases: CVE-2023-46809 |
Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key. |
Affected by 14 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-ct8v-45pf-aaaj
Aliases: CVE-2023-23920 |
An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-dwjz-y3em-aaam
Aliases: CVE-2023-38552 |
When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-fwx8-w1gn-aaan
Aliases: CVE-2023-23919 |
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-hmkq-2p3p-aaac
Aliases: CVE-2023-30589 GHSA-cggh-pq45-6h9x |
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20 |
Affected by 14 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-huhc-ydq5-aaaa
Aliases: CVE-2023-30590 |
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad. |
Affected by 14 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-mj23-x76p-aaak
Aliases: CVE-2023-32006 |
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. |
Affected by 14 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-q3v8-cbar-aaak
Aliases: CVE-2023-39333 |
Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability affects users of any active release line of Node.js. The vulnerable feature is only available if Node.js is started with the `--experimental-wasm-modules` command line option. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-sv5v-pb1b-aaam
Aliases: CVE-2023-32559 |
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. |
Affected by 14 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-vde9-qtmz-aaab
Aliases: CVE-2023-23918 |
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2024-04-26T05:51:30.778379+00:00 | Debian Importer | Affected by | VCID-849h-j5yz-aaan | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc4 |
| 2024-04-26T04:22:36.975510+00:00 | Debian Importer | Affected by | VCID-q3v8-cbar-aaak | None | 34.0.0rc4 |
| 2024-04-26T04:14:07.260568+00:00 | Debian Importer | Affected by | VCID-dwjz-y3em-aaam | None | 34.0.0rc4 |
| 2024-04-26T03:23:15.340032+00:00 | Debian Importer | Fixing | VCID-sv5v-pb1b-aaam | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc4 |
| 2024-04-26T03:23:13.732763+00:00 | Debian Importer | Affected by | VCID-sv5v-pb1b-aaam | None | 34.0.0rc4 |
| 2024-04-26T03:13:22.612788+00:00 | Debian Importer | Fixing | VCID-mj23-x76p-aaak | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc4 |
| 2024-04-26T03:13:21.802725+00:00 | Debian Importer | Affected by | VCID-mj23-x76p-aaak | None | 34.0.0rc4 |
| 2024-04-26T03:13:18.007927+00:00 | Debian Importer | Fixing | VCID-2hqt-4pa1-aaac | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc4 |
| 2024-04-26T03:13:15.626776+00:00 | Debian Importer | Affected by | VCID-2hqt-4pa1-aaac | None | 34.0.0rc4 |
| 2024-04-26T03:04:02.179984+00:00 | Debian Importer | Fixing | VCID-huhc-ydq5-aaaa | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc4 |
| 2024-04-26T03:04:01.354109+00:00 | Debian Importer | Affected by | VCID-huhc-ydq5-aaaa | None | 34.0.0rc4 |
| 2024-04-26T03:03:58.028500+00:00 | Debian Importer | Fixing | VCID-hmkq-2p3p-aaac | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc4 |
| 2024-04-26T03:03:56.224201+00:00 | Debian Importer | Affected by | VCID-hmkq-2p3p-aaac | None | 34.0.0rc4 |
| 2024-04-26T03:03:53.834232+00:00 | Debian Importer | Affected by | VCID-3a15-d62k-aaae | None | 34.0.0rc4 |
| 2024-04-26T03:03:48.489924+00:00 | Debian Importer | Affected by | VCID-76ck-4p9k-aaan | None | 34.0.0rc4 |
| 2024-04-26T03:03:47.662859+00:00 | Debian Importer | Fixing | VCID-76ck-4p9k-aaan | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc4 |
| 2024-04-26T01:42:32.247489+00:00 | Debian Importer | Affected by | VCID-ct8v-45pf-aaaj | None | 34.0.0rc4 |
| 2024-04-26T01:42:26.495555+00:00 | Debian Importer | Affected by | VCID-fwx8-w1gn-aaan | None | 34.0.0rc4 |
| 2024-04-26T01:42:20.368864+00:00 | Debian Importer | Affected by | VCID-vde9-qtmz-aaab | None | 34.0.0rc4 |
| 2024-01-12T13:50:58.633085+00:00 | Debian Importer | Affected by | VCID-q3v8-cbar-aaak | None | 34.0.0rc2 |
| 2024-01-12T13:46:09.674963+00:00 | Debian Importer | Affected by | VCID-dwjz-y3em-aaam | None | 34.0.0rc2 |
| 2024-01-12T13:13:39.456199+00:00 | Debian Importer | Fixing | VCID-sv5v-pb1b-aaam | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-12T13:13:36.933475+00:00 | Debian Importer | Affected by | VCID-sv5v-pb1b-aaam | None | 34.0.0rc2 |
| 2024-01-12T13:06:50.583352+00:00 | Debian Importer | Fixing | VCID-mj23-x76p-aaak | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-12T13:06:47.182732+00:00 | Debian Importer | Affected by | VCID-mj23-x76p-aaak | None | 34.0.0rc2 |
| 2024-01-12T13:06:44.295682+00:00 | Debian Importer | Fixing | VCID-2hqt-4pa1-aaac | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-12T13:06:41.807806+00:00 | Debian Importer | Affected by | VCID-2hqt-4pa1-aaac | None | 34.0.0rc2 |
| 2024-01-12T13:02:26.272427+00:00 | Debian Importer | Fixing | VCID-huhc-ydq5-aaaa | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-12T13:02:25.383546+00:00 | Debian Importer | Affected by | VCID-huhc-ydq5-aaaa | None | 34.0.0rc2 |
| 2024-01-12T13:02:23.700577+00:00 | Debian Importer | Fixing | VCID-hmkq-2p3p-aaac | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-12T13:02:21.122547+00:00 | Debian Importer | Affected by | VCID-hmkq-2p3p-aaac | None | 34.0.0rc2 |
| 2024-01-12T13:02:18.169866+00:00 | Debian Importer | Affected by | VCID-3a15-d62k-aaae | None | 34.0.0rc2 |
| 2024-01-12T13:02:13.801229+00:00 | Debian Importer | Affected by | VCID-76ck-4p9k-aaan | None | 34.0.0rc2 |
| 2024-01-12T13:02:12.992513+00:00 | Debian Importer | Fixing | VCID-76ck-4p9k-aaan | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-12T11:53:50.083898+00:00 | Debian Importer | Affected by | VCID-ct8v-45pf-aaaj | None | 34.0.0rc2 |
| 2024-01-12T11:53:45.110500+00:00 | Debian Importer | Affected by | VCID-fwx8-w1gn-aaan | None | 34.0.0rc2 |
| 2024-01-12T11:53:40.080918+00:00 | Debian Importer | Affected by | VCID-vde9-qtmz-aaab | None | 34.0.0rc2 |
| 2024-01-05T09:24:53.791762+00:00 | Debian Importer | Affected by | VCID-q3v8-cbar-aaak | None | 34.0.0rc1 |
| 2024-01-05T09:20:10.290866+00:00 | Debian Importer | Affected by | VCID-dwjz-y3em-aaam | None | 34.0.0rc1 |
| 2024-01-05T08:53:51.084680+00:00 | Debian Importer | Fixing | VCID-sv5v-pb1b-aaam | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-05T08:53:48.829754+00:00 | Debian Importer | Affected by | VCID-sv5v-pb1b-aaam | None | 34.0.0rc1 |
| 2024-01-05T08:47:33.460033+00:00 | Debian Importer | Fixing | VCID-mj23-x76p-aaak | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-05T08:47:30.303364+00:00 | Debian Importer | Affected by | VCID-mj23-x76p-aaak | None | 34.0.0rc1 |
| 2024-01-05T08:47:27.515230+00:00 | Debian Importer | Fixing | VCID-2hqt-4pa1-aaac | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-05T08:47:25.027205+00:00 | Debian Importer | Affected by | VCID-2hqt-4pa1-aaac | None | 34.0.0rc1 |
| 2024-01-05T08:43:26.803104+00:00 | Debian Importer | Fixing | VCID-huhc-ydq5-aaaa | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-05T08:43:25.966845+00:00 | Debian Importer | Affected by | VCID-huhc-ydq5-aaaa | None | 34.0.0rc1 |
| 2024-01-05T08:43:24.367199+00:00 | Debian Importer | Fixing | VCID-hmkq-2p3p-aaac | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-05T08:43:21.862099+00:00 | Debian Importer | Affected by | VCID-hmkq-2p3p-aaac | None | 34.0.0rc1 |
| 2024-01-05T08:43:19.342572+00:00 | Debian Importer | Affected by | VCID-3a15-d62k-aaae | None | 34.0.0rc1 |
| 2024-01-05T08:43:15.220981+00:00 | Debian Importer | Affected by | VCID-76ck-4p9k-aaan | None | 34.0.0rc1 |
| 2024-01-05T08:43:14.490113+00:00 | Debian Importer | Fixing | VCID-76ck-4p9k-aaan | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-05T07:57:39.428053+00:00 | Debian Importer | Affected by | VCID-ct8v-45pf-aaaj | None | 34.0.0rc1 |
| 2024-01-05T07:57:34.427451+00:00 | Debian Importer | Affected by | VCID-fwx8-w1gn-aaan | None | 34.0.0rc1 |
| 2024-01-05T07:57:29.452405+00:00 | Debian Importer | Affected by | VCID-vde9-qtmz-aaab | None | 34.0.0rc1 |