The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Node.js Core

vulnerability announce CVE-2018-1000168

Nghttp2: NULL pointer dereference via ALTSVC Frame

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced via ALTSVC Frame of Nghttp2, in order to trigger a denial of service.
Impacted products: Fedora, IBM i, IRAD, Nodejs Core, openSUSE Leap, Solaris, SLES.
Severity: 3/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 23/04/2018.
Identifiers: bulletinoct2018, CVE-2018-1000168, FEDORA-2018-cec96a9c41, ibm10715995, ibm10728705, openSUSE-SU-2018:1963-1, SUSE-SU-2018:1918-1, VIGILANCE-VUL-25942.

Description of the vulnerability

An attacker can force a NULL pointer to be dereferenced via ALTSVC Frame of Nghttp2, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2018-0737

OpenSSL: information disclosure via RSA Constant Time Key Generation

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via RSA Constant Time Key Generation of OpenSSL, in order to obtain sensitive information.
Impacted products: Debian, AIX, BladeCenter, IBM i, Juniper EX-Series, Juniper J-Series, Junos OS, SRX-Series, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Nodejs Core, OpenBSD, OpenSSL, openSUSE Leap, Oracle Communications, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Solaris, Tuxedo, Oracle Virtual Directory, VirtualBox, WebLogic, Palo Alto Firewall PA***, PAN-OS, Percona Server, XtraBackup, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Nessus, Ubuntu, X2GoClient.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 17/04/2018.
Identifiers: bulletinjul2018, CERTFR-2018-AVI-511, CERTFR-2018-AVI-607, cpuapr2019, cpujan2019, cpujul2019, cpuoct2018, CVE-2018-0737, DLA-1449-1, DSA-4348-1, DSA-4355-1, ibm10729805, ibm10743283, ibm10880781, JSA10919, openSUSE-SU-2018:2695-1, openSUSE-SU-2018:2957-1, openSUSE-SU-2018:3015-1, openSUSE-SU-2019:0152-1, openSUSE-SU-2019:1432-1, PAN-SA-2018-0015, RHSA-2018:3221-01, SSA:2018-226-01, SUSE-SU-2018:2486-1, SUSE-SU-2018:2492-1, SUSE-SU-2018:2683-1, SUSE-SU-2018:2928-1, SUSE-SU-2018:2965-1, SUSE-SU-2018:3864-1, SUSE-SU-2018:3864-2, SUSE-SU-2019:0197-1, SUSE-SU-2019:0512-1, SUSE-SU-2019:1553-1, TNS-2018-14, TNS-2018-17, TSB17568, USN-3628-1, USN-3628-2, USN-3692-1, USN-3692-2, VIGILANCE-VUL-25884.

Description of the vulnerability

An attacker can bypass access restrictions to data via RSA Constant Time Key Generation of OpenSSL, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2018-7160

Node Core: code execution via Inspector DNS Rebinding

Synthesis of the vulnerability

An attacker can use a vulnerability via Inspector DNS Rebinding of Node Core, in order to run code.
Impacted products: Fedora, IBM i, Nodejs Core, openSUSE Leap.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet server.
Creation date: 29/03/2018.
Identifiers: CVE-2018-7160, FEDORA-2018-e672eaf4df, FEDORA-2018-ecf73042e3, ibm10715995, openSUSE-SU-2018:1209-1, VIGILANCE-VUL-25723.

Description of the vulnerability

An attacker can use a vulnerability via Inspector DNS Rebinding of Node Core, in order to run code.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2018-7159

Node Core: vulnerability via HTTP Content-Length Spaces

Synthesis of the vulnerability

A vulnerability via HTTP Content-Length Spaces of Node Core was announced.
Impacted products: BIG-IP Hardware, TMOS, Fedora, IBM i, Nodejs Core, openSUSE Leap, RHEL.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: internet client.
Creation date: 29/03/2018.
Identifiers: CVE-2018-7159, FEDORA-2018-e672eaf4df, FEDORA-2018-ecf73042e3, ibm10715995, K27228191, openSUSE-SU-2018:0967-1, openSUSE-SU-2018:1209-1, RHSA-2019:2258-01, VIGILANCE-VUL-25722.

Description of the vulnerability

A vulnerability via HTTP Content-Length Spaces of Node Core was announced.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2018-7158

Node Core: denial of service via Path Regular Expression

Synthesis of the vulnerability

An attacker can generate a fatal error via Path Regular Expression of Node Core, in order to trigger a denial of service.
Impacted products: Fedora, IBM i, Nodejs Core, openSUSE Leap.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: internet client.
Creation date: 29/03/2018.
Identifiers: CVE-2018-7158, FEDORA-2018-e672eaf4df, FEDORA-2018-ecf73042e3, ibm10715995, openSUSE-SU-2018:0967-1, openSUSE-SU-2018:1209-1, VIGILANCE-VUL-25721.

Description of the vulnerability

An attacker can generate a fatal error via Path Regular Expression of Node Core, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability 25365

Node Core: buffer overflow via fs.readdirSync

Synthesis of the vulnerability

An attacker can generate a buffer overflow via fs.readdirSync() of Node Core, in order to trigger a denial of service, and possibly to run code.
Impacted products: Nodejs Core.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights, denial of service on service.
Provenance: user account.
Creation date: 23/02/2018.
Identifiers: VIGILANCE-VUL-25365.

Description of the vulnerability

An attacker can generate a buffer overflow via fs.readdirSync() of Node Core, in order to trigger a denial of service, and possibly to run code.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2017-15897

Node Core: information disclosure via Fill Value Encoding

Synthesis of the vulnerability

A local attacker can read a memory fragment via Fill Value Encoding of Node Core, in order to obtain sensitive information.
Impacted products: Fedora, Nodejs Core.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 11/12/2017.
Identifiers: CVE-2017-15897, FEDORA-2017-e6be32cb7a, VIGILANCE-VUL-24728.

Description of the vulnerability

A local attacker can read a memory fragment via Fill Value Encoding of Node Core, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2017-15896

Node Core: information disclosure via SSL_read

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via SSL_read() of Node Core, in order to obtain sensitive information.
Impacted products: Fedora, Junos Space, Nodejs Core, openSUSE Leap.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 11/12/2017.
Identifiers: CVE-2017-15896, FEDORA-2017-e6be32cb7a, JSA10873, openSUSE-SU-2018:0029-1, openSUSE-SU-2018:0315-1, VIGILANCE-VUL-24727.

Description of the vulnerability

An attacker can bypass access restrictions to data via SSL_read() of Node Core, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2017-3738

OpenSSL: information disclosure via rsaz_1024_mul_avx2

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via rsaz_1024_mul_avx2() of OpenSSL, in order to obtain sensitive information.
Impacted products: ProxySG par Blue Coat, SGOS by Blue Coat, Debian, Fedora, FreeBSD, hMailServer, DB2 UDB, QRadar SIEM, Tivoli Storage Manager, Juniper J-Series, Junos OS, NSM Central Manager, NSMXpress, SRX-Series, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Nodejs Core, OpenSSL, openSUSE Leap, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Solaris, Tuxedo, Oracle Virtual Directory, VirtualBox, WebLogic, Percona Server, pfSense, RHEL, Slackware, ProxySG by Symantec, SGOS by Symantec, Synology DSM, Synology DS***, Synology RS***, Ubuntu, WinSCP, X2GoClient.
Severity: 1/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 07/12/2017.
Identifiers: 2014324, bulletinapr2018, bulletinjan2018, CERTFR-2017-AVI-452, CERTFR-2018-AVI-155, cpuapr2018, cpuapr2019, cpujan2018, cpujan2019, cpujul2018, cpujul2019, cpuoct2018, CVE-2017-3738, DSA-4065-1, DSA-4157-1, FEDORA-2017-e6be32cb7a, FreeBSD-SA-17:12.openssl, ibm10716907, ibm10717405, ibm10717409, ibm10719113, JSA10851, openSUSE-SU-2017:3345-1, openSUSE-SU-2018:0029-1, openSUSE-SU-2018:0315-1, RHSA-2018:0998-01, SA159, SSA:2017-342-01, swg21647054, USN-3512-1, VIGILANCE-VUL-24698.

Description of the vulnerability

An attacker can bypass access restrictions to data via rsaz_1024_mul_avx2() of OpenSSL, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2017-3735

OpenSSL: out-of-bounds memory reading via X.509 IPAddressFamily

Synthesis of the vulnerability

An attacker can force a read at an invalid address via X.509 IPAddressFamily of OpenSSL, in order to trigger a denial of service, or to obtain sensitive information.
Impacted products: Mac OS X, Blue Coat CAS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Debian, Fedora, FreeBSD, hMailServer, AIX, WebSphere MQ, Juniper J-Series, Junos OS, NSM Central Manager, NSMXpress, SRX-Series, MariaDB ~ precise, McAfee Web Gateway, MySQL Community, MySQL Enterprise, Nodejs Core, OpenSSL, openSUSE Leap, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle Internet Directory, Solaris, Tuxedo, WebLogic, Percona Server, pfSense, RHEL, stunnel, SUSE Linux Enterprise Desktop, SLES, Symantec Content Analysis, ProxySG by Symantec, SGOS by Symantec, Synology DSM, Synology DS***, Synology RS***, Nessus, Ubuntu, X2GoClient.
Severity: 2/4.
Consequences: data reading, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 02/11/2017.
Identifiers: 2011879, 2013026, 2014367, bulletinapr2018, CERTFR-2017-AVI-391, cpuapr2018, cpuapr2019, cpujan2018, cpujan2019, cpujul2018, cpujul2019, cpuoct2018, CVE-2017-3735, DSA-4017-1, DSA-4018-1, FEDORA-2017-4cf72e2c11, FEDORA-2017-512a6c5aae, FEDORA-2017-55a3247cfd, FEDORA-2017-7f30914972, FEDORA-2017-dbec196dd8, FreeBSD-SA-17:11.openssl, HT208331, HT208394, ibm10715641, ibm10738249, JSA10851, openSUSE-SU-2017:3192-1, openSUSE-SU-2018:0029-1, openSUSE-SU-2018:0315-1, RHSA-2018:3221-01, SA157, SB10211, SUSE-SU-2017:2968-1, SUSE-SU-2017:2981-1, SUSE-SU-2018:0112-1, TNS-2017-15, USN-3475-1, VIGILANCE-VUL-24317.

Description of the vulnerability

An attacker can force a read at an invalid address via X.509 IPAddressFamily of OpenSSL, in order to trigger a denial of service, or to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Node.js Core: