oss-sec mailing list archives
various vulnerabilities in Node.js packages
From: cve-assign () mitre org
Date: Wed, 20 Apr 2016 17:16:24 -0400 (EDT)
The CVE Assignment Team received a request (on an unexpected mailing list) for CVE IDs for several Node.js packages. Because everything was open source and post-disclosure, we are sending IDs here instead.
https://nodesecurity.io/advisories/23 marked package before 0.3.4 for Node.js - ReDoS
Use CVE-2015-8854.
https://nodesecurity.io/advisories/28 The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
This does not have a CVE ID, as discussed in the http://www.openwall.com/lists/oss-security/2014/09/30/10 post.
https://nodesecurity.io/advisories/31 semver package before 4.3.2 for Node.js - ReDoS
Use CVE-2015-8855.
https://nodesecurity.io/advisories/34 serve-index package before 1.6.3 for Node.js - XSS
Use CVE-2015-8856.
https://nodesecurity.io/advisories/37 syntax-error
Use CVE-2014-7192 as described in the http://www.openwall.com/lists/oss-security/2014/09/30/10 post and the http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7192 page.
https://nodesecurity.io/advisories/39 uglify-js package before 2.4.24 for Node.js - non-boolean comparison mishandling
Use CVE-2015-8857.
https://nodesecurity.io/advisories/41 validator package before 1.1.0 for Node.js
XSS filter bypass - nested tags
Use CVE-2013-7451.
XSS filter bypass - javascript: URIs
Use CVE-2013-7452.
XSS filter bypass - UI redressing
Use CVE-2013-7453.
XSS filter bypass - nested forbidden strings
Use CVE-2013-7454.
https://nodesecurity.io/advisories/43 validator package before 2.0.0 for Node.js - XSS filter bypass - hex encoding
Use CVE-2014-9772.
https://nodesecurity.io/advisories/46 ms package before 0.7.0 for Node.js - ReDoS
Use CVE-2015-8315.
https://nodesecurity.io/advisories/48 uglify-js package before 2.6.0 for Node.js - ReDoS
Use CVE-2015-8858.
https://nodesecurity.io/advisories/55 moment package before 2.11.2 for Node.js - ReDoS
Use CVE-2016-4055.
https://nodesecurity.io/advisories/56 send package before 0.11.1 for Node.js - path disclosure
Use CVE-2015-8859.
https://nodesecurity.io/advisories/57 tar package before 2.0.0 for Node.js - symlink mishandling
Use CVE-2015-8860.
https://nodesecurity.io/advisories/61 handlebars package before 4.0.0 for Node.js - injection
Use CVE-2015-8861.
https://nodesecurity.io/advisories/62 mustache package before 2.2.1 for Node.js - injection
Use CVE-2015-8862.
https://nodesecurity.io/advisories/76
is-my-json-valid - Use CVE-2016-2537 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2537
https://nodesecurity.io/advisories/77
hawk - Use CVE-2016-2515 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2515
--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]