CVE-2021-37714 – Crafted input may cause the jsoup HTML and XML parser to get stuck, timeout, or throw unchecked exceptions
https://notcve.org/view.php?id=CVE-2021-37714
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. • https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c https://jsoup.org/news/release-1.14.1 https://jsoup.org/news/release-1.14.2 https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0%40%3Cissues.maven.apache.org%3E https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e%40%3Cissues.maven.apache.org%3E https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7%40%3Cissues.maven.apache.org%3E https://lists.apa • CWE-248: Uncaught Exception CWE-400: Uncontrolled Resource Consumption CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2021-22939 – nodejs: Incomplete validation of tls rejectUnauthorized parameter
https://notcve.org/view.php?id=CVE-2021-22939
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. Si la API https de Node.js, era usada incorrectamente y se pasaba "undefined" para el parámetro "rejectUnauthorized", no fue devuelto ningún error y se aceptaban las conexiones a servidores con un certificado caducado. A flaw was found in Node.js. If the Node.js HTTPS API is used incorrectly and "undefined" is passed for the "rejectUnauthorized" parameter, no error is returned, and the connections to servers with an expired certificate are accepted. The highest threat from this vulnerability is to integrity. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://hackerone.com/reports/1278254 https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases https://security.gentoo.org/glsa/202401-02 https://security.netapp.com/advisory/ntap-20210917-0003 https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://www.oracle.com/security-alerts/cpuoct2021& • CWE-20: Improper Input Validation CWE-295: Improper Certificate Validation •
CVE-2021-22940 – nodejs: Use-after-free on close http2 on stream canceling
https://notcve.org/view.php?id=CVE-2021-22940
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. Node.js versiones anteriores a 16.6.1, 14.17.5 y 12.22.5, es vulnerable a un ataque de uso de memoria previamente liberada donde un atacante podría ser capaz de explotar la corrupción de memoria para cambiar el comportamiento del proceso. A flaw was found in Node.js, where it is vulnerable to a use-after-free attack. This flaw allows an attacker to exploit memory corruption to change process behavior. The highest threat from this vulnerability is to confidentiality and integrity. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://hackerone.com/reports/1238162 https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases https://security.gentoo.org/glsa/202401-02 https://security.netapp.com/advisory/ntap-20210923-0001 https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://www.oracle.com/security-alerts/cpuoct2021& • CWE-416: Use After Free •
CVE-2021-22931 – nodejs: Improper handling of untypical characters in domain names
https://notcve.org/view.php?id=CVE-2021-22931
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. Node.js versiones anteriores a 16.6.0, 14.17.4 y 12.22.4, es vulnerable a una Ejecución de Código Remota , ataques de tipo XSS, bloqueo de Aplicaciones debido a una falta de comprobación de entrada de los nombres de host devueltos por los Servidores de Nombres de Dominio en la librería dns de Node.js, que puede conllevar a la salida de nombres de host erróneos (conllevando al Secuestro de Dominio) y vulnerabilidades de inyección en aplicaciones que usan la librería. A flaw was found in Node.js. These vulnerabilities include remote code execution, Cross-site scripting (XSS), application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library, which can lead to the output of wrong hostnames (leading to Domain hijacking) and injection vulnerabilities in applications using the library. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://hackerone.com/reports/1178337 https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases https://security.gentoo.org/glsa/202401-02 https://security.netapp.com/advisory/ntap-20210923-0001 https://security.netapp.com/advisory/ntap-20211022-0003 https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://www.oracle.com/security-alerts/cpuoct2021.html https: • CWE-20: Improper Input Validation CWE-170: Improper Null Termination •
CVE-2021-37695 – Execution of JavaScript code using malformed HTML in ckeditor
https://notcve.org/view.php?id=CVE-2021-37695
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. • https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58 https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW https://lists.fedoraproject.org/archives/list/package-announce%40lists& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •