CVSS: 7.8EPSS: 0%CPEs: 18EXPL: 0CVE-2024-22019 – nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
https://notcve.org/view.php?id=CVE-2024-22019
20 Feb 2024 — A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits. Una vulnerabilidad en los servidores HTTP de Node.js permite a un atacan... • http://www.openwall.com/lists/oss-security/2024/03/11/1 • CWE-400: Uncontrolled Resource Consumption CWE-404: Improper Resource Shutdown or Release •
CVSS: 9.8EPSS: 0%CPEs: 18EXPL: 0CVE-2024-21892 – nodejs: code injection and privilege escalation through Linux capabilities
https://notcve.org/view.php?id=CVE-2024-21892
20 Feb 2024 — On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges. En Linux, Node.js ignora ciertas variables de entorno si p... • http://www.openwall.com/lists/oss-security/2024/03/11/1 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-269: Improper Privilege Management •