CVE-2020-8172 – nodejs: TLS session reuse can lead to hostname verification bypass
https://notcve.org/view.php?id=CVE-2020-8172
TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0. La reutilización de una sesión TLS puede conllevar a una omisión de la verificación del certificado del host en node versión anterior a 12.18.0 y anterior a 14.4.0 A TLS Hostname verification bypass vulnerability exists in NodeJS. This flaw allows an attacker to bypass TLS Hostname verification when a TLS client reuses HTTPS sessions. • https://hackerone.com/reports/811502 https://nodejs.org/en/blog/vulnerability/june-2020-security-releases https://security.gentoo.org/glsa/202101-07 https://security.netapp.com/advisory/ntap-20200625-0002 https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://ac • CWE-285: Improper Authorization CWE-295: Improper Certificate Validation •
CVE-2020-11080 – Denial of service in nghttp2
https://notcve.org/view.php?id=CVE-2020-11080
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090 https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394 https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject& • CWE-400: Uncontrolled Resource Consumption CWE-707: Improper Neutralization CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2019-15606 – nodejs: HTTP header values do not have trailing optional whitespace trimmed
https://notcve.org/view.php?id=CVE-2019-15606
Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons Una inclusión de espacios en blanco finales en los valores de encabezado HTTP en Nodejs versiones 10, 12 y 13, causa una omisión de autorización según las comparaciones de valores de encabezado. A flaw was found in Node.js where the HTTP(s) header values were not stripped of trailing whitespace. An attacker can use this flaw to send an HTTP(s) request which is validated by an upstream proxy server, but not by the Node.js HTTP(s) server. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html https://access.redhat.com/errata/RHSA-2020:0573 https://access.redhat.com/errata/RHSA-2020:0579 https://access.redhat.com/errata/RHSA-2020:0597 https://access.redhat.com/errata/RHSA-2020:0598 https://access.redhat.com/errata/RHSA-2020:0602 https://hackerone.com/reports/730779 https://nodejs.org/en/blog/release/v10.19.0 https://nodejs.org/en/blog/release/v12.15.0 https://nodejs.org/en/b • CWE-20: Improper Input Validation CWE-138: Improper Neutralization of Special Elements •
CVE-2019-15604 – nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string
https://notcve.org/view.php?id=CVE-2019-15604
Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate Una Comprobación Inapropiada del Certificado en Node.js versiones 10, 12 y 13, causa que el proceso se aborte cuando se envía un certificado X.509 diseñado. An encoding error flaw exists in the Node.js code that is used to read a peer certificate in the TLS client authentication. An attacker can use this flaw to crash the process used to handle TLS client authentication. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html https://access.redhat.com/errata/RHSA-2020:0573 https://access.redhat.com/errata/RHSA-2020:0579 https://access.redhat.com/errata/RHSA-2020:0597 https://access.redhat.com/errata/RHSA-2020:0598 https://access.redhat.com/errata/RHSA-2020:0602 https://hackerone.com/reports/746733 https://nodejs.org/en/blog/release/v10.19.0 https://nodejs.org/en/blog/release/v12.15.0 https://nodejs.org/en/b • CWE-172: Encoding Error CWE-295: Improper Certificate Validation •
CVE-2019-15605 – nodejs: HTTP request smuggling using malformed Transfer-Encoding header
https://notcve.org/view.php?id=CVE-2019-15605
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed El tráfico no autorizado de peticiones HTTP en Node.js versiones 10, 12 y 13, causa la entrega maliciosa de la carga útil cuando la codificación de transferencia es malformada. A flaw was found in the Node.js code where a specially crafted HTTP(s) request sent to a Node.js server failed to properly process the HTTP(s) headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is deployed behind a proxy server that reuses connections. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html https://access.redhat.com/errata/RHSA-2020:0573 https://access.redhat.com/errata/RHSA-2020:0579 https://access.redhat.com/errata/RHSA-2020:0597 https://access.redhat.com/errata/RHSA-2020:0598 https://access.redhat.com/errata/RHSA-2020:0602 https://access.redhat.com/errata/RHSA-2020:0703 https://access.redhat.com/errata/RHSA-2020:0707 https://access.redhat.com/errata/RHSA-2020:0708 https://hackerone& • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •