4 results (0.004 seconds)

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs. • http://www.openwall.com/lists/oss-security/2023/08/16/3 https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3196 •

CVSS: 6.8EPSS: 2%CPEs: 58EXPL: 1

Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack. Node.js 0.8 anterior a 0.8.28 y 0.10 anterior a 0.10.30 no considera la posibilidad del procesamiento recursivo que provoca la recolección de basura V8 en conjunto con una interrupción V8, lo que permite a atacantes remotos causar una denegación de servicio (corrupción de la memoria y caída de la aplicación) a través de objetos JSON profundos cuyo análisis sintáctico deje que esta interrupción enmascare un desbordamiento de la pila del programa. It was discovered that V8 did not properly check the stack size limit in certain cases. A remote attacker able to send a request that caused a script executed by V8 to use deep recursion could trigger a stack overflow, leading to a crash of an application using V8. • http://advisories.mageia.org/MGASA-2014-0516.html http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow http://secunia.com/advisories/61260 http://www-01.ibm.com/support/docview.wss?uid=swg21684769 http://www.mandriva.com/security/advisories?name=MDVSA-2015:142 https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356 https://access.redhat.com/security/cve/CVE-2014-5256 https://bugzilla.redhat.com/show_bug.cgi?id=1125464 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •

CVSS: 5.0EPSS: 11%CPEs: 47EXPL: 1

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined requests without reading the response. El servidor HTTP en Node.js 0.10.x anterior a la versión 0.10.21 y 0.8.x anterior a 0.8.26 permite a atacantes remotos provocar una denegación de servicio (consumo de memoria y CPU) mediante el envío de un número largo de solicitudes canalizadas sin leer la respuesta. • http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance http://lists.opensuse.org/opensuse-updates/2013-12/msg00051.html http://rhn.redhat.com/errata/RHSA-2013-1842.html http://www.openwall.com/lists/oss-security/2013/10/20/1 http://www.securityfocus.com/bid/63229 https://github.com/joyent/node/issues/6214 https://github.com/rapid7/metasploit-framework/pull/2548 https://groups.google.com/forum/# • CWE-20: Improper Input Validation •

CVSS: 6.4EPSS: 0%CPEs: 9EXPL: 2

The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive information (request header contents) and possibly spoof HTTP headers via a zero length string. El método de actualización (Update) en src/node_http_parser.cc en Node.js antes de v0.6.17 y v0.7 antes de v0.7.8 no comprueba correctamente la longitud de una cadena, lo que permite a atacantes remotos obtener información sensible (contenidos del encabezado de la solicitud) y, posiblemente, HTTP falsear cabeceras a través de una cadena de longitud cero. • http://blog.nodejs.org/2012/05/04/version-0-6-17-stable http://secunia.com/advisories/49066 http://www.openwall.com/lists/oss-security/2012/05/08/4 http://www.openwall.com/lists/oss-security/2012/05/08/8 https://github.com/joyent/node/commit/7b3fb22 https://github.com/joyent/node/commit/c9a231d https://support.f5.com/csp/article/K99038439?utm_source=f5support&amp%3Butm_medium=RSS • CWE-20: Improper Input Validation •