17 results (0.013 seconds)

CVSS: 8.1EPSS: 0%CPEs: 5EXPL: 0

11 Feb 2020 — The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from releasing the locks of other threads, which allows attackers to cause a denial of service (deadlock) or possibly have unspecified other impact by leveraging a race condition. La implementación fallback de uv_rwlock_t para Windows XP y Server 2003 en libuv versiones anteriores a 1.7.4, no impide apropiadamente que los subprocesos (hilos) liberen los bloqueos de otros subprocesos... • https://github.com/libuv/libuv/issues/515 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

23 Jan 2017 — The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters. El paquete validator en versiones anteriores a 2.0.0 para Node.js permite a atacantes remotos eludir el filtro de secuencias de comandos en sitios cruzados (XSS) a través de caracteres hex codificados. • http://www.openwall.com/lists/oss-security/2016/04/20/11 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 0

23 Jan 2017 — The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." El paquete semver en versiones anteriores a 4.3.2 para Node.js permite a atacantes provocar una denegación de servicio (consumo de CPU) a través de una cadena de versión larga, vulnerabilidad también conocida como "denegación de servicio de expresión regular (ReDoS)". • http://www.openwall.com/lists/oss-security/2016/04/20/11 • CWE-399: Resource Management Errors •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

23 Jan 2017 — The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive. El paquete tar en versiones anteriores a 2.0.0 para Node.js permite a atacantes remotos ercribir archivos arbitrarios a través de un ataque de enlace simbólico en un archivo. • http://www.openwall.com/lists/oss-security/2016/04/20/11 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVSS: 6.1EPSS: 0%CPEs: 98EXPL: 0

10 Oct 2016 — CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument. Vulnerabilidad de inyección CRLF en la función ServerResponse#writeHead en Node.js 0.10.x en versiones anteriores a 0.10.47, 0.12.x en versiones anteriores a 0.12.16, 4.x en versiones anteriores a 4.6.0 y 6.x en versione... • http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •

CVSS: 9.8EPSS: 15%CPEs: 32EXPL: 0

03 Oct 2016 — Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot. Desbordamiento de búfer basado en memoria dinámica en la función ares_create_query en c-ares 1.x en versiones anteriores a 1.12.0 permite a atacantes remotos provocar una denegación de servicio (escritura fuera de límites) o posiblemente ejecutar código arbitrario a t... • http://rhn.redhat.com/errata/RHSA-2017-0002.html • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •

CVSS: 7.5EPSS: 40%CPEs: 45EXPL: 2

01 Sep 2016 — The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. Los cifrados DES y Triple DES, como se usan en los protocolos TLS, SSH e IPSec y otros protocolos y productos, tienen ... • https://packetstorm.news/files/id/142756 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVSS: 7.5EPSS: 2%CPEs: 95EXPL: 0

02 Jul 2016 — The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers. La CLI en npm en versiones anteriores a 2.15.1 y 3.x en versiones anteriores a 3.8.3, tal como se utiliza en Node.js 0.10 en versiones anteriores a 0.10.44, 0.12 en versiones anteriores a 0.12.13, 4 en versiones ante... • http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.5EPSS: 0%CPEs: 45EXPL: 0

20 Jun 2016 — The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack. La función dsa_sign_setup en crypto/dsa/dsa_ossl.c en OpenSSL hasta la versión 1.0.2h no asegura correctamente la utilización de operaciones de tiempo constante, lo que facilita a usuarios locales descubrir una clave privada DSA a través de un ataque de sincronización ... • http://eprint.iacr.org/2016/594.pdf • CWE-203: Observable Discrepancy CWE-385: Covert Timing Channel •

CVSS: 9.3EPSS: 5%CPEs: 13EXPL: 0

13 May 2016 — The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as used in Google Chrome before 50.0.2661.102, does not properly determine when to expand certain memory allocations, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via crafted JavaScript code. La función Zone::New en zone.cc en Google V8 en versiones anteriores a 5.0.71.47, tal como se utiliza en Google Chrome en versiones anteriores a 50.0.2661.102, no determina correcta... • http://googlechromereleases.blogspot.com/2016/05/stable-channel-update.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-190: Integer Overflow or Wraparound •