CVSS: 3.7EPSS: 0%CPEs: 2EXPL: 0CVE-2020-2900
https://notcve.org/view.php?id=CVE-2020-2900
15 Apr 2020 — Vulnerability in the Oracle GraalVM Enterprise Edition product of Oracle GraalVM (component: Tools). Supported versions that are affected are 19.3.1 and 20.0.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some o... • https://www.oracle.com/security-alerts/cpuapr2020.html •
CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0CVE-2020-2799
https://notcve.org/view.php?id=CVE-2020-2799
15 Apr 2020 — Vulnerability in the Oracle GraalVM Enterprise Edition product of Oracle GraalVM (component: GraalVM Compiler). Supported versions that are affected are 19.3.1 and 20.0.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise Oracle GraalVM Enterprise Edition. While the vulnerability is in Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthor... • https://www.oracle.com/security-alerts/cpuapr2020.html •
CVSS: 7.7EPSS: 0%CPEs: 2EXPL: 0CVE-2020-2802
https://notcve.org/view.php?id=CVE-2020-2802
15 Apr 2020 — Vulnerability in the Oracle GraalVM Enterprise Edition product of Oracle GraalVM (component: GraalVM Compiler). Supported versions that are affected are 19.3.1 and 20.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise Oracle GraalVM Enterprise Edition. While the vulnerability is in Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthoriz... • https://www.oracle.com/security-alerts/cpuapr2020.html •
CVSS: 9.8EPSS: 2%CPEs: 10EXPL: 1CVE-2019-15606 – nodejs: HTTP header values do not have trailing optional whitespace trimmed
https://notcve.org/view.php?id=CVE-2019-15606
07 Feb 2020 — Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons Una inclusión de espacios en blanco finales en los valores de encabezado HTTP en Nodejs versiones 10, 12 y 13, causa una omisión de autorización según las comparaciones de valores de encabezado. A flaw was found in Node.js where the HTTP(s) header values were not stripped of trailing whitespace. An attacker can use this flaw to send an HTTP(s) request which is valida... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html • CWE-20: Improper Input Validation CWE-138: Improper Neutralization of Special Elements •
CVSS: 7.5EPSS: 5%CPEs: 20EXPL: 1CVE-2019-15604 – nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string
https://notcve.org/view.php?id=CVE-2019-15604
07 Feb 2020 — Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate Una Comprobación Inapropiada del Certificado en Node.js versiones 10, 12 y 13, causa que el proceso se aborte cuando se envía un certificado X.509 diseñado. An encoding error flaw exists in the Node.js code that is used to read a peer certificate in the TLS client authentication. An attacker can use this flaw to crash the process used to handle TLS client authentication. Rogier Scho... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html • CWE-172: Encoding Error CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 43%CPEs: 26EXPL: 1CVE-2019-15605 – nodejs: HTTP request smuggling using malformed Transfer-Encoding header
https://notcve.org/view.php?id=CVE-2019-15605
07 Feb 2020 — HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed El tráfico no autorizado de peticiones HTTP en Node.js versiones 10, 12 y 13, causa la entrega maliciosa de la carga útil cuando la codificación de transferencia es malformada. A flaw was found in the Node.js code where a specially crafted HTTP(s) request sent to a Node.js server failed to properly process the HTTP(s) headers, resulting in a request smuggling attack. An attacker can use thi... • https://github.com/jlcarruda/node-poc-http-smuggling • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.7EPSS: 0%CPEs: 8EXPL: 0CVE-2019-16775 – Unauthorized File Access in npm CLI before before version 6.13.3
https://notcve.org/view.php?id=CVE-2019-16775
13 Dec 2019 — Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignor... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html • CWE-20: Improper Input Validation CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-61: UNIX Symbolic Link (Symlink) Following •