Action not permitted
Modal body text goes here.
Modal Title
Modal Body
alsa-2021:0551
Vulnerability from osv_almalinux
Published
2021-02-16 07:34
Modified
2021-02-16 13:03
Summary
Moderate: nodejs:14 security and bug fix update
Details
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: nodejs (14.15.4).
Security Fix(es):
-
nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754)
-
nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)
-
nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)
-
nodejs: use-after-free in the TLS implementation (CVE-2020-8265)
-
c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277)
-
nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)
-
nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- yarn install crashes with nodejs:14 on aarch64 (BZ#1916465)
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs-nodemon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.3-1.module_el8.4.0+2521+c668cc9f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs-packaging"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "23-3.module_el8.5.0+254+b4526b16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs-packaging"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "23-3.module_el8.4.0+2522+3bd42762"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs (14.15.4).\n\nSecurity Fix(es):\n\n* nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754)\n\n* nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)\n\n* nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)\n\n* nodejs: use-after-free in the TLS implementation (CVE-2020-8265)\n\n* c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277)\n\n* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)\n\n* nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* yarn install crashes with nodejs:14 on aarch64 (BZ#1916465)",
"id": "ALSA-2021:0551",
"modified": "2021-02-16T13:03:09Z",
"published": "2021-02-16T07:34:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2021-0551.html"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-15366"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-7754"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-7774"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-7788"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-8265"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-8277"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-8287"
}
],
"related": [
"CVE-2020-7754",
"CVE-2020-7774",
"CVE-2020-7788",
"CVE-2020-8265",
"CVE-2020-8277",
"CVE-2020-15366",
"CVE-2020-8287"
],
"summary": "Moderate: nodejs:14 security and bug fix update"
}
CVE-2020-8277 (GCVE-0-2020-8277)
Vulnerability from cvelistv5 – Published: 2020-11-19 00:32 – Updated: 2025-04-30 22:24
VLAI?
EPSS
Summary
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
Severity ?
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NodeJS | Node |
Affected:
4.0 , < 4.*
(semver)
Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.19.1 (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.15.1 (semver) Affected: 15.0 , < 15.2.1 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:28.290Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1033107"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/"
},
{
"name": "FEDORA-2020-7473744de1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A7WH7W46OZSEUHWBHD7TCH3LRFY52V6Z/"
},
{
"name": "FEDORA-2020-307e873389",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEJBY3RJB3XWUOJFGZM5E3EMQ7MFM3UT/"
},
{
"name": "GLSA-202012-11",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202012-11"
},
{
"name": "GLSA-202101-07",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202101-07"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "FEDORA-2021-afed2b904e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXLJY4764LYVJPC7NCDLE2UMQ3QC5OI2/"
},
{
"name": "FEDORA-2021-ee913722db",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEIV4CH6KNVZK63Y6EKVN2XDW7IHSJBJ/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Node",
"vendor": "NodeJS",
"versions": [
{
"lessThan": "4.*",
"status": "affected",
"version": "4.0",
"versionType": "semver"
},
{
"lessThan": "5.*",
"status": "affected",
"version": "5.0",
"versionType": "semver"
},
{
"lessThan": "6.*",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "7.*",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "8.*",
"status": "affected",
"version": "8.0",
"versionType": "semver"
},
{
"lessThan": "9.*",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "11.*",
"status": "affected",
"version": "11.0",
"versionType": "semver"
},
{
"lessThan": "12.19.1",
"status": "affected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThan": "13.*",
"status": "affected",
"version": "13.0",
"versionType": "semver"
},
{
"lessThan": "14.15.1",
"status": "affected",
"version": "14.0",
"versionType": "semver"
},
{
"lessThan": "15.2.1",
"status": "affected",
"version": "15.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions \u003c 15.2.1, \u003c 14.15.1, and \u003c 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T22:24:27.745Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1033107"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/"
},
{
"name": "FEDORA-2020-7473744de1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A7WH7W46OZSEUHWBHD7TCH3LRFY52V6Z/"
},
{
"name": "FEDORA-2020-307e873389",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEJBY3RJB3XWUOJFGZM5E3EMQ7MFM3UT/"
},
{
"name": "GLSA-202012-11",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202012-11"
},
{
"name": "GLSA-202101-07",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202101-07"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "FEDORA-2021-afed2b904e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXLJY4764LYVJPC7NCDLE2UMQ3QC5OI2/"
},
{
"name": "FEDORA-2021-ee913722db",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEIV4CH6KNVZK63Y6EKVN2XDW7IHSJBJ/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8277",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "https://github.com/nodejs/node",
"version": {
"version_data": [
{
"version_value": "Fixed in 15.2.1, 14.15.1, 12.19.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions \u003c 15.2.1, \u003c 14.15.1, and \u003c 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/1033107",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1033107"
},
{
"name": "https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/"
},
{
"name": "FEDORA-2020-7473744de1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A7WH7W46OZSEUHWBHD7TCH3LRFY52V6Z/"
},
{
"name": "FEDORA-2020-307e873389",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEJBY3RJB3XWUOJFGZM5E3EMQ7MFM3UT/"
},
{
"name": "GLSA-202012-11",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202012-11"
},
{
"name": "GLSA-202101-07",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202101-07"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "FEDORA-2021-afed2b904e",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXLJY4764LYVJPC7NCDLE2UMQ3QC5OI2/"
},
{
"name": "FEDORA-2021-ee913722db",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEIV4CH6KNVZK63Y6EKVN2XDW7IHSJBJ/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8277",
"datePublished": "2020-11-19T00:32:13.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2025-04-30T22:24:27.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8287 (GCVE-0-2020-8287)
Vulnerability from cvelistv5 – Published: 2021-01-06 00:00 – Updated: 2025-04-30 22:24
VLAI?
EPSS
Summary
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.
Severity ?
No CVSS data available.
CWE
- CWE-444 - HTTP Request Smuggling (CWE-444)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NodeJS | Node |
Affected:
4.0 , < 4.*
(semver)
Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.23.1 (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.20.1 (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.15.4 (semver) Affected: 15.0 , < 15.5.1 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:28.289Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://hackerone.com/reports/1002188"
},
{
"tags": [
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/"
},
{
"name": "DSA-4826",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4826"
},
{
"name": "FEDORA-2021-fb1a136393",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/"
},
{
"name": "GLSA-202101-07",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202101-07"
},
{
"name": "FEDORA-2021-d5b2c18fe6",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210212-0003/"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"name": "[debian-lts-announce] 20221205 [SECURITY] [DLA 3224-1] http-parser security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Node",
"vendor": "NodeJS",
"versions": [
{
"lessThan": "4.*",
"status": "affected",
"version": "4.0",
"versionType": "semver"
},
{
"lessThan": "5.*",
"status": "affected",
"version": "5.0",
"versionType": "semver"
},
{
"lessThan": "6.*",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "7.*",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "8.*",
"status": "affected",
"version": "8.0",
"versionType": "semver"
},
{
"lessThan": "9.*",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "10.23.1",
"status": "affected",
"version": "10.0",
"versionType": "semver"
},
{
"lessThan": "11.*",
"status": "affected",
"version": "11.0",
"versionType": "semver"
},
{
"lessThan": "12.20.1",
"status": "affected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThan": "13.*",
"status": "affected",
"version": "13.0",
"versionType": "semver"
},
{
"lessThan": "14.15.4",
"status": "affected",
"version": "14.0",
"versionType": "semver"
},
{
"lessThan": "15.5.1",
"status": "affected",
"version": "15.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "HTTP Request Smuggling (CWE-444)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T22:24:29.487Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://hackerone.com/reports/1002188"
},
{
"url": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/"
},
{
"name": "DSA-4826",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4826"
},
{
"name": "FEDORA-2021-fb1a136393",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/"
},
{
"name": "GLSA-202101-07",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202101-07"
},
{
"name": "FEDORA-2021-d5b2c18fe6",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
},
{
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20210212-0003/"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"name": "[debian-lts-announce] 20221205 [SECURITY] [DLA 3224-1] http-parser security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8287",
"datePublished": "2021-01-06T00:00:00.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2025-04-30T22:24:29.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15366 (GCVE-0-2020-15366)
Vulnerability from cvelistv5 – Published: 2020-07-15 19:14 – Updated: 2024-08-04 13:15
VLAI?
EPSS
Summary
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:15:20.438Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://hackerone.com/bugs?subject=user\u0026report_id=894259"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ajv-validator/ajv/tags"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ajv-validator/ajv/releases/tag/v6.12.3"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240621-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T19:08:28.352Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://hackerone.com/bugs?subject=user\u0026report_id=894259"
},
{
"url": "https://github.com/ajv-validator/ajv/tags"
},
{
"url": "https://github.com/ajv-validator/ajv/releases/tag/v6.12.3"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240621-0007/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15366",
"datePublished": "2020-07-15T19:14:07.000Z",
"dateReserved": "2020-06-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:15:20.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7774 (GCVE-0-2020-7774)
Vulnerability from cvelistv5 – Published: 2020-11-17 12:30 – Updated: 2024-09-16 20:13
VLAI?
EPSS
Title
Prototype Pollution
Summary
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Severity ?
CWE
- Prototype Pollution
Assigner
References
Credits
po6ix
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:41:01.338Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-Y18N-1021887"
},
{
"tags": [
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/yargs/y18n/pull/108"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/yargs/y18n/issues/96"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "y18n",
"vendor": "n/a",
"versions": [
{
"lessThan": "5.0.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "po6ix"
}
],
"datePublic": "2020-11-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 6.9,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Prototype Pollution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://snyk.io/vuln/SNYK-JS-Y18N-1021887"
},
{
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306"
},
{
"url": "https://github.com/yargs/y18n/pull/108"
},
{
"url": "https://github.com/yargs/y18n/issues/96"
},
{
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
}
],
"title": "Prototype Pollution"
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2020-7774",
"datePublished": "2020-11-17T12:30:20.482Z",
"dateReserved": "2020-01-21T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:13:29.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8265 (GCVE-0-2020-8265)
Vulnerability from cvelistv5 – Published: 2021-01-06 21:01 – Updated: 2025-04-30 22:24
VLAI?
EPSS
Summary
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
Severity ?
No CVSS data available.
CWE
- CWE-416 - Use After Free (CWE-416)
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NodeJS | Node |
Affected:
4.0 , < 4.*
(semver)
Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.23.1 (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.20.1 (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.15.4 (semver) Affected: 15.0 , < 15.5.1 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.971Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/988103"
},
{
"name": "DSA-4826",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4826"
},
{
"name": "FEDORA-2021-fb1a136393",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/"
},
{
"name": "GLSA-202101-07",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202101-07"
},
{
"name": "FEDORA-2021-d5b2c18fe6",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210212-0003/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Node",
"vendor": "NodeJS",
"versions": [
{
"lessThan": "4.*",
"status": "affected",
"version": "4.0",
"versionType": "semver"
},
{
"lessThan": "5.*",
"status": "affected",
"version": "5.0",
"versionType": "semver"
},
{
"lessThan": "6.*",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "7.*",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "8.*",
"status": "affected",
"version": "8.0",
"versionType": "semver"
},
{
"lessThan": "9.*",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "10.23.1",
"status": "affected",
"version": "10.0",
"versionType": "semver"
},
{
"lessThan": "11.*",
"status": "affected",
"version": "11.0",
"versionType": "semver"
},
{
"lessThan": "12.20.1",
"status": "affected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThan": "13.*",
"status": "affected",
"version": "13.0",
"versionType": "semver"
},
{
"lessThan": "14.15.4",
"status": "affected",
"version": "14.0",
"versionType": "semver"
},
{
"lessThan": "15.5.1",
"status": "affected",
"version": "15.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free (CWE-416)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T22:24:28.624Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/988103"
},
{
"name": "DSA-4826",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4826"
},
{
"name": "FEDORA-2021-fb1a136393",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/"
},
{
"name": "GLSA-202101-07",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202101-07"
},
{
"name": "FEDORA-2021-d5b2c18fe6",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210212-0003/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8265",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "https://github.com/nodejs/node",
"version": {
"version_data": [
{
"version_value": "Fixed in 10.23.1, 12.20.1, 14.15.4, 15.5.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Use After Free (CWE-416)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/",
"refsource": "MISC",
"url": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/"
},
{
"name": "https://hackerone.com/reports/988103",
"refsource": "MISC",
"url": "https://hackerone.com/reports/988103"
},
{
"name": "DSA-4826",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4826"
},
{
"name": "FEDORA-2021-fb1a136393",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/"
},
{
"name": "GLSA-202101-07",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202101-07"
},
{
"name": "FEDORA-2021-d5b2c18fe6",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210212-0003/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210212-0003/"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8265",
"datePublished": "2021-01-06T21:01:15.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2025-04-30T22:24:28.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7754 (GCVE-0-2020-7754)
Vulnerability from cvelistv5 – Published: 2020-10-27 15:05 – Updated: 2024-09-17 04:28
VLAI?
EPSS
Title
Regular Expression Denial of Service (ReDoS)
Summary
This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
Severity ?
7.5 (High)
CWE
- Regular Expression Denial of Service (ReDoS)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | npm-user-validate |
Affected:
unspecified , < 1.0.1
(custom)
|
Credits
Yeting Li
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:41:01.529Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019353"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "npm-user-validate",
"vendor": "n/a",
"versions": [
{
"lessThan": "1.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Yeting Li"
}
],
"datePublic": "2020-10-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-27T15:05:17.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019353"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e"
}
],
"title": "Regular Expression Denial of Service (ReDoS)",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2020-10-27T15:03:17.448791Z",
"ID": "CVE-2020-7754",
"STATE": "PUBLIC",
"TITLE": "Regular Expression Denial of Service (ReDoS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "npm-user-validate",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.0.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Yeting Li"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Regular Expression Denial of Service (ReDoS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019353",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019353"
},
{
"name": "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p",
"refsource": "MISC",
"url": "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p"
},
{
"name": "https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e",
"refsource": "MISC",
"url": "https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2020-7754",
"datePublished": "2020-10-27T15:05:18.052Z",
"dateReserved": "2020-01-21T00:00:00.000Z",
"dateUpdated": "2024-09-17T04:28:53.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7788 (GCVE-0-2020-7788)
Vulnerability from cvelistv5 – Published: 2020-12-11 10:45 – Updated: 2024-09-16 23:41
VLAI?
EPSS
Title
Prototype Pollution
Summary
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Severity ?
CWE
- Prototype Pollution
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Eugene Lim
Government Technology Agency Cyber Security Group
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:41:01.567Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-INI-1048974"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1"
},
{
"name": "[debian-lts-announce] 20201221 [SECURITY] [DLA 2503-1] node-ini security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ini",
"vendor": "n/a",
"versions": [
{
"lessThan": "1.3.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Eugene Lim"
},
{
"lang": "en",
"value": "Government Technology Agency Cyber Security Group"
}
],
"datePublic": "2020-12-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 6.9,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Prototype Pollution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-21T16:06:11.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-INI-1048974"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1"
},
{
"name": "[debian-lts-announce] 20201221 [SECURITY] [DLA 2503-1] node-ini security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html"
}
],
"title": "Prototype Pollution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2020-12-11T10:43:26.139627Z",
"ID": "CVE-2020-7788",
"STATE": "PUBLIC",
"TITLE": "Prototype Pollution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ini",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.3.6"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Eugene Lim"
},
{
"lang": "eng",
"value": "Government Technology Agency Cyber Security Group"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Prototype Pollution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-INI-1048974",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-INI-1048974"
},
{
"name": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1",
"refsource": "MISC",
"url": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1"
},
{
"name": "[debian-lts-announce] 20201221 [SECURITY] [DLA 2503-1] node-ini security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2020-7788",
"datePublished": "2020-12-11T10:45:14.077Z",
"dateReserved": "2020-01-21T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:41:44.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…