oss-sec mailing list archives

various vulnerabilities in Node.js packages


From: cve-assign () mitre org
Date: Wed, 20 Apr 2016 17:16:24 -0400 (EDT)


The CVE Assignment Team received a request (on an unexpected mailing
list) for CVE IDs for several Node.js packages. Because everything was
open source and post-disclosure, we are sending IDs here instead.


https://nodesecurity.io/advisories/23

marked package before 0.3.4 for Node.js - ReDoS

Use CVE-2015-8854.



https://nodesecurity.io/advisories/28

The qs module has neither an option nor a default limit for object
depth, so parsing a string that represents a deeply nested object
blocks the event loop for long periods of time. An attacker could
leverage this to cause a temporary denial-of-service condition: in a
web application, for example, no other requests would be processed
while this blocking is occurring.

This does not have a CVE ID, as discussed in the
http://www.openwall.com/lists/oss-security/2014/09/30/10 post.
 


https://nodesecurity.io/advisories/31

semver package before 4.3.2 for Node.js - ReDoS
 
Use CVE-2015-8855.



https://nodesecurity.io/advisories/34

serve-index package before 1.6.3 for Node.js - XSS

Use CVE-2015-8856.

 

https://nodesecurity.io/advisories/37

syntax-error

Use CVE-2014-7192 as described in the
http://www.openwall.com/lists/oss-security/2014/09/30/10 post and the
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7192 page.



https://nodesecurity.io/advisories/39

uglify-js package before 2.4.24 for Node.js - non-boolean comparison mishandling

Use CVE-2015-8857.

 

https://nodesecurity.io/advisories/41

validator package before 1.1.0 for Node.js

XSS filter bypass - nested tags               Use CVE-2013-7451.

XSS filter bypass - javascript: URIs          Use CVE-2013-7452.

XSS filter bypass - UI redressing             Use CVE-2013-7453.

XSS filter bypass - nested forbidden strings  Use CVE-2013-7454.
 


https://nodesecurity.io/advisories/43

validator package before 2.0.0 for Node.js - XSS filter bypass - hex encoding

Use CVE-2014-9772.



https://nodesecurity.io/advisories/46

ms package before 0.7.0 for Node.js - ReDoS

Use CVE-2015-8315.

 

https://nodesecurity.io/advisories/48

uglify-js package before 2.6.0 for Node.js - ReDoS

Use CVE-2015-8858.

 

https://nodesecurity.io/advisories/55

moment package before 2.11.2 for Node.js - ReDoS

Use CVE-2016-4055.

 

https://nodesecurity.io/advisories/56

send package before 0.11.1 for Node.js - path disclosure

Use CVE-2015-8859.

 

https://nodesecurity.io/advisories/57

tar package before 2.0.0 for Node.js - symlink mishandling

Use CVE-2015-8860.

 

https://nodesecurity.io/advisories/61

handlebars package before 4.0.0 for Node.js - injection

Use CVE-2015-8861.
 


https://nodesecurity.io/advisories/62

mustache package before 2.2.1 for Node.js - injection

Use CVE-2015-8862.

 

https://nodesecurity.io/advisories/76

is-my-json-valid - Use CVE-2016-2537 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2537



https://nodesecurity.io/advisories/77

hawk - Use CVE-2016-2515 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2515

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]

