Filtered by vendor Redhat
Subscriptions
Total
22970 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-22883 | 6 Fedoraproject, Netapp, Nodejs and 3 more | 12 Fedora, E-series Performance Analyzer, Node.js and 9 more | 2025-04-30 | 7.5 High |
| Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory. | ||||
| CVE-2020-8287 | 6 Debian, Fedoraproject, Nodejs and 3 more | 7 Debian Linux, Fedora, Node.js and 4 more | 2025-04-30 | 6.5 Medium |
| Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling. | ||||
| CVE-2020-8265 | 6 Debian, Fedoraproject, Nodejs and 3 more | 7 Debian Linux, Fedora, Node.js and 4 more | 2025-04-30 | 8.1 High |
| Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits. | ||||
| CVE-2020-8277 | 5 C-ares Project, Fedoraproject, Nodejs and 2 more | 10 C-ares, Fedora, Node.js and 7 more | 2025-04-30 | 7.5 High |
| A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1. | ||||
| CVE-2020-8252 | 4 Fedoraproject, Nodejs, Opensuse and 1 more | 6 Fedora, Node.js, Leap and 3 more | 2025-04-30 | 7.8 High |
| The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes. | ||||
| CVE-2020-8201 | 4 Fedoraproject, Nodejs, Opensuse and 1 more | 6 Fedora, Node.js, Leap and 3 more | 2025-04-30 | 7.4 High |
| Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names. | ||||
| CVE-2019-15606 | 5 Debian, Nodejs, Opensuse and 2 more | 9 Debian Linux, Node.js, Leap and 6 more | 2025-04-30 | 9.8 Critical |
| Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons | ||||
| CVE-2019-15605 | 6 Debian, Fedoraproject, Nodejs and 3 more | 16 Debian Linux, Fedora, Node.js and 13 more | 2025-04-30 | 9.8 Critical |
| HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed | ||||
| CVE-2019-15604 | 5 Debian, Nodejs, Opensuse and 2 more | 12 Debian Linux, Node.js, Leap and 9 more | 2025-04-30 | 7.5 High |
| Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate | ||||
| CVE-2024-50602 | 2 Libexpat Project, Redhat | 3 Libexpat, Enterprise Linux, Rhel Eus | 2025-04-30 | 5.9 Medium |
| An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser. | ||||
| CVE-2024-11235 | 2 Php, Redhat | 2 Php, Enterprise Linux | 2025-04-30 | 8.1 High |
| In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution. | ||||
| CVE-2024-39331 | 2 Gnu, Redhat | 6 Emacs, Enterprise Linux, Rhel Aus and 3 more | 2025-04-30 | 9.8 Critical |
| In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5. | ||||
| CVE-2024-53920 | 2 Gnu, Redhat | 3 Emacs, Enterprise Linux, Rhel Eus | 2025-04-30 | 7.8 High |
| In elisp-mode.el in GNU Emacs before 30.1, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.) | ||||
| CVE-2024-56406 | 2 Perl, Redhat | 2 Perl, Enterprise Linux | 2025-04-30 | 8.6 High |
| A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`. $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;' Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses. | ||||
| CVE-2022-45381 | 2 Jenkins, Redhat | 2 Pipeline Utility Steps, Openshift | 2025-04-30 | 8.1 High |
| Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system. | ||||
| CVE-2022-45380 | 2 Jenkins, Redhat | 2 Junit, Openshift | 2025-04-30 | 5.4 Medium |
| Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | ||||
| CVE-2023-23920 | 3 Debian, Nodejs, Redhat | 5 Debian Linux, Node.js, Enterprise Linux and 2 more | 2025-04-30 | 4.2 Medium |
| An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges. | ||||
| CVE-2023-23919 | 2 Nodejs, Redhat | 2 Node.js, Enterprise Linux | 2025-04-30 | 7.5 High |
| A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service. | ||||
| CVE-2022-43548 | 3 Debian, Nodejs, Redhat | 5 Debian Linux, Node.js, Enterprise Linux and 2 more | 2025-04-30 | 8.1 High |
| A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix. | ||||
| CVE-2022-35255 | 4 Debian, Nodejs, Redhat and 1 more | 4 Debian Linux, Node.js, Enterprise Linux and 1 more | 2025-04-30 | 9.1 Critical |
| A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material. | ||||