Логотип exploitDog
bind:"CVE-2023-30589" OR bind:"CVE-2023-30590" OR bind:"CVE-2023-30581" OR bind:"CVE-2023-30588"
Консоль
Логотип exploitDog

exploitDog

bind:"CVE-2023-30589" OR bind:"CVE-2023-30590" OR bind:"CVE-2023-30581" OR bind:"CVE-2023-30588"

Количество 51

Количество 51

oracle-oval логотип

ELSA-2023-12933

почти 2 года назад

ELSA-2023-12933: GraalVM Security update (IMPORTANT)

EPSS: Низкий
suse-cvrf логотип

SUSE-SU-2023:3408-1

около 2 лет назад

Security update for nodejs14

EPSS: Низкий
suse-cvrf логотип

SUSE-SU-2023:3306-1

около 2 лет назад

Security update for nodejs14

EPSS: Низкий
suse-cvrf логотип

SUSE-SU-2023:3455-1

около 2 лет назад

Security update for nodejs12

EPSS: Низкий
ubuntu логотип

CVE-2023-30589

больше 2 лет назад

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

CVSS3: 7.5
EPSS: Низкий
redhat логотип

CVE-2023-30589

больше 2 лет назад

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

CVSS3: 7.5
EPSS: Низкий
nvd логотип

CVE-2023-30589

больше 2 лет назад

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

CVSS3: 7.5
EPSS: Низкий
msrc логотип

CVE-2023-30589

больше 2 лет назад

CVSS3: 7.5
EPSS: Низкий
debian логотип

CVE-2023-30589

больше 2 лет назад

The llhttp parser in the http module in Node v20.2.0 does not strictly ...

CVSS3: 7.5
EPSS: Низкий
github логотип

GHSA-cggh-pq45-6h9x

больше 2 лет назад

llhttp vulnerable to HTTP request smuggling

CVSS3: 7.5
EPSS: Низкий
fstec логотип

BDU:2023-04893

больше 2 лет назад

Уязвимость программной платформы Node.js, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнять атаку "контрабанда HTTP-запросов"

CVSS3: 7.5
EPSS: Низкий
ubuntu логотип

CVE-2023-30590

почти 2 года назад

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.

CVSS3: 7.5
EPSS: Низкий
redhat логотип

CVE-2023-30590

больше 2 лет назад

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.

CVSS3: 7.5
EPSS: Низкий
nvd логотип

CVE-2023-30590

почти 2 года назад

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.

CVSS3: 7.5
EPSS: Низкий
debian логотип

CVE-2023-30590

почти 2 года назад

The generateKeys() API function returned from crypto.createDiffieHellm ...

CVSS3: 7.5
EPSS: Низкий
github логотип

GHSA-v63h-9gvh-2x49

почти 2 года назад

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.

CVSS3: 7.5
EPSS: Низкий
fstec логотип

BDU:2023-04930

больше 2 лет назад

Уязвимость функции generateKeys() программной платформы Node.js, позволяющая нарушителю обойти существующие ограничения безопасности

CVSS3: 5.3
EPSS: Низкий
ubuntu логотип

CVE-2023-30581

почти 2 года назад

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

CVSS3: 7.5
EPSS: Низкий
redhat логотип

CVE-2023-30581

больше 2 лет назад

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

CVSS3: 7.5
EPSS: Низкий
nvd логотип

CVE-2023-30581

почти 2 года назад

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

CVSS3: 7.5
EPSS: Низкий

Уязвимостей на страницу

Уязвимость
CVSS
EPSS
Опубликовано
oracle-oval логотип
ELSA-2023-12933

ELSA-2023-12933: GraalVM Security update (IMPORTANT)

почти 2 года назад
suse-cvrf логотип
SUSE-SU-2023:3408-1

Security update for nodejs14

около 2 лет назад
suse-cvrf логотип
SUSE-SU-2023:3306-1

Security update for nodejs14

около 2 лет назад
suse-cvrf логотип
SUSE-SU-2023:3455-1

Security update for nodejs12

около 2 лет назад
ubuntu логотип
CVE-2023-30589

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

CVSS3: 7.5
2%
Низкий
больше 2 лет назад
redhat логотип
CVE-2023-30589

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

CVSS3: 7.5
2%
Низкий
больше 2 лет назад
nvd логотип
CVE-2023-30589

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

CVSS3: 7.5
2%
Низкий
больше 2 лет назад
msrc логотип
CVSS3: 7.5
2%
Низкий
больше 2 лет назад
debian логотип
CVE-2023-30589

The llhttp parser in the http module in Node v20.2.0 does not strictly ...

CVSS3: 7.5
2%
Низкий
больше 2 лет назад
github логотип
GHSA-cggh-pq45-6h9x

llhttp vulnerable to HTTP request smuggling

CVSS3: 7.5
2%
Низкий
больше 2 лет назад
fstec логотип
BDU:2023-04893

Уязвимость программной платформы Node.js, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнять атаку "контрабанда HTTP-запросов"

CVSS3: 7.5
2%
Низкий
больше 2 лет назад
ubuntu логотип
CVE-2023-30590

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.

CVSS3: 7.5
1%
Низкий
почти 2 года назад
redhat логотип
CVE-2023-30590

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.

CVSS3: 7.5
1%
Низкий
больше 2 лет назад
nvd логотип
CVE-2023-30590

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.

CVSS3: 7.5
1%
Низкий
почти 2 года назад
debian логотип
CVE-2023-30590

The generateKeys() API function returned from crypto.createDiffieHellm ...

CVSS3: 7.5
1%
Низкий
почти 2 года назад
github логотип
GHSA-v63h-9gvh-2x49

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.

CVSS3: 7.5
1%
Низкий
почти 2 года назад
fstec логотип
BDU:2023-04930

Уязвимость функции generateKeys() программной платформы Node.js, позволяющая нарушителю обойти существующие ограничения безопасности

CVSS3: 5.3
1%
Низкий
больше 2 лет назад
ubuntu логотип
CVE-2023-30581

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

CVSS3: 7.5
0%
Низкий
почти 2 года назад
redhat логотип
CVE-2023-30581

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

CVSS3: 7.5
0%
Низкий
больше 2 лет назад
nvd логотип
CVE-2023-30581

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

CVSS3: 7.5
0%
Низкий
почти 2 года назад

Уязвимостей на страницу