From ce0dee412e00f40da730b4f7a921339cfb156e0d Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Thu, 15 Feb 2024 16:42:15 -0300 Subject: [PATCH] vuln: add latest security release vulnerabilities --- vuln/core/131.json | 8 ++++++++ vuln/core/132.json | 8 ++++++++ vuln/core/133.json | 8 ++++++++ vuln/core/134.json | 8 ++++++++ vuln/core/135.json | 8 ++++++++ vuln/core/136.json | 8 ++++++++ vuln/core/137.json | 8 ++++++++ vuln/core/138.json | 8 ++++++++ 8 files changed, 64 insertions(+) create mode 100644 vuln/core/131.json create mode 100644 vuln/core/132.json create mode 100644 vuln/core/133.json create mode 100644 vuln/core/134.json create mode 100644 vuln/core/135.json create mode 100644 vuln/core/136.json create mode 100644 vuln/core/137.json create mode 100644 vuln/core/138.json diff --git a/vuln/core/131.json b/vuln/core/131.json new file mode 100644 index 00000000..69e9c896 --- /dev/null +++ b/vuln/core/131.json @@ -0,0 +1,8 @@ +{ + "cve": ["CVE-2023-46809"], + "vulnerable": "18.x || 20.x || 21.x", + "patched": "^18.19.1 || ^20.11.1 || ^21.6.2", + "ref": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/", + "overview": "A vulnerability in the privateDecrypt() API of the crypto library, allowed a covert timing side-channel during PKCS#1 v1.5 padding error handling.", + "affectedEnvironments": ["all"] +} diff --git a/vuln/core/132.json b/vuln/core/132.json new file mode 100644 index 00000000..876c4929 --- /dev/null +++ b/vuln/core/132.json @@ -0,0 +1,8 @@ +{ + "cve": ["CVE-2024-21891"], + "vulnerable": "20.x || 21.x", + "patched": "^20.11.1 || ^21.6.2", + "ref": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/", + "overview": "Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack.", + "affectedEnvironments": ["all"] +} diff --git a/vuln/core/133.json b/vuln/core/133.json new file mode 100644 index 00000000..577633d8 --- /dev/null +++ b/vuln/core/133.json @@ -0,0 +1,8 @@ +{ + "cve": ["CVE-2024-21890"], + "vulnerable": "20.x || 21.x", + "patched": "^20.11.1 || ^21.6.2", + "ref": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/", + "overview": "Improper handling of wildcards in --allow-fs-read and --allow-fs-write", + "affectedEnvironments": ["all"] +} diff --git a/vuln/core/134.json b/vuln/core/134.json new file mode 100644 index 00000000..77db40ce --- /dev/null +++ b/vuln/core/134.json @@ -0,0 +1,8 @@ +{ + "cve": ["CVE-2024-21892"], + "vulnerable": "18.x || 20.x || 21.x", + "patched": "^18.19.1 || ^20.11.1 || ^21.6.2", + "ref": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/", + "overview": "Code injection and privilege escalation through Linux capabilities", + "affectedEnvironments": ["all"] +} diff --git a/vuln/core/135.json b/vuln/core/135.json new file mode 100644 index 00000000..b96311df --- /dev/null +++ b/vuln/core/135.json @@ -0,0 +1,8 @@ +{ + "cve": ["CVE-2024-22019"], + "vulnerable": "18.x || 20.x || 21.x", + "patched": "^18.19.1 || ^20.11.1 || ^21.6.2", + "ref": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/", + "overview": "A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS).", + "affectedEnvironments": ["all"] +} diff --git a/vuln/core/136.json b/vuln/core/136.json new file mode 100644 index 00000000..c294da7c --- /dev/null +++ b/vuln/core/136.json @@ -0,0 +1,8 @@ +{ + "cve": ["CVE-2024-21896"], + "vulnerable": "20.x || 21.x", + "patched": "^20.11.1 || ^21.6.2", + "ref": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/", + "overview": "The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve().", + "affectedEnvironments": ["all"] +} diff --git a/vuln/core/137.json b/vuln/core/137.json new file mode 100644 index 00000000..23119168 --- /dev/null +++ b/vuln/core/137.json @@ -0,0 +1,8 @@ +{ + "cve": ["CVE-2024-22017"], + "vulnerable": "20.x || 21.x", + "patched": "^20.11.1 || ^21.6.2", + "ref": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/", + "overview": "setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid()", + "affectedEnvironments": ["all"] +} diff --git a/vuln/core/138.json b/vuln/core/138.json new file mode 100644 index 00000000..733d8ed7 --- /dev/null +++ b/vuln/core/138.json @@ -0,0 +1,8 @@ +{ + "cve": ["CVE-2024-22025"], + "vulnerable": "18.x || 20.x || 21.x", + "patched": "^18.19.1 || ^20.11.1 || ^21.6.2", + "ref": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/", + "overview": "A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL.", + "affectedEnvironments": ["all"] +}