Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2018-12120 (GCVE-0-2018-12120)
Vulnerability from cvelistv5
Published
2018-11-28 17:00
Modified
2024-08-05 08:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-419 - Unprotected Primary Channel
Summary
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.
References
| URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Node.js Project | Node.js |
Version: All versions prior to Node.js 6.15.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:24:03.745Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106040",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106040"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "All versions prior to Node.js 6.15.0"
}
]
}
],
"datePublic": "2018-11-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-419",
"description": "CWE-419: Unprotected Primary Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-11-29T10:57:01",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106040",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106040"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2018-12120",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to Node.js 6.15.0"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-419: Unprotected Primary Channel"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106040",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106040"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-12120",
"datePublished": "2018-11-28T17:00:00",
"dateReserved": "2018-06-11T00:00:00",
"dateUpdated": "2024-08-05T08:24:03.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2018-12120\",\"sourceIdentifier\":\"cve-request@iojs.org\",\"published\":\"2018-11-28T17:29:00.290\",\"lastModified\":\"2024-11-21T03:44:38.050\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.\"},{\"lang\":\"es\",\"value\":\"Node.js: Todas las versiones anteriores a la 6.15.0: El puerto de depuraci\u00f3n 5858 escucha en cualquier interfaz por defecto. Cuando el depurador est\u00e1 habilitado con \\\"node --debug\\\" o \\\"node debug\\\", escucha en el puerto 5858 en todas las interfaces por defecto. Esto podr\u00eda permitir que los ordenadores remotos se conecten al puerto de depuraci\u00f3n y eval\u00faen JavaScript arbitrario. La interfaz por defecto es ahora localhost. Siempre ha sido posible iniciar el depurador en una interfaz concreta, como \\\"node --debug=localhost\\\". El depurador fue eliminado en Node.js 8 y se sustituy\u00f3 por el inspector, por lo que no hay versiones vulnerables a partir de la 8.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cve-request@iojs.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-419\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-829\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndExcluding\":\"6.15.0\",\"matchCriteriaId\":\"30C30A13-A774-48C1-A0FC-1F31327DE909\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/106040\",\"source\":\"cve-request@iojs.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/\",\"source\":\"cve-request@iojs.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/106040\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
}
}
CERTFR-2021-AVI-146
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans F5 BIG-IP. Elles permettent à un attaquant de provoquer un déni de service à distance et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| F5 | BIG-IP | BIG-IP (WebSafe) versions 14.x antérieures à 14.1.0 | ||
| F5 | BIG-IP | BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 13.x antérieures à 13.1.3.2 | ||
| F5 | BIG-IP | BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 11.x antérieures à 11.6.5.1 | ||
| F5 | BIG-IP | BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 14.x antérieures à 14.1.2.1 | ||
| F5 | BIG-IP | BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 15.0.x antérieures à 15.0.1.1 | ||
| F5 | BIG-IP | BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 12.x antérieures à 12.1.5.1 |
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "BIG-IP (WebSafe) versions 14.x ant\u00e9rieures \u00e0 14.1.0",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 13.x ant\u00e9rieures \u00e0 13.1.3.2",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 11.x ant\u00e9rieures \u00e0 11.6.5.1",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 14.x ant\u00e9rieures \u00e0 14.1.2.1",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 15.0.x ant\u00e9rieures \u00e0 15.0.1.1",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 12.x ant\u00e9rieures \u00e0 12.1.5.1",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2018-12120",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12120"
},
{
"name": "CVE-2018-2815",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-2815"
},
{
"name": "CVE-2016-10708",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10708"
},
{
"name": "CVE-2018-2795",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-2795"
},
{
"name": "CVE-2019-11479",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11479"
},
{
"name": "CVE-2018-2783",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-2783"
}
],
"initial_release_date": "2021-02-25T00:00:00",
"last_revision_date": "2021-02-25T00:00:00",
"links": [],
"reference": "CERTFR-2021-AVI-146",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-02-25T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans F5 BIG-IP. Elles\npermettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance et\nune atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans F5 BIG-IP",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 F5 K15217245 du 11 mai 2018",
"url": "https://support.f5.com/csp/article/K15217245"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 F5 K70321874 du 11 mai 2018",
"url": "https://support.f5.com/csp/article/K70321874"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 F5 K32485746 du 12 avril 2018",
"url": "https://support.f5.com/csp/article/K32485746"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 F5 K44923228 du 10 mai 2018",
"url": "https://support.f5.com/csp/article/K44923228"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 F5 K35421172 du 19 juin 2019",
"url": "https://support.f5.com/csp/article/K35421172"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 F5 K37111863 du 15 d\u00e9cembre 2018",
"url": "https://support.f5.com/csp/article/K37111863"
}
]
}
gsd-2018-12120
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2018-12120",
"description": "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.",
"id": "GSD-2018-12120",
"references": [
"https://www.suse.com/security/cve/CVE-2018-12120.html",
"https://advisories.mageia.org/CVE-2018-12120.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2018-12120"
],
"details": "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.",
"id": "GSD-2018-12120",
"modified": "2023-12-13T01:22:29.852550Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2018-12120",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to Node.js 6.15.0"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-419: Unprotected Primary Channel"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106040",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106040"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.15.0",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2018-12120"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-829"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory",
"Patch"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106040",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106040"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9
}
},
"lastModifiedDate": "2022-09-06T18:00Z",
"publishedDate": "2018-11-28T17:29Z"
}
}
}
ghsa-8fqw-43x4-4q75
Vulnerability from github
Published
2022-05-13 01:34
Modified
2022-05-13 01:34
Severity ?
VLAI Severity ?
Details
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with node --debug or node debug, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as node --debug=localhost. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.
{
"affected": [],
"aliases": [
"CVE-2018-12120"
],
"database_specific": {
"cwe_ids": [
"CWE-829"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-28T17:29:00Z",
"severity": "HIGH"
},
"details": "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.",
"id": "GHSA-8fqw-43x4-4q75",
"modified": "2022-05-13T01:34:48Z",
"published": "2022-05-13T01:34:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12120"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106040"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
suse-su-2019:0117-1
Vulnerability from csaf_suse
Published
2019-01-18 10:52
Modified
2019-01-18 10:52
Summary
Security update for nodejs4
Notes
Title of the patch
Security update for nodejs4
Description of the patch
This update for nodejs4 fixes the following issues:
Security issues fixed:
- CVE-2018-0734: Fixed a timing vulnerability in the DSA signature generation (bsc#1113652)
- CVE-2018-5407: Fixed a hyperthread port content side channel attack (aka 'PortSmash') (bsc#1113534)
- CVE-2018-12120: Fixed that the debugger listens on any interface by default (bsc#1117625)
- CVE-2018-12121: Fixed a denial of Service with large HTTP headers (bsc#1117626)
- CVE-2018-12122: Fixed the 'Slowloris' HTTP Denial of Service (bsc#1117627)
- CVE-2018-12116: Fixed HTTP request splitting (bsc#1117630)
- CVE-2018-12123: Fixed hostname spoofing in URL parser for javascript protocol (bsc#1117629)
Patchnames
SUSE-2019-117,SUSE-SLE-Module-Web-Scripting-12-2019-117,SUSE-Storage-4-2019-117
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nodejs4",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nodejs4 fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2018-0734: Fixed a timing vulnerability in the DSA signature generation (bsc#1113652)\n- CVE-2018-5407: Fixed a hyperthread port content side channel attack (aka \u0027PortSmash\u0027) (bsc#1113534)\n- CVE-2018-12120: Fixed that the debugger listens on any interface by default (bsc#1117625)\n- CVE-2018-12121: Fixed a denial of Service with large HTTP headers (bsc#1117626)\n- CVE-2018-12122: Fixed the \u0027Slowloris\u0027 HTTP Denial of Service (bsc#1117627)\n- CVE-2018-12116: Fixed HTTP request splitting (bsc#1117630)\n- CVE-2018-12123: Fixed hostname spoofing in URL parser for javascript protocol (bsc#1117629)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2019-117,SUSE-SLE-Module-Web-Scripting-12-2019-117,SUSE-Storage-4-2019-117",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2019_0117-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2019:0117-1",
"url": "https://www.suse.com/support/update/announcement/2019/suse-su-20190117-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2019:0117-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2019-January/005042.html"
},
{
"category": "self",
"summary": "SUSE Bug 1113534",
"url": "https://bugzilla.suse.com/1113534"
},
{
"category": "self",
"summary": "SUSE Bug 1113652",
"url": "https://bugzilla.suse.com/1113652"
},
{
"category": "self",
"summary": "SUSE Bug 1117625",
"url": "https://bugzilla.suse.com/1117625"
},
{
"category": "self",
"summary": "SUSE Bug 1117626",
"url": "https://bugzilla.suse.com/1117626"
},
{
"category": "self",
"summary": "SUSE Bug 1117627",
"url": "https://bugzilla.suse.com/1117627"
},
{
"category": "self",
"summary": "SUSE Bug 1117629",
"url": "https://bugzilla.suse.com/1117629"
},
{
"category": "self",
"summary": "SUSE Bug 1117630",
"url": "https://bugzilla.suse.com/1117630"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-0734 page",
"url": "https://www.suse.com/security/cve/CVE-2018-0734/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-12116 page",
"url": "https://www.suse.com/security/cve/CVE-2018-12116/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-12120 page",
"url": "https://www.suse.com/security/cve/CVE-2018-12120/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-12121 page",
"url": "https://www.suse.com/security/cve/CVE-2018-12121/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-12122 page",
"url": "https://www.suse.com/security/cve/CVE-2018-12122/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-12123 page",
"url": "https://www.suse.com/security/cve/CVE-2018-12123/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-5407 page",
"url": "https://www.suse.com/security/cve/CVE-2018-5407/"
}
],
"title": "Security update for nodejs4",
"tracking": {
"current_release_date": "2019-01-18T10:52:41Z",
"generator": {
"date": "2019-01-18T10:52:41Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2019:0117-1",
"initial_release_date": "2019-01-18T10:52:41Z",
"revision_history": [
{
"date": "2019-01-18T10:52:41Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "nodejs4-4.9.1-15.17.1.aarch64",
"product": {
"name": "nodejs4-4.9.1-15.17.1.aarch64",
"product_id": "nodejs4-4.9.1-15.17.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs4-devel-4.9.1-15.17.1.aarch64",
"product": {
"name": "nodejs4-devel-4.9.1-15.17.1.aarch64",
"product_id": "nodejs4-devel-4.9.1-15.17.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm4-4.9.1-15.17.1.aarch64",
"product": {
"name": "npm4-4.9.1-15.17.1.aarch64",
"product_id": "npm4-4.9.1-15.17.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs4-4.9.1-15.17.1.i586",
"product": {
"name": "nodejs4-4.9.1-15.17.1.i586",
"product_id": "nodejs4-4.9.1-15.17.1.i586"
}
},
{
"category": "product_version",
"name": "nodejs4-devel-4.9.1-15.17.1.i586",
"product": {
"name": "nodejs4-devel-4.9.1-15.17.1.i586",
"product_id": "nodejs4-devel-4.9.1-15.17.1.i586"
}
},
{
"category": "product_version",
"name": "npm4-4.9.1-15.17.1.i586",
"product": {
"name": "npm4-4.9.1-15.17.1.i586",
"product_id": "npm4-4.9.1-15.17.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs4-docs-4.9.1-15.17.1.noarch",
"product": {
"name": "nodejs4-docs-4.9.1-15.17.1.noarch",
"product_id": "nodejs4-docs-4.9.1-15.17.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs4-4.9.1-15.17.1.ppc64le",
"product": {
"name": "nodejs4-4.9.1-15.17.1.ppc64le",
"product_id": "nodejs4-4.9.1-15.17.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs4-devel-4.9.1-15.17.1.ppc64le",
"product": {
"name": "nodejs4-devel-4.9.1-15.17.1.ppc64le",
"product_id": "nodejs4-devel-4.9.1-15.17.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm4-4.9.1-15.17.1.ppc64le",
"product": {
"name": "npm4-4.9.1-15.17.1.ppc64le",
"product_id": "npm4-4.9.1-15.17.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs4-4.9.1-15.17.1.x86_64",
"product": {
"name": "nodejs4-4.9.1-15.17.1.x86_64",
"product_id": "nodejs4-4.9.1-15.17.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs4-devel-4.9.1-15.17.1.x86_64",
"product": {
"name": "nodejs4-devel-4.9.1-15.17.1.x86_64",
"product_id": "nodejs4-devel-4.9.1-15.17.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm4-4.9.1-15.17.1.x86_64",
"product": {
"name": "npm4-4.9.1-15.17.1.x86_64",
"product_id": "npm4-4.9.1-15.17.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Web and Scripting 12",
"product": {
"name": "SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-web-scripting:12"
}
}
},
{
"category": "product_name",
"name": "SUSE Enterprise Storage 4",
"product": {
"name": "SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:ses:4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-4.9.1-15.17.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64"
},
"product_reference": "nodejs4-4.9.1-15.17.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-4.9.1-15.17.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le"
},
"product_reference": "nodejs4-4.9.1-15.17.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-4.9.1-15.17.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64"
},
"product_reference": "nodejs4-4.9.1-15.17.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-devel-4.9.1-15.17.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64"
},
"product_reference": "nodejs4-devel-4.9.1-15.17.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-devel-4.9.1-15.17.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le"
},
"product_reference": "nodejs4-devel-4.9.1-15.17.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-devel-4.9.1-15.17.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64"
},
"product_reference": "nodejs4-devel-4.9.1-15.17.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-docs-4.9.1-15.17.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch"
},
"product_reference": "nodejs4-docs-4.9.1-15.17.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm4-4.9.1-15.17.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64"
},
"product_reference": "npm4-4.9.1-15.17.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm4-4.9.1-15.17.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le"
},
"product_reference": "npm4-4.9.1-15.17.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm4-4.9.1-15.17.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
},
"product_reference": "npm4-4.9.1-15.17.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-4.9.1-15.17.1.aarch64 as component of SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64"
},
"product_reference": "nodejs4-4.9.1-15.17.1.aarch64",
"relates_to_product_reference": "SUSE Enterprise Storage 4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-4.9.1-15.17.1.x86_64 as component of SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64"
},
"product_reference": "nodejs4-4.9.1-15.17.1.x86_64",
"relates_to_product_reference": "SUSE Enterprise Storage 4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-0734",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-0734"
}
],
"notes": [
{
"category": "general",
"text": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-0734",
"url": "https://www.suse.com/security/cve/CVE-2018-0734"
},
{
"category": "external",
"summary": "SUSE Bug 1113534 for CVE-2018-0734",
"url": "https://bugzilla.suse.com/1113534"
},
{
"category": "external",
"summary": "SUSE Bug 1113652 for CVE-2018-0734",
"url": "https://bugzilla.suse.com/1113652"
},
{
"category": "external",
"summary": "SUSE Bug 1113742 for CVE-2018-0734",
"url": "https://bugzilla.suse.com/1113742"
},
{
"category": "external",
"summary": "SUSE Bug 1122198 for CVE-2018-0734",
"url": "https://bugzilla.suse.com/1122198"
},
{
"category": "external",
"summary": "SUSE Bug 1122212 for CVE-2018-0734",
"url": "https://bugzilla.suse.com/1122212"
},
{
"category": "external",
"summary": "SUSE Bug 1126909 for CVE-2018-0734",
"url": "https://bugzilla.suse.com/1126909"
},
{
"category": "external",
"summary": "SUSE Bug 1148697 for CVE-2018-0734",
"url": "https://bugzilla.suse.com/1148697"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-01-18T10:52:41Z",
"details": "moderate"
}
],
"title": "CVE-2018-0734"
},
{
"cve": "CVE-2018-12116",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-12116"
}
],
"notes": [
{
"category": "general",
"text": "Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-12116",
"url": "https://www.suse.com/security/cve/CVE-2018-12116"
},
{
"category": "external",
"summary": "SUSE Bug 1117630 for CVE-2018-12116",
"url": "https://bugzilla.suse.com/1117630"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-01-18T10:52:41Z",
"details": "moderate"
}
],
"title": "CVE-2018-12116"
},
{
"cve": "CVE-2018-12120",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-12120"
}
],
"notes": [
{
"category": "general",
"text": "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-12120",
"url": "https://www.suse.com/security/cve/CVE-2018-12120"
},
{
"category": "external",
"summary": "SUSE Bug 1117625 for CVE-2018-12120",
"url": "https://bugzilla.suse.com/1117625"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-01-18T10:52:41Z",
"details": "critical"
}
],
"title": "CVE-2018-12120"
},
{
"cve": "CVE-2018-12121",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-12121"
}
],
"notes": [
{
"category": "general",
"text": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-12121",
"url": "https://www.suse.com/security/cve/CVE-2018-12121"
},
{
"category": "external",
"summary": "SUSE Bug 1117626 for CVE-2018-12121",
"url": "https://bugzilla.suse.com/1117626"
},
{
"category": "external",
"summary": "SUSE Bug 1127532 for CVE-2018-12121",
"url": "https://bugzilla.suse.com/1127532"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-01-18T10:52:41Z",
"details": "important"
}
],
"title": "CVE-2018-12121"
},
{
"cve": "CVE-2018-12122",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-12122"
}
],
"notes": [
{
"category": "general",
"text": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-12122",
"url": "https://www.suse.com/security/cve/CVE-2018-12122"
},
{
"category": "external",
"summary": "SUSE Bug 1117627 for CVE-2018-12122",
"url": "https://bugzilla.suse.com/1117627"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-01-18T10:52:41Z",
"details": "important"
}
],
"title": "CVE-2018-12122"
},
{
"cve": "CVE-2018-12123",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-12123"
}
],
"notes": [
{
"category": "general",
"text": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case \"javascript:\" (e.g. \"javAscript:\") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-12123",
"url": "https://www.suse.com/security/cve/CVE-2018-12123"
},
{
"category": "external",
"summary": "SUSE Bug 1117629 for CVE-2018-12123",
"url": "https://bugzilla.suse.com/1117629"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-01-18T10:52:41Z",
"details": "moderate"
}
],
"title": "CVE-2018-12123"
},
{
"cve": "CVE-2018-5407",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-5407"
}
],
"notes": [
{
"category": "general",
"text": "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on \u0027port contention\u0027.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-5407",
"url": "https://www.suse.com/security/cve/CVE-2018-5407"
},
{
"category": "external",
"summary": "SUSE Bug 1113534 for CVE-2018-5407",
"url": "https://bugzilla.suse.com/1113534"
},
{
"category": "external",
"summary": "SUSE Bug 1116195 for CVE-2018-5407",
"url": "https://bugzilla.suse.com/1116195"
},
{
"category": "external",
"summary": "SUSE Bug 1126909 for CVE-2018-5407",
"url": "https://bugzilla.suse.com/1126909"
},
{
"category": "external",
"summary": "SUSE Bug 1148697 for CVE-2018-5407",
"url": "https://bugzilla.suse.com/1148697"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.17.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.17.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.17.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-01-18T10:52:41Z",
"details": "moderate"
}
],
"title": "CVE-2018-5407"
}
]
}
suse-su-2019:0395-1
Vulnerability from csaf_suse
Published
2019-02-14 13:59
Modified
2019-02-14 13:59
Summary
Security update for nodejs6
Notes
Title of the patch
Security update for nodejs6
Description of the patch
This update for nodejs6 to version 6.16.0 fixes the following issues:
Security issues fixed:
- CVE-2018-0734: Fixed a timing vulnerability in the DSA signature generation (bsc#1113652)
- CVE-2018-5407: Fixed a hyperthread port content side channel attack (aka 'PortSmash') (bsc#1113534)
- CVE-2018-12120: Fixed that the debugger listens on any interface by default (bsc#1117625)
- CVE-2018-12121: Fixed a denial of Service with large HTTP headers (bsc#1117626)
- CVE-2018-12122: Fixed the 'Slowloris' HTTP Denial of Service (bsc#1117627)
- CVE-2018-12116: Fixed HTTP request splitting (bsc#1117630)
- CVE-2018-12123: Fixed hostname spoofing in URL parser for javascript protocol (bsc#1117629)
Patchnames
SUSE-2019-395,SUSE-OpenStack-Cloud-7-2019-395,SUSE-OpenStack-Cloud-Crowbar-8-2019-395,SUSE-SLE-Module-Web-Scripting-12-2019-395,SUSE-Storage-4-2019-395
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nodejs6",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nodejs6 to version 6.16.0 fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2018-0734: Fixed a timing vulnerability in the DSA signature generation (bsc#1113652)\n- CVE-2018-5407: Fixed a hyperthread port content side channel attack (aka \u0027PortSmash\u0027) (bsc#1113534)\n- CVE-2018-12120: Fixed that the debugger listens on any interface by default (bsc#1117625)\n- CVE-2018-12121: Fixed a denial of Service with large HTTP headers (bsc#1117626)\n- CVE-2018-12122: Fixed the \u0027Slowloris\u0027 HTTP Denial of Service (bsc#1117627)\n- CVE-2018-12116: Fixed HTTP request splitting (bsc#1117630)\n- CVE-2018-12123: Fixed hostname spoofing in URL parser for javascript protocol (bsc#1117629)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2019-395,SUSE-OpenStack-Cloud-7-2019-395,SUSE-OpenStack-Cloud-Crowbar-8-2019-395,SUSE-SLE-Module-Web-Scripting-12-2019-395,SUSE-Storage-4-2019-395",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2019_0395-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2019:0395-1",
"url": "https://www.suse.com/support/update/announcement/2019/suse-su-20190395-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2019:0395-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2019-February/005121.html"
},
{
"category": "self",
"summary": "SUSE Bug 1113534",
"url": "https://bugzilla.suse.com/1113534"
},
{
"category": "self",
"summary": "SUSE Bug 1113652",
"url": "https://bugzilla.suse.com/1113652"
},
{
"category": "self",
"summary": "SUSE Bug 1117625",
"url": "https://bugzilla.suse.com/1117625"
},
{
"category": "self",
"summary": "SUSE Bug 1117626",
"url": "https://bugzilla.suse.com/1117626"
},
{
"category": "self",
"summary": "SUSE Bug 1117627",
"url": "https://bugzilla.suse.com/1117627"
},
{
"category": "self",
"summary": "SUSE Bug 1117629",
"url": "https://bugzilla.suse.com/1117629"
},
{
"category": "self",
"summary": "SUSE Bug 1117630",
"url": "https://bugzilla.suse.com/1117630"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-0734 page",
"url": "https://www.suse.com/security/cve/CVE-2018-0734/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-12116 page",
"url": "https://www.suse.com/security/cve/CVE-2018-12116/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-12120 page",
"url": "https://www.suse.com/security/cve/CVE-2018-12120/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-12121 page",
"url": "https://www.suse.com/security/cve/CVE-2018-12121/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-12122 page",
"url": "https://www.suse.com/security/cve/CVE-2018-12122/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-12123 page",
"url": "https://www.suse.com/security/cve/CVE-2018-12123/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-5407 page",
"url": "https://www.suse.com/security/cve/CVE-2018-5407/"
}
],
"title": "Security update for nodejs6",
"tracking": {
"current_release_date": "2019-02-14T13:59:06Z",
"generator": {
"date": "2019-02-14T13:59:06Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2019:0395-1",
"initial_release_date": "2019-02-14T13:59:06Z",
"revision_history": [
{
"date": "2019-02-14T13:59:06Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "nodejs6-6.16.0-11.21.1.aarch64",
"product": {
"name": "nodejs6-6.16.0-11.21.1.aarch64",
"product_id": "nodejs6-6.16.0-11.21.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs6-devel-6.16.0-11.21.1.aarch64",
"product": {
"name": "nodejs6-devel-6.16.0-11.21.1.aarch64",
"product_id": "nodejs6-devel-6.16.0-11.21.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm6-6.16.0-11.21.1.aarch64",
"product": {
"name": "npm6-6.16.0-11.21.1.aarch64",
"product_id": "npm6-6.16.0-11.21.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs6-6.16.0-11.21.1.i586",
"product": {
"name": "nodejs6-6.16.0-11.21.1.i586",
"product_id": "nodejs6-6.16.0-11.21.1.i586"
}
},
{
"category": "product_version",
"name": "nodejs6-devel-6.16.0-11.21.1.i586",
"product": {
"name": "nodejs6-devel-6.16.0-11.21.1.i586",
"product_id": "nodejs6-devel-6.16.0-11.21.1.i586"
}
},
{
"category": "product_version",
"name": "npm6-6.16.0-11.21.1.i586",
"product": {
"name": "npm6-6.16.0-11.21.1.i586",
"product_id": "npm6-6.16.0-11.21.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs6-docs-6.16.0-11.21.1.noarch",
"product": {
"name": "nodejs6-docs-6.16.0-11.21.1.noarch",
"product_id": "nodejs6-docs-6.16.0-11.21.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs6-6.16.0-11.21.1.ppc64le",
"product": {
"name": "nodejs6-6.16.0-11.21.1.ppc64le",
"product_id": "nodejs6-6.16.0-11.21.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs6-devel-6.16.0-11.21.1.ppc64le",
"product": {
"name": "nodejs6-devel-6.16.0-11.21.1.ppc64le",
"product_id": "nodejs6-devel-6.16.0-11.21.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm6-6.16.0-11.21.1.ppc64le",
"product": {
"name": "npm6-6.16.0-11.21.1.ppc64le",
"product_id": "npm6-6.16.0-11.21.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs6-6.16.0-11.21.1.s390",
"product": {
"name": "nodejs6-6.16.0-11.21.1.s390",
"product_id": "nodejs6-6.16.0-11.21.1.s390"
}
},
{
"category": "product_version",
"name": "nodejs6-devel-6.16.0-11.21.1.s390",
"product": {
"name": "nodejs6-devel-6.16.0-11.21.1.s390",
"product_id": "nodejs6-devel-6.16.0-11.21.1.s390"
}
},
{
"category": "product_version",
"name": "npm6-6.16.0-11.21.1.s390",
"product": {
"name": "npm6-6.16.0-11.21.1.s390",
"product_id": "npm6-6.16.0-11.21.1.s390"
}
}
],
"category": "architecture",
"name": "s390"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs6-6.16.0-11.21.1.s390x",
"product": {
"name": "nodejs6-6.16.0-11.21.1.s390x",
"product_id": "nodejs6-6.16.0-11.21.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs6-devel-6.16.0-11.21.1.s390x",
"product": {
"name": "nodejs6-devel-6.16.0-11.21.1.s390x",
"product_id": "nodejs6-devel-6.16.0-11.21.1.s390x"
}
},
{
"category": "product_version",
"name": "npm6-6.16.0-11.21.1.s390x",
"product": {
"name": "npm6-6.16.0-11.21.1.s390x",
"product_id": "npm6-6.16.0-11.21.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs6-6.16.0-11.21.1.x86_64",
"product": {
"name": "nodejs6-6.16.0-11.21.1.x86_64",
"product_id": "nodejs6-6.16.0-11.21.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs6-devel-6.16.0-11.21.1.x86_64",
"product": {
"name": "nodejs6-devel-6.16.0-11.21.1.x86_64",
"product_id": "nodejs6-devel-6.16.0-11.21.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm6-6.16.0-11.21.1.x86_64",
"product": {
"name": "npm6-6.16.0-11.21.1.x86_64",
"product_id": "npm6-6.16.0-11.21.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 7",
"product": {
"name": "SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud:7"
}
}
},
{
"category": "product_name",
"name": "SUSE OpenStack Cloud Crowbar 8",
"product": {
"name": "SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:8"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Web and Scripting 12",
"product": {
"name": "SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-web-scripting:12"
}
}
},
{
"category": "product_name",
"name": "SUSE Enterprise Storage 4",
"product": {
"name": "SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:ses:4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.16.0-11.21.1.aarch64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64"
},
"product_reference": "nodejs6-6.16.0-11.21.1.aarch64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.16.0-11.21.1.s390x as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x"
},
"product_reference": "nodejs6-6.16.0-11.21.1.s390x",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.16.0-11.21.1.x86_64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64"
},
"product_reference": "nodejs6-6.16.0-11.21.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.16.0-11.21.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
},
"product_reference": "nodejs6-6.16.0-11.21.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.16.0-11.21.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64"
},
"product_reference": "nodejs6-6.16.0-11.21.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.16.0-11.21.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le"
},
"product_reference": "nodejs6-6.16.0-11.21.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.16.0-11.21.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x"
},
"product_reference": "nodejs6-6.16.0-11.21.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.16.0-11.21.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64"
},
"product_reference": "nodejs6-6.16.0-11.21.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-devel-6.16.0-11.21.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64"
},
"product_reference": "nodejs6-devel-6.16.0-11.21.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-devel-6.16.0-11.21.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le"
},
"product_reference": "nodejs6-devel-6.16.0-11.21.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-devel-6.16.0-11.21.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x"
},
"product_reference": "nodejs6-devel-6.16.0-11.21.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-devel-6.16.0-11.21.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64"
},
"product_reference": "nodejs6-devel-6.16.0-11.21.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-docs-6.16.0-11.21.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch"
},
"product_reference": "nodejs6-docs-6.16.0-11.21.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm6-6.16.0-11.21.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64"
},
"product_reference": "npm6-6.16.0-11.21.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm6-6.16.0-11.21.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le"
},
"product_reference": "npm6-6.16.0-11.21.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm6-6.16.0-11.21.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x"
},
"product_reference": "npm6-6.16.0-11.21.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm6-6.16.0-11.21.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64"
},
"product_reference": "npm6-6.16.0-11.21.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.16.0-11.21.1.aarch64 as component of SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64"
},
"product_reference": "nodejs6-6.16.0-11.21.1.aarch64",
"relates_to_product_reference": "SUSE Enterprise Storage 4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.16.0-11.21.1.x86_64 as component of SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64"
},
"product_reference": "nodejs6-6.16.0-11.21.1.x86_64",
"relates_to_product_reference": "SUSE Enterprise Storage 4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-0734",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-0734"
}
],
"notes": [
{
"category": "general",
"text": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-0734",
"url": "https://www.suse.com/security/cve/CVE-2018-0734"
},
{
"category": "external",
"summary": "SUSE Bug 1113534 for CVE-2018-0734",
"url": "https://bugzilla.suse.com/1113534"
},
{
"category": "external",
"summary": "SUSE Bug 1113652 for CVE-2018-0734",
"url": "https://bugzilla.suse.com/1113652"
},
{
"category": "external",
"summary": "SUSE Bug 1113742 for CVE-2018-0734",
"url": "https://bugzilla.suse.com/1113742"
},
{
"category": "external",
"summary": "SUSE Bug 1122198 for CVE-2018-0734",
"url": "https://bugzilla.suse.com/1122198"
},
{
"category": "external",
"summary": "SUSE Bug 1122212 for CVE-2018-0734",
"url": "https://bugzilla.suse.com/1122212"
},
{
"category": "external",
"summary": "SUSE Bug 1126909 for CVE-2018-0734",
"url": "https://bugzilla.suse.com/1126909"
},
{
"category": "external",
"summary": "SUSE Bug 1148697 for CVE-2018-0734",
"url": "https://bugzilla.suse.com/1148697"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-02-14T13:59:06Z",
"details": "moderate"
}
],
"title": "CVE-2018-0734"
},
{
"cve": "CVE-2018-12116",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-12116"
}
],
"notes": [
{
"category": "general",
"text": "Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-12116",
"url": "https://www.suse.com/security/cve/CVE-2018-12116"
},
{
"category": "external",
"summary": "SUSE Bug 1117630 for CVE-2018-12116",
"url": "https://bugzilla.suse.com/1117630"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-02-14T13:59:06Z",
"details": "moderate"
}
],
"title": "CVE-2018-12116"
},
{
"cve": "CVE-2018-12120",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-12120"
}
],
"notes": [
{
"category": "general",
"text": "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-12120",
"url": "https://www.suse.com/security/cve/CVE-2018-12120"
},
{
"category": "external",
"summary": "SUSE Bug 1117625 for CVE-2018-12120",
"url": "https://bugzilla.suse.com/1117625"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-02-14T13:59:06Z",
"details": "critical"
}
],
"title": "CVE-2018-12120"
},
{
"cve": "CVE-2018-12121",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-12121"
}
],
"notes": [
{
"category": "general",
"text": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-12121",
"url": "https://www.suse.com/security/cve/CVE-2018-12121"
},
{
"category": "external",
"summary": "SUSE Bug 1117626 for CVE-2018-12121",
"url": "https://bugzilla.suse.com/1117626"
},
{
"category": "external",
"summary": "SUSE Bug 1127532 for CVE-2018-12121",
"url": "https://bugzilla.suse.com/1127532"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-02-14T13:59:06Z",
"details": "important"
}
],
"title": "CVE-2018-12121"
},
{
"cve": "CVE-2018-12122",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-12122"
}
],
"notes": [
{
"category": "general",
"text": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-12122",
"url": "https://www.suse.com/security/cve/CVE-2018-12122"
},
{
"category": "external",
"summary": "SUSE Bug 1117627 for CVE-2018-12122",
"url": "https://bugzilla.suse.com/1117627"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-02-14T13:59:06Z",
"details": "important"
}
],
"title": "CVE-2018-12122"
},
{
"cve": "CVE-2018-12123",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-12123"
}
],
"notes": [
{
"category": "general",
"text": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case \"javascript:\" (e.g. \"javAscript:\") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-12123",
"url": "https://www.suse.com/security/cve/CVE-2018-12123"
},
{
"category": "external",
"summary": "SUSE Bug 1117629 for CVE-2018-12123",
"url": "https://bugzilla.suse.com/1117629"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-02-14T13:59:06Z",
"details": "moderate"
}
],
"title": "CVE-2018-12123"
},
{
"cve": "CVE-2018-5407",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-5407"
}
],
"notes": [
{
"category": "general",
"text": "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on \u0027port contention\u0027.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-5407",
"url": "https://www.suse.com/security/cve/CVE-2018-5407"
},
{
"category": "external",
"summary": "SUSE Bug 1113534 for CVE-2018-5407",
"url": "https://bugzilla.suse.com/1113534"
},
{
"category": "external",
"summary": "SUSE Bug 1116195 for CVE-2018-5407",
"url": "https://bugzilla.suse.com/1116195"
},
{
"category": "external",
"summary": "SUSE Bug 1126909 for CVE-2018-5407",
"url": "https://bugzilla.suse.com/1126909"
},
{
"category": "external",
"summary": "SUSE Bug 1148697 for CVE-2018-5407",
"url": "https://bugzilla.suse.com/1148697"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.16.0-11.21.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.16.0-11.21.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.16.0-11.21.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.16.0-11.21.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-02-14T13:59:06Z",
"details": "moderate"
}
],
"title": "CVE-2018-5407"
}
]
}
cnvd-2019-42557
Vulnerability from cnvd
Title
Joyent Node.js存在未明漏洞(CNVD-2019-42557)
Description
Joyent Node.js是美国Joyent公司的一套建立在Google V8 JavaScript引擎之上的网络应用平台。该平台主要用于构建高度可伸缩的应用程序,以及编写能够处理数万条且同时连接到一个物理机的连接代码。
Joyent Node.js 6.15.0之前版本中存在安全漏洞,该漏洞源于当采用node --debug或node debug来启用debugger时,默认情况下它在所有接口上监听5858端口。远程攻击者可利用该漏洞将计算机添加到调试端口,运行任意JavaScript代码。
Severity
中
VLAI Severity ?
Patch Name
Joyent Node.js存在未明漏洞(CNVD-2019-42557)的补丁
Patch Description
Joyent Node.js是美国Joyent公司的一套建立在Google V8 JavaScript引擎之上的网络应用平台。该平台主要用于构建高度可伸缩的应用程序,以及编写能够处理数万条且同时连接到一个物理机的连接代码。
Joyent Node.js 6.15.0之前版本中存在安全漏洞,该漏洞源于当采用node --debug或node debug来启用debugger时,默认情况下它在所有接口上监听5858端口。远程攻击者可利用该漏洞将计算机添加到调试端口,运行任意JavaScript代码。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
Reference
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
Impacted products
| Name | Joyent Node.js <6.15.0 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2018-12120",
"cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12120"
}
},
"description": "Joyent Node.js\u662f\u7f8e\u56fdJoyent\u516c\u53f8\u7684\u4e00\u5957\u5efa\u7acb\u5728Google V8 JavaScript\u5f15\u64ce\u4e4b\u4e0a\u7684\u7f51\u7edc\u5e94\u7528\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u7528\u4e8e\u6784\u5efa\u9ad8\u5ea6\u53ef\u4f38\u7f29\u7684\u5e94\u7528\u7a0b\u5e8f\uff0c\u4ee5\u53ca\u7f16\u5199\u80fd\u591f\u5904\u7406\u6570\u4e07\u6761\u4e14\u540c\u65f6\u8fde\u63a5\u5230\u4e00\u4e2a\u7269\u7406\u673a\u7684\u8fde\u63a5\u4ee3\u7801\u3002\n\nJoyent Node.js 6.15.0\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f53\u91c7\u7528node --debug\u6216node debug\u6765\u542f\u7528debugger\u65f6\uff0c\u9ed8\u8ba4\u60c5\u51b5\u4e0b\u5b83\u5728\u6240\u6709\u63a5\u53e3\u4e0a\u76d1\u542c5858\u7aef\u53e3\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u8ba1\u7b97\u673a\u6dfb\u52a0\u5230\u8c03\u8bd5\u7aef\u53e3\uff0c\u8fd0\u884c\u4efb\u610fJavaScript\u4ee3\u7801\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2019-42557",
"openTime": "2019-11-27",
"patchDescription": "Joyent Node.js\u662f\u7f8e\u56fdJoyent\u516c\u53f8\u7684\u4e00\u5957\u5efa\u7acb\u5728Google V8 JavaScript\u5f15\u64ce\u4e4b\u4e0a\u7684\u7f51\u7edc\u5e94\u7528\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u7528\u4e8e\u6784\u5efa\u9ad8\u5ea6\u53ef\u4f38\u7f29\u7684\u5e94\u7528\u7a0b\u5e8f\uff0c\u4ee5\u53ca\u7f16\u5199\u80fd\u591f\u5904\u7406\u6570\u4e07\u6761\u4e14\u540c\u65f6\u8fde\u63a5\u5230\u4e00\u4e2a\u7269\u7406\u673a\u7684\u8fde\u63a5\u4ee3\u7801\u3002\r\n\r\nJoyent Node.js 6.15.0\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f53\u91c7\u7528node --debug\u6216node debug\u6765\u542f\u7528debugger\u65f6\uff0c\u9ed8\u8ba4\u60c5\u51b5\u4e0b\u5b83\u5728\u6240\u6709\u63a5\u53e3\u4e0a\u76d1\u542c5858\u7aef\u53e3\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u8ba1\u7b97\u673a\u6dfb\u52a0\u5230\u8c03\u8bd5\u7aef\u53e3\uff0c\u8fd0\u884c\u4efb\u610fJavaScript\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Joyent Node.js\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2019-42557\uff09\u7684\u8865\u4e01",
"products": {
"product": "Joyent Node.js \u003c6.15.0"
},
"referenceLink": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"serverity": "\u4e2d",
"submitTime": "2018-11-30",
"title": "Joyent Node.js\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2019-42557\uff09"
}
fkie_cve-2018-12120
Vulnerability from fkie_nvd
Published
2018-11-28 17:29
Modified
2024-11-21 03:44
Severity ?
Summary
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.
References
| URL | Tags | ||
|---|---|---|---|
| cve-request@iojs.org | http://www.securityfocus.com/bid/106040 | Third Party Advisory, VDB Entry | |
| cve-request@iojs.org | https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/106040 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ | Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
"matchCriteriaId": "30C30A13-A774-48C1-A0FC-1F31327DE909",
"versionEndExcluding": "6.15.0",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable."
},
{
"lang": "es",
"value": "Node.js: Todas las versiones anteriores a la 6.15.0: El puerto de depuraci\u00f3n 5858 escucha en cualquier interfaz por defecto. Cuando el depurador est\u00e1 habilitado con \"node --debug\" o \"node debug\", escucha en el puerto 5858 en todas las interfaces por defecto. Esto podr\u00eda permitir que los ordenadores remotos se conecten al puerto de depuraci\u00f3n y eval\u00faen JavaScript arbitrario. La interfaz por defecto es ahora localhost. Siempre ha sido posible iniciar el depurador en una interfaz concreta, como \"node --debug=localhost\". El depurador fue eliminado en Node.js 8 y se sustituy\u00f3 por el inspector, por lo que no hay versiones vulnerables a partir de la 8."
}
],
"id": "CVE-2018-12120",
"lastModified": "2024-11-21T03:44:38.050",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-11-28T17:29:00.290",
"references": [
{
"source": "cve-request@iojs.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106040"
},
{
"source": "cve-request@iojs.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106040"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
}
],
"sourceIdentifier": "cve-request@iojs.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-419"
}
],
"source": "cve-request@iojs.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-829"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…