vuln: add october 2023 security release vulns (#1131)
* vuln: add october 2023 security release vulns

* vuln: adjust typo in overview's field

Co-authored-by: Tobias Nießen <tniessen@tnie.de>

---------

Co-authored-by: Tobias Nießen <tniessen@tnie.de>
RafaelGSS and tniessen authored Oct 13, 2023
1 parent 6b0e2b5 commit 6d79856
Showing 7 changed files with 120 additions and 0 deletions.
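--- a/vuln/core/125.json
+++ b/vuln/core/125.json
@@ -0,0 +1,8 @@
+{
+"cve": ["CVE-2023-45143"],
+"vulnerable": "18.x || 20.x",
+"patched": "^18.18.2 || ^20.8.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+"overview": "Cookie headers are not cleared in cross-domain redirect in undici-fetch (High)",
+"affectedEnvironments": ["all"]
+}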
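Review bot: The severity rating exists only as a trailing parenthetical inside `overview` (`... in undici-fetch (High)`), so any scanner or dashboard that filters these records by severity has to parse free text. The same pattern appears in 126.json through 130.json and in the matching index.json entries. The schema is not visible on this page; if it permits one, a dedicated field such as `"severity": "high"` next to `overview` would keep the rating machine-readable. Otherwise the parenthetical convention should be stated in the schema documentation so consumers can rely on it.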
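--- a/vuln/core/126.json
+++ b/vuln/core/126.json
@@ -0,0 +1,8 @@
+{
+"cve": ["CVE-2023-44487"],
+"vulnerable": "18.x || 20.x",
+"patched": "^18.18.2 || ^20.8.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+"overview": "Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound causes denial of service (High)",
+"affectedEnvironments": ["all"]
+}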
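Review bot: The `overview` for CVE-2023-44487 never names the protocol. `HEADERS` and `RST_STREAM` imply HTTP/2, but a text search for "HTTP/2" or "Rapid Reset" will not match this record, and "streams" on its own reads like Node.js streams. Consider opening the string with the component, e.g. `"overview": "HTTP/2 Rapid Reset: rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound causes denial of service (High)"`. The index.json entry `"126"` carries the same text and would need the same wording.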
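--- a/vuln/core/127.json
+++ b/vuln/core/127.json
@@ -0,0 +1,8 @@
+{
+"cve": ["CVE-2023-39331"],
+"vulnerable": "20.x",
+"patched": "^20.8.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+"overview": "A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently. The implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations (High)",
+"affectedEnvironments": ["all"]
+}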
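Review bot: The `overview` does not say which feature is affected: "The implementation" has no referent. Combined with `"affectedEnvironments": ["all"]`, a reader cannot tell that exposure depends on a particular feature being in use. As far as the advisory linked in `ref` describes it, this CVE and CVE-2023-39332 in 128.json both concern the experimental permission model, so both strings would be clearer if they named it, e.g. by prefixing `Permission model improperly protects against path traversal: ` here. Please confirm the wording against the advisory, and mirror it in the index.json entries `"127"` and `"128"`.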
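--- a/vuln/core/128.json
+++ b/vuln/core/128.json
@@ -0,0 +1,8 @@
+{
+"cve": ["CVE-2023-39332"],
+"vulnerable": "20.x",
+"patched": "^20.8.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+"overview": "Path traversal through path stored in Uint8Array (High)",
+"affectedEnvironments": ["all"]
+}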
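--- a/vuln/core/129.json
+++ b/vuln/core/129.json
@@ -0,0 +1,8 @@
+{
+"cve": ["CVE-2023-38552"],
+"vulnerable": "18.x || 20.x",
+"patched": "^18.18.2 || ^20.8.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+"overview": "Integrity checks according to experimental policies can be circumvented (Medium)",
+"affectedEnvironments": ["all"]
+}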
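--- a/vuln/core/130.json
+++ b/vuln/core/130.json
@@ -0,0 +1,8 @@
+{
+"cve": ["CVE-2023-39333"],
+"vulnerable": "18.x || 20.x",
+"patched": "^18.18.2 || ^20.8.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+"overview": "Code injection via WebAssembly export names (Low)",
+"affectedEnvironments": ["all"]
+}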
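--- a/vuln/core/index.json
+++ b/vuln/core/index.json
@@ -1546,5 +1546,77 @@
 "affectedEnvironments": [
 "all"
 ]
+},
+"125": {
+"cve": [
+"CVE-2023-45143"
+],
+"vulnerable": "18.x || 20.x",
+"patched": "^18.18.2 || ^20.8.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+"overview": "Cookie headers are not cleared in cross-domain redirect in undici-fetch (High)",
+"affectedEnvironments": [
+"all"
+]
+},
+"126": {
+"cve": [
+"CVE-2023-44487"
+],
+"vulnerable": "18.x || 20.x",
+"patched": "^18.18.2 || ^20.8.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+"overview": "Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound causes denial of service (High)",
+"affectedEnvironments": [
+"all"
+]
+},
+"127": {
+"cve": [
+"CVE-2023-39331"
+],
+"vulnerable": "20.x",
+"patched": "^20.8.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+"overview": "A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently. The implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations (High)",
+"affectedEnvironments": [
+"all"
+]
+},
+"128": {
+"cve": [
+"CVE-2023-39332"
+],
+"vulnerable": "20.x",
+"patched": "^20.8.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+"overview": "Path traversal through path stored in Uint8Array (High)",
+"affectedEnvironments": [
+"all"
+]
+},
+"129": {
+"cve": [
+"CVE-2023-38552"
+],
+"vulnerable": "18.x || 20.x",
+"patched": "^18.18.2 || ^20.8.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+"overview": "Integrity checks according to experimental policies can be circumvented (Medium)",
+"affectedEnvironments": [
+"all"
+]
+},
+"130": {
+"cve": [
+"CVE-2023-39333"
+],
+"vulnerable": "18.x || 20.x",
+"patched": "^18.18.2 || ^20.8.1",
+"ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/",
+"overview": "Code injection via WebAssembly export names (Low)",
+"affectedEnvironments": [
+"all"
+]
 }
 }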
