Skip to content

Commit

Permalink
vuln: add recent vulnerabilities (#1029)
Browse files Browse the repository at this point in the history
  • Loading branch information
@RafaelGSS
RafaelGSS authored Jun 21, 2023
1 parent 76cebdd commit b442fb8
Show file tree
Hide file tree
Showing 11 changed files with 1,056 additions and 0 deletions.
8 changes: 8 additions & 0 deletions vuln/core/108.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
{
"cve": ["CVE-2023-30581"],
"vulnerable": "16.x || 18.x || 20.x",
"patched": "^16.20.1 || ^18.16.1 || ^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "The use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules outside of the policy.json definition",
"affectedEnvironments": ["all"]
}
8 changes: 8 additions & 0 deletions vuln/core/109.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
{
"cve": ["CVE-2023-30582"],
"vulnerable": "20.x",
"patched": "^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument.",
"affectedEnvironments": ["all"]
}
8 changes: 8 additions & 0 deletions vuln/core/110.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
{
"cve": ["CVE-2023-30583"],
"vulnerable": "20.x",
"patched": "^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the --allow-fs-read flag in Node.js 20",
"affectedEnvironments": ["all"]
}
8 changes: 8 additions & 0 deletions vuln/core/111.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
{
"cve": ["CVE-2023-30584"],
"vulnerable": "20.x",
"patched": "^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions.",
"affectedEnvironments": ["all"]
}
8 changes: 8 additions & 0 deletions vuln/core/112.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
{
"cve": ["CVE-2023-30585"],
"vulnerable": "16.x || 18.x || 20.x",
"patched": "^16.20.1 || ^18.16.1 || ^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process",
"affectedEnvironments": ["win32"]
}
8 changes: 8 additions & 0 deletions vuln/core/113.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
{
"cve": ["CVE-2023-30586"],
"vulnerable": "20.x",
"patched": "^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "Node.js 20 allows loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model.",
"affectedEnvironments": ["all"]
}
8 changes: 8 additions & 0 deletions vuln/core/114.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
{
"cve": ["CVE-2023-30587"],
"vulnerable": "20.x",
"patched": "^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector).",
"affectedEnvironments": ["all"]
}
8 changes: 8 additions & 0 deletions vuln/core/115.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
{
"cve": ["CVE-2023-30589"],
"vulnerable": "16.x || 18.x || 20.x",
"patched": "^16.20.1 || ^18.16.1 || ^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests.",
"affectedEnvironments": ["all"]
}
8 changes: 8 additions & 0 deletions vuln/core/116.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
{
"cve": ["CVE-2023-30588"],
"vulnerable": "16.x || 18.x || 20.x",
"patched": "^16.20.1 || ^18.16.1 || ^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs.",
"affectedEnvironments": ["all"]
}
8 changes: 8 additions & 0 deletions vuln/core/117.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
{
"cve": ["CVE-2023-30590"],
"vulnerable": "16.x || 18.x || 20.x",
"patched": "^16.20.1 || ^18.16.1 || ^20.3.1",
"ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
"overview": "The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet.",
"affectedEnvironments": ["all"]
}
976 changes: 976 additions & 0 deletions vuln/core/index.json
View file

Large diffs are not rendered by default.

0 comments on commit b442fb8

Please sign in to comment.