Sep 16, 2024 - 12:00 a.m.

ROS-20240916-03

2024-09-16 00:00:00
redos.red-soft.ru
node.js
vulnerability
data authentication
encryption errors
access control
remote attackers
bypass restrictions
elevate privileges
arbitrary commands
unreliable search path
unix
service data
disclosure
http/1.1 undici client

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.1
Confidence: High

EPSS: 0.012
Percentile: 85.6%

A vulnerability in the Node.js software platform is related to insufficient data authentication. Exploitation of the vulnerability could allow an attacker acting remotely to disable integrity validation.

A vulnerability in the generateKeys() API function of the Node.js software platform is related to a mismatch between the implementation and the documented design. Exploitation of the vulnerability could allow an attacker acting remotely to bypass existing security restrictions.

A vulnerability in the WebAssembly module of the Node.js software platform is related to mismanagement of code generation. Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary commands.

A vulnerability in the Node.js software platform is related to data encryption errors. Exploitation of the vulnerability could allow a remote attacker to cause a denial of service.

A vulnerability in Module._load() of the Node.js software platform is related to access control flaws. Exploitation of the vulnerability could allow an attacker acting remotely to bypass the imposed security restrictions.

A vulnerability in the process.mainModule.require() function of the Node.js software platform is related to authorization flaws. Exploitation of the vulnerability could allow an attacker acting remotely to elevate their privileges.

A vulnerability in the process.binding() module of the Node.js software platform is related to authorization flaws. Exploitation of the vulnerability could allow a remote attacker to bypass existing security restrictions.

A vulnerability in the HTTP/1.1 undici client of the Node.js software platform is related to insufficient protection of service data. Exploitation of the vulnerability could allow an attacker acting remotely to disclose protected information.

A vulnerability in the module.constructor.createRequire() module of the Node.js software platform is related to access control flaws. Exploitation of the vulnerability could allow an attacker acting remotely to bypass security restrictions.

A vulnerability in the Node.js software platform is related to the use of an unreliable search path. Exploitation of the vulnerability could allow an attacker to escalate privileges.

| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| redos | 7.3 | x86_64 | nodejs | < 18.18.2-1 | UNKNOWN |
