Total
188 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-17560 | 2 Apache, Oracle | 2 Netbeans, Graalvm | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. “Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability. | |||||
| CVE-2019-16777 | 5 Fedoraproject, Npmjs, Opensuse and 2 more | 6 Fedora, Npm, Leap and 3 more | 2024-11-21 | 5.5 MEDIUM | 7.7 HIGH |
| Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. | |||||
| CVE-2019-16776 | 5 Fedoraproject, Npmjs, Opensuse and 2 more | 6 Fedora, Npm, Leap and 3 more | 2024-11-21 | 5.5 MEDIUM | 7.7 HIGH |
| Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. | |||||
| CVE-2019-16775 | 5 Fedoraproject, Npmjs, Opensuse and 2 more | 6 Fedora, Npm, Leap and 3 more | 2024-11-21 | 4.0 MEDIUM | 7.7 HIGH |
| Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. | |||||
| CVE-2019-16255 | 4 Debian, Opensuse, Oracle and 1 more | 4 Debian Linux, Leap, Graalvm and 1 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method. | |||||
| CVE-2019-15606 | 5 Debian, Nodejs, Opensuse and 2 more | 7 Debian Linux, Node.js, Leap and 4 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons | |||||
| CVE-2019-15605 | 6 Debian, Fedoraproject, Nodejs and 3 more | 13 Debian Linux, Fedora, Node.js and 10 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed | |||||
| CVE-2019-15604 | 5 Debian, Nodejs, Opensuse and 2 more | 10 Debian Linux, Node.js, Leap and 7 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate | |||||