Total: 1831 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2016-10544 | 1 Uws Project | 1 Uws | 2019-10-09 | 4.3 MEDIUM | 5.9 MEDIUM | uws is a WebSocket server library. By sending a 256 MB websocket message to a uws server instance with permessage-deflate enabled, there is a possibility that the compression will shrink that 256 MB down to less than 16 MB of websocket payload, which passes the 16 MB payload length check. This data will then inflate back up to 256 MB and crash the node process by exceeding V8's maximum string size. This affects uws >=0.10.0 <=0.10.8. |
| CVE-2016-10542 | 1 Ws Project | 1 Ws | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH | ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier. |
| CVE-2016-10540 | 1 Minimatch Project | 1 Minimatch | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH | Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatch(path, pattern)`, in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter. |
| CVE-2016-10539 | 1 Negotiator Project | 1 Negotiator | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH | negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The "Accept-Language" header, when parsed by negotiator 0.6.0 and earlier, is vulnerable to Regular Expression Denial of Service via a specially crafted string. |
| CVE-2016-10527 | 1 Riot.js | 1 Riot-compiler | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH | The riot-compiler version 2.3.21 has an issue in a regex (catastrophic backtracking) that makes it unusable under certain conditions. |
| CVE-2016-10523 | 1 Mqtt-packet Project | 1 Mqtt-packet | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH | MQTT before 3.4.6 and 4.0.x before 4.0.5 allows specifically crafted MQTT packets to crash the application, making a DoS attack feasible with very little bandwidth. |
| CVE-2016-10521 | 1 Jshamcrest Project | 1 Jshamcrest | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH | jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input are passed to the emailAddress validator. |
| CVE-2016-10520 | 1 Jadedown Project | 1 Jadedown | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH | jadedown is vulnerable to regular expression denial of service (ReDoS) when certain types of user input are passed in. |
| CVE-2015-9242 | 1 Ecstatic Project | 1 Ecstatic | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH | Certain input strings, when passed to new Date() or Date.parse() in the ecstatic node module before 1.4.0, will cause V8 to raise an exception. This leads to a crash and denial of service in ecstatic when this input is passed into the server via the If-Modified-Since header. |
| CVE-2015-9241 | 1 Hapijs | 1 Hapi | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH | Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending an HTTP 500 error back to the sender, the hapi node module before 11.1.3 will continue to hold the socket open until it times out (the default node timeout is 2 minutes). |
| CVE-2015-9239 | 1 Ansi2html Project | 1 Ansi2html | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH | ansi2html is vulnerable to regular expression denial of service (ReDoS) when certain types of user input are passed in. |
| CVE-2014-10064 | 1 Qs Project | 1 Qs | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH | The qs module before 1.0.0 does not have an option or default for specifying object depth, and when parsing a string representing a deeply nested object it will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition; for example, in a web application, other requests would not be processed while this blocking is occurring. |
| CVE-2019-10750 | 1 Deeply Project | 1 Deeply | 2019-10-08 | 7.5 HIGH | 9.8 CRITICAL | deeply is vulnerable to Prototype Pollution in versions before 3.1.0. The function assign-deep could be tricked into adding or modifying properties of Object.prototype using a `__proto__` payload. |
| CVE-2018-17281 | 2 Debian, Digium | 3 Debian Linux, Asterisk, Certified Asterisk | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH | There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0, and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket. |
| CVE-2018-1000872 | 1 Pykmip Project | 1 Pykmip | 2019-10-03 | 4.3 MEDIUM | 6.5 MEDIUM | OpenKMIP PyKMIP, all versions before 0.8.0, contains a CWE-399 (Resource Management Errors) vulnerability in the PyKMIP server, similar to CVE-2015-5262, that can result in DoS: the server can be made unavailable by one or more clients opening all of the available sockets. The attack appears to be exploitable by a client or clients opening sockets with the server and then never closing them. This vulnerability appears to have been fixed in 0.8.0. |
| CVE-2018-10193 | 1 Logmein | 1 Lastpass | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH | LogMeIn LastPass through 4.15.0 allows remote attackers to cause a denial of service (browser hang) via an HTML document, because the resource consumption of onloadwff.js grows with the number of INPUT elements. |
| CVE-2017-14086 | 1 Trendmicro | 1 Officescan | 2019-10-03 | 7.8 HIGH | 7.5 HIGH | Pre-authorization Start Remote Process vulnerabilities in Trend Micro OfficeScan 11.0 and XG may allow unauthenticated users who can access the OfficeScan server to start the fcgiOfcDDA.exe executable or cause a potential INI corruption, which may cause the server disk space to be consumed with dump files from continuous HTTP requests. |
| CVE-2017-15130 | 3 Canonical, Debian, Dovecot | 3 Ubuntu Linux, Debian Linux, Dovecot | 2019-10-03 | 4.3 MEDIUM | 5.9 MEDIUM | A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and causing the process to restart. |
| CVE-2017-7684 | 1 Apache | 1 Openmeetings | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH | Apache OpenMeetings 1.0.0 doesn't check the contents of files being uploaded. An attacker can cause a denial of service by uploading multiple large files to the server. |
| CVE-2018-10924 | 1 Gluster | 1 Glusterfs | 2019-10-03 | 6.8 MEDIUM | 6.5 MEDIUM | It was discovered that the fsync(2) system call in the glusterfs client code leaks memory. An authenticated attacker could use this flaw to launch a denial of service attack by making gluster clients consume the memory of the host machine. |
