National Vulnerability Database

This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.

CVE-2017-16098

Wed, 06/06/2018 - 22:29
charset 1.0.0 and below are vulnerable to regular expression denial of service. Input of around 50k characters is required for a slowdown of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option, the default header max length is 80kb, so the impact of the ReDoS is relatively low.
Categories: Security News

CVE-2017-16099

Wed, 06/06/2018 - 22:29
The no-case module is vulnerable to regular expression denial of service. When malicious untrusted user input is passed into no-case, it can block the event loop, causing a denial of service condition.

CVE-2017-16100

Wed, 06/06/2018 - 22:29
dns-sync is a sync/blocking dns resolver. If untrusted user input is allowed into the resolve() method then command injection is possible.

CVE-2017-16101

Wed, 06/06/2018 - 22:29
serverwg is a simple http server. serverwg is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

CVE-2017-16102

Wed, 06/06/2018 - 22:29
serverhuwenhui is a simple http server. serverhuwenhui is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

CVE-2017-16103

Wed, 06/06/2018 - 22:29
serveryztyzt is a simple http server. serveryztyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

CVE-2017-16104

Wed, 06/06/2018 - 22:29
citypredict.whauwiller is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

CVE-2017-16105

Wed, 06/06/2018 - 22:29
serverwzl is a simple http server. serverwzl is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

CVE-2017-16106

Wed, 06/06/2018 - 22:29
tmock is a static file server. tmock is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

CVE-2017-16107

Wed, 06/06/2018 - 22:29
pooledwebsocket is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

CVE-2017-16108

Wed, 06/06/2018 - 22:29
gaoxiaotingtingting is an HTTP server. gaoxiaotingtingting is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

CVE-2017-16109

Wed, 06/06/2018 - 22:29
easyquick is a simple web server. easyquick is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Access is constrained, however, to supported file types. Requesting a file such as /etc/passwd returns a "not supported" error.

CVE-2017-16110

Wed, 06/06/2018 - 22:29
weather.swlyons is a simple web server for weather updates. weather.swlyons is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

CVE-2017-16111

Wed, 06/06/2018 - 22:29
The content module is a module to parse HTTP Content-* headers. It is used by the hapijs framework to provide this functionality. The module is vulnerable to regular expression denial of service when passed a specifically crafted Content-Type or Content-Disposition header.

CVE-2017-16113

Wed, 06/06/2018 - 22:29
The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.

CVE-2017-16114

Wed, 06/06/2018 - 22:29
The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

CVE-2017-16115

Wed, 06/06/2018 - 22:29
The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.

CVE-2017-16116

Wed, 06/06/2018 - 22:29
The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.

CVE-2017-16117

Wed, 06/06/2018 - 22:29
slug is a module to slugify strings, even if they contain Unicode. slug is vulnerable to regular expression denial of service if specially crafted untrusted input is passed as input. About 50k characters can block the event loop for 2 seconds.

CVE-2017-16118

Wed, 06/06/2018 - 22:29
The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This blocks the event loop, causing a denial of service condition.
