Search CVE reports
161 – 170 of 248 results
The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in...
4 affected packages
edk2, nodejs, openssl, openssl1.0
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| edk2 | — | Not affected | Not affected | Not affected | Not affected |
| nodejs | — | Not affected | Not affected | Not affected | Not affected |
| openssl | — | Fixed | Fixed | Not affected | Not affected |
| openssl1.0 | — | Not in release | Not in release | Not in release | Not affected |
The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an...
4 affected packages
edk2, nodejs, openssl, openssl1.0
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| edk2 | Not affected | Not affected | Not affected | Not affected | Not affected |
| nodejs | Not affected | Not affected | Fixed | Not affected | Not affected |
| openssl | Fixed | Fixed | Fixed | Fixed | Fixed |
| openssl1.0 | Not in release | Not in release | Not in release | Not in release | Fixed |
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none
4 affected packages
edk2, nodejs, openssl, openssl1.0
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| edk2 | — | — | Not affected | Not affected | Not affected |
| nodejs | — | — | Not affected | Not affected | Not affected |
| openssl | — | — | Not affected | Not affected | Not affected |
| openssl1.0 | — | — | Not in release | Not in release | Not affected |
Some fixes available 17 of 20
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public...
4 affected packages
edk2, nodejs, openssl, openssl1.0
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| edk2 | Not affected | Not affected | Fixed | Vulnerable | Vulnerable |
| nodejs | Not affected | Not affected | Fixed | Not affected | Not affected |
| openssl | Fixed | Fixed | Fixed | Fixed | Fixed |
| openssl1.0 | Not in release | Not in release | Not in release | Not in release | Fixed |
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the...
1 affected package
nodejs
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| nodejs | — | Not affected | Not affected | Not affected | Not affected |
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would...
1 affected package
nodejs
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| nodejs | Not affected | Not affected | Not affected | Vulnerable | Not affected |
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format...
1 affected package
nodejs
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| nodejs | Not affected | Not affected | Vulnerable | Not affected | Not affected |
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and <...
1 affected package
nodejs
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| nodejs | — | Not affected | Not affected | Not affected | Not affected |
There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack...
4 affected packages
edk2, nodejs, openssl, openssl1.0
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| edk2 | Not affected | Not affected | Not affected | Not affected | Not affected |
| nodejs | Not affected | Not affected | Not affected | Not affected | Not affected |
| openssl | Not affected | Not affected | Not affected | Not affected | Not affected |
| openssl1.0 | Not in release | Not in release | Not in release | Not in release | Not affected |
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory)....
4 affected packages
edk2, nodejs, openssl, openssl1.0
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| edk2 | — | — | Not affected | Not affected | Not affected |
| nodejs | — | — | Not affected | Not affected | Not affected |
| openssl | — | — | Fixed | Not affected | Not affected |
| openssl1.0 | — | — | Not in release | Not in release | Not affected |