Vulnerability report for Docker node:18.16.1-bookworm

Vulnerabilities	366 via 1265 paths
Dependencies	414
Source	Docker
Target OS	debian:12

Test your Docker Hub image against our market leading vulnerability database Sign up for free

Severity

Critical
10
High
49
Medium
66
Low
241

Status

Open
366
Patched
0
Ignored
0

OS binaries

critical severity

Integer Overflow or Wraparound

Vulnerable module: aom/libaom3
Introduced through: aom/libaom3@3.6.0-1
Fixed in: 3.6.0-1+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › aom/libaom3@3.6.0-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream aom package and not the aom package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers:

Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.
Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.
Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.

Remediation

Upgrade Debian:12 aom to version 3.6.0-1+deb12u1 or higher.

References

Integer Overflow or Wraparound vulnerability report

critical severity

Out-of-bounds Write

Vulnerable module: curl
Introduced through: curl@7.88.1-10, curl/libcurl3-gnutls@7.88.1-10 and others
Fixed in: 7.88.1-10+deb12u4

Detailed paths

Introduced through: node@18.16.1-bookworm › curl@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl3-gnutls@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4-openssl-dev@7.88.1-10

…and 1 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake.

When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes.

If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there.

The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.

Remediation

Upgrade Debian:12 curl to version 7.88.1-10+deb12u4 or higher.

References

Out-of-bounds Write vulnerability report

critical severity

Integer Overflow or Wraparound

Vulnerable module: expat/libexpat1
Introduced through: expat/libexpat1@2.5.0-1 and expat/libexpat1-dev@2.5.0-1
Fixed in: 2.5.0-1+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › expat/libexpat1@2.5.0-1
Introduced through: node@18.16.1-bookworm › expat/libexpat1-dev@2.5.0-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

Remediation

Upgrade Debian:12 expat to version 2.5.0-1+deb12u1 or higher.

References

Integer Overflow or Wraparound vulnerability report

critical severity

Integer Overflow or Wraparound

Vulnerable module: expat/libexpat1
Introduced through: expat/libexpat1@2.5.0-1 and expat/libexpat1-dev@2.5.0-1
Fixed in: 2.5.0-1+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › expat/libexpat1@2.5.0-1
Introduced through: node@18.16.1-bookworm › expat/libexpat1-dev@2.5.0-1

NVD Description

An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

Remediation

Upgrade Debian:12 expat to version 2.5.0-1+deb12u1 or higher.

References

Integer Overflow or Wraparound vulnerability report

critical severity

CVE-2023-28531

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:9.2p1-2
Fixed in: 1:9.2p1-2+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › openssh/openssh-client@1:9.2p1-2

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.

Remediation

Upgrade Debian:12 openssh to version 1:9.2p1-2+deb12u2 or higher.

References

CVE-2023-28531 vulnerability report

critical severity

Unquoted Search Path or Element

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:9.2p1-2
Fixed in: 1:9.2p1-2+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › openssh/openssh-client@1:9.2p1-2

NVD Description

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

Remediation

Upgrade Debian:12 openssh to version 1:9.2p1-2+deb12u1 or higher.

References

Unquoted Search Path or Element vulnerability report

critical severity

Integer Overflow or Wraparound

Vulnerable module: zlib/zlib1g
Introduced through: zlib/zlib1g@1:1.2.13.dfsg-1 and zlib/zlib1g-dev@1:1.2.13.dfsg-1

Detailed paths

Introduced through: node@18.16.1-bookworm › zlib/zlib1g@1:1.2.13.dfsg-1
Introduced through: node@18.16.1-bookworm › zlib/zlib1g-dev@1:1.2.13.dfsg-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.

Remediation

There is no fixed version for Debian:12 zlib.

References

Integer Overflow or Wraparound vulnerability report

critical severity

CVE-2024-37371

Vulnerable module: krb5/krb5-multidev
Introduced through: krb5/krb5-multidev@1.20.1-2, krb5/libgssapi-krb5-2@1.20.1-2 and others
Fixed in: 1.20.1-2+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › krb5/krb5-multidev@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libgssapi-krb5-2@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libgssrpc4@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libk5crypto3@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkadm5clnt-mit12@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkadm5srv-mit12@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkdb5-10@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5-3@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5-dev@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5support0@1.20.1-2

…and 7 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.

Remediation

Upgrade Debian:12 krb5 to version 1.20.1-2+deb12u2 or higher.

References

CVE-2024-37371 vulnerability report

critical severity

Interpretation Conflict

Vulnerable module: wget/wget
Introduced through: wget/wget@1.21.3-1+b2
Fixed in: 1.21.3-1+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › wget/wget@1.21.3-1+b2

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.

Remediation

Upgrade Debian:12 wget to version 1.21.3-1+deb12u1 or higher.

References

Interpretation Conflict vulnerability report

critical severity

Link Following

Vulnerable module: git
Introduced through: git@1:2.39.2-1.1 and git/git-man@1:2.39.2-1.1
Fixed in: 1:2.39.5-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › git@1:2.39.2-1.1
Introduced through: node@18.16.1-bookworm › git/git-man@1:2.39.2-1.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

Link Following vulnerability report

high severity

Integer Overflow or Wraparound

Vulnerable module: dav1d/libdav1d6
Introduced through: dav1d/libdav1d6@1.0.0-2
Fixed in: 1.0.0-2+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › dav1d/libdav1d6@1.0.0-2

NVD Description

Note: Versions mentioned in the description apply only to the upstream dav1d package and not the dav1d package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. We recommend upgrading past version 1.4.0 of dav1d.

Remediation

Upgrade Debian:12 dav1d to version 1.0.0-2+deb12u1 or higher.

References

Integer Overflow or Wraparound vulnerability report

high severity

Out-of-bounds Write

Vulnerable module: libde265/libde265-0
Introduced through: libde265/libde265-0@1.0.11-1
Fixed in: 1.0.11-1+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › libde265/libde265-0@1.0.11-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libde265 package and not the libde265 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at motion.cc.

Remediation

Upgrade Debian:12 libde265 to version 1.0.11-1+deb12u1 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Out-of-bounds Write

Vulnerable module: libde265/libde265-0
Introduced through: libde265/libde265-0@1.0.11-1
Fixed in: 1.0.11-1+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › libde265/libde265-0@1.0.11-1

NVD Description

Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at slice.cc.

Remediation

Upgrade Debian:12 libde265 to version 1.0.11-1+deb12u2 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Out-of-bounds Write

Vulnerable module: libde265/libde265-0
Introduced through: libde265/libde265-0@1.0.11-1
Fixed in: 1.0.11-1+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › libde265/libde265-0@1.0.11-1

NVD Description

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_candidates function at motion.cc.

Remediation

Upgrade Debian:12 libde265 to version 1.0.11-1+deb12u2 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Out-of-bounds Write

Vulnerable module: libde265/libde265-0
Introduced through: libde265/libde265-0@1.0.11-1
Fixed in: 1.0.11-1+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › libde265/libde265-0@1.0.11-1

NVD Description

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function at motion.cc.

Remediation

Upgrade Debian:12 libde265 to version 1.0.11-1+deb12u2 or higher.

References

Out-of-bounds Write vulnerability report

high severity

CVE-2023-49462

Vulnerable module: libheif/libheif1
Introduced through: libheif/libheif1@1.15.1-1
Fixed in: 1.15.1-1+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › libheif/libheif1@1.15.1-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libheif package and not the libheif package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libheif v1.17.5 was discovered to contain a segmentation violation via the component /libheif/exif.cc.

Remediation

Upgrade Debian:12 libheif to version 1.15.1-1+deb12u1 or higher.

References

CVE-2023-49462 vulnerability report

high severity

Out-of-bounds Write

Vulnerable module: libwebp/libwebp-dev
Introduced through: libwebp/libwebp-dev@1.2.4-0.2, libwebp/libwebp7@1.2.4-0.2 and others
Fixed in: 1.2.4-0.2+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › libwebp/libwebp-dev@1.2.4-0.2
Introduced through: node@18.16.1-bookworm › libwebp/libwebp7@1.2.4-0.2
Introduced through: node@18.16.1-bookworm › libwebp/libwebpdemux2@1.2.4-0.2
Introduced through: node@18.16.1-bookworm › libwebp/libwebpmux3@1.2.4-0.2

…and 1 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream libwebp package and not the libwebp package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Remediation

Upgrade Debian:12 libwebp to version 1.2.4-0.2+deb12u1 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Externally Controlled Reference to a Resource in Another Sphere

Vulnerable module: postgresql-15/libpq-dev
Introduced through: postgresql-15/libpq-dev@15.3-0+deb12u1 and postgresql-15/libpq5@15.3-0+deb12u1
Fixed in: 15.9-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › postgresql-15/libpq-dev@15.3-0+deb12u1
Introduced through: node@18.16.1-bookworm › postgresql-15/libpq5@15.3-0+deb12u1

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-15 package and not the postgresql-15 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.9-0+deb12u1 or higher.

References

Externally Controlled Reference to a Resource in Another Sphere vulnerability report

high severity

Integer Overflow or Wraparound

Vulnerable module: postgresql-15/libpq-dev
Introduced through: postgresql-15/libpq-dev@15.3-0+deb12u1 and postgresql-15/libpq5@15.3-0+deb12u1
Fixed in: 15.5-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › postgresql-15/libpq-dev@15.3-0+deb12u1
Introduced through: node@18.16.1-bookworm › postgresql-15/libpq5@15.3-0+deb12u1

NVD Description

A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.5-0+deb12u1 or higher.

References

Integer Overflow or Wraparound vulnerability report

high severity

SQL Injection

Vulnerable module: postgresql-15/libpq-dev
Introduced through: postgresql-15/libpq-dev@15.3-0+deb12u1 and postgresql-15/libpq5@15.3-0+deb12u1
Fixed in: 15.5-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › postgresql-15/libpq-dev@15.3-0+deb12u1
Introduced through: node@18.16.1-bookworm › postgresql-15/libpq5@15.3-0+deb12u1

NVD Description

IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.5-0+deb12u1 or higher.

References

SQL Injection vulnerability report

high severity

Buffer Overflow

Vulnerable module: libde265/libde265-0
Introduced through: libde265/libde265-0@1.0.11-1
Fixed in: 1.0.11-1+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › libde265/libde265-0@1.0.11-1

NVD Description

Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameters in the function pic_parameter_set::dump.

Remediation

Upgrade Debian:12 libde265 to version 1.0.11-1+deb12u1 or higher.

References

Buffer Overflow vulnerability report

high severity

Out-of-bounds Read

Vulnerable module: libheif/libheif1
Introduced through: libheif/libheif1@1.15.1-1
Fixed in: 1.15.1-1+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › libheif/libheif1@1.15.1-1

NVD Description

In Libheif 1.17.6, insufficient checks in ImageOverlay::parse() decoding a heif file containing an overlay image with forged offsets can lead to an out-of-bounds read and write.

Remediation

Upgrade Debian:12 libheif to version 1.15.1-1+deb12u1 or higher.

References

Out-of-bounds Read vulnerability report

high severity

Code Injection

Vulnerable module: node
Introduced through: node@18.16.1

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Code Injection due to the incorrect handling of environment variables on Linux when the process is running with elevated privileges that the current user lacks (does not apply to CAP_NET_BIND_SERVICE).

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

Code Injection vulnerability report

high severity

Race Condition

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:9.2p1-2
Fixed in: 1:9.2p1-2+deb12u3

Detailed paths

Introduced through: node@18.16.1-bookworm › openssh/openssh-client@1:9.2p1-2

NVD Description

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

Remediation

Upgrade Debian:12 openssh to version 1:9.2p1-2+deb12u3 or higher.

References

Race Condition vulnerability report

high severity

CVE-2024-0985

Vulnerable module: postgresql-15/libpq-dev
Introduced through: postgresql-15/libpq-dev@15.3-0+deb12u1 and postgresql-15/libpq5@15.3-0+deb12u1
Fixed in: 15.6-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › postgresql-15/libpq-dev@15.3-0+deb12u1
Introduced through: node@18.16.1-bookworm › postgresql-15/libpq5@15.3-0+deb12u1

NVD Description

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.6-0+deb12u1 or higher.

References

CVE-2024-0985 vulnerability report

high severity

Out-of-bounds Write

Vulnerable module: gdk-pixbuf/gir1.2-gdkpixbuf-2.0
Introduced through: gdk-pixbuf/gir1.2-gdkpixbuf-2.0@2.42.10+dfsg-1+b1, gdk-pixbuf/libgdk-pixbuf-2.0-0@2.42.10+dfsg-1+b1 and others
Fixed in: 2.42.10+dfsg-1+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › gdk-pixbuf/gir1.2-gdkpixbuf-2.0@2.42.10+dfsg-1+b1
Introduced through: node@18.16.1-bookworm › gdk-pixbuf/libgdk-pixbuf-2.0-0@2.42.10+dfsg-1+b1
Introduced through: node@18.16.1-bookworm › gdk-pixbuf/libgdk-pixbuf-2.0-dev@2.42.10+dfsg-1+b1
Introduced through: node@18.16.1-bookworm › gdk-pixbuf/libgdk-pixbuf2.0-bin@2.42.10+dfsg-1+b1
Introduced through: node@18.16.1-bookworm › gdk-pixbuf/libgdk-pixbuf2.0-common@2.42.10+dfsg-1

…and 2 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream gdk-pixbuf package and not the gdk-pixbuf package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c.

Remediation

Upgrade Debian:12 gdk-pixbuf to version 2.42.10+dfsg-1+deb12u1 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Arbitrary Code Injection

Vulnerable module: git
Introduced through: git@1:2.39.2-1.1 and git/git-man@1:2.39.2-1.1
Fixed in: 1:2.39.5-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › git@1:2.39.2-1.1
Introduced through: node@18.16.1-bookworm › git/git-man@1:2.39.2-1.1

NVD Description

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters can used to exploit a bug in config.c::git_config_copy_or_rename_section_in_file(). This bug can be used to inject arbitrary configuration into a user's $GIT_DIR/config when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

Arbitrary Code Injection vulnerability report

high severity

Out-of-bounds Write

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others
Fixed in: 2.36-9+deb12u3

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u3 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Out-of-bounds Write

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others
Fixed in: 2.36-9+deb12u4

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u4 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Integer Overflow or Wraparound

Vulnerable module: libx11/libx11-6
Introduced through: libx11/libx11-6@2:1.8.4-2+deb12u1, libx11/libx11-data@2:1.8.4-2+deb12u1 and others
Fixed in: 2:1.8.4-2+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › libx11/libx11-6@2:1.8.4-2+deb12u1
Introduced through: node@18.16.1-bookworm › libx11/libx11-data@2:1.8.4-2+deb12u1
Introduced through: node@18.16.1-bookworm › libx11/libx11-dev@2:1.8.4-2+deb12u1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libx11 package and not the libx11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.

Remediation

Upgrade Debian:12 libx11 to version 2:1.8.4-2+deb12u2 or higher.

References

Integer Overflow or Wraparound vulnerability report

high severity

Out-of-bounds Write

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2
Fixed in: 2.5.0-2+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjpeg2 package and not the openjpeg2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg.

Remediation

Upgrade Debian:12 openjpeg2 to version 2.5.0-2+deb12u1 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Out-of-bounds Write

Vulnerable module: perl
Introduced through: perl@5.36.0-7, perl/libperl5.36@5.36.0-7 and others
Fixed in: 5.36.0-7+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › perl@5.36.0-7
Introduced through: node@18.16.1-bookworm › perl/libperl5.36@5.36.0-7
Introduced through: node@18.16.1-bookworm › perl/perl-base@5.36.0-7
Introduced through: node@18.16.1-bookworm › perl/perl-modules-5.36@5.36.0-7

…and 1 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.

Remediation

Upgrade Debian:12 perl to version 5.36.0-7+deb12u1 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Arbitrary Command Injection

Vulnerable module: python3.11
Introduced through: python3.11@3.11.2-6, python3.11/libpython3.11-minimal@3.11.2-6 and others
Fixed in: 3.11.2-6+deb12u5

Detailed paths

Introduced through: node@18.16.1-bookworm › python3.11@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-minimal@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-stdlib@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/python3.11-minimal@3.11.2-6

…and 1 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u5 or higher.

References

Arbitrary Command Injection vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

Vulnerable module: curl
Introduced through: curl@7.88.1-10, curl/libcurl3-gnutls@7.88.1-10 and others
Fixed in: 7.88.1-10+deb12u3

Detailed paths

Introduced through: node@18.16.1-bookworm › curl@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl3-gnutls@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4-openssl-dev@7.88.1-10

…and 1 more

NVD Description

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API.

However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

Remediation

Upgrade Debian:12 curl to version 7.88.1-10+deb12u3 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

XML External Entity (XXE) Injection

Vulnerable module: expat/libexpat1
Introduced through: expat/libexpat1@2.5.0-1 and expat/libexpat1-dev@2.5.0-1
Fixed in: 2.5.0-1+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › expat/libexpat1@2.5.0-1
Introduced through: node@18.16.1-bookworm › expat/libexpat1-dev@2.5.0-1

NVD Description

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.

Remediation

Upgrade Debian:12 expat to version 2.5.0-1+deb12u1 or higher.

References

XML External Entity (XXE) Injection vulnerability report

high severity

Directory Traversal

Vulnerable module: git
Introduced through: git@1:2.39.2-1.1 and git/git-man@1:2.39.2-1.1
Fixed in: 1:2.39.5-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › git@1:2.39.2-1.1
Introduced through: node@18.16.1-bookworm › git/git-man@1:2.39.2-1.1

NVD Description

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using git apply with --reject when applying patches from an untrusted source. Use git apply --stat to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the *.rej file exists.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

Directory Traversal vulnerability report

high severity

Out-of-bounds Write

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others
Fixed in: 2.36-9+deb12u4

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u4 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Improper Verification of Cryptographic Signature

Vulnerable module: gnutls28/libgnutls30
Introduced through: gnutls28/libgnutls30@3.7.9-2
Fixed in: 3.7.9-2+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › gnutls28/libgnutls30@3.7.9-2

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u2 or higher.

References

Improper Verification of Cryptographic Signature vulnerability report

high severity

Information Exposure

Vulnerable module: gnutls28/libgnutls30
Introduced through: gnutls28/libgnutls30@3.7.9-2
Fixed in: 3.7.9-2+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › gnutls28/libgnutls30@3.7.9-2

NVD Description

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u2 or higher.

References

Information Exposure vulnerability report

high severity

Out-of-bounds Write

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1.6, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6 and others
Fixed in: 8:6.9.11.60+dfsg-1.6+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › imagemagick@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.6

…and 10 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/tiff.c. This issue is due to an incorrect setting of the pixel array size, which can lead to a crash and segmentation fault.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u1 or higher.

References

Out-of-bounds Write vulnerability report

high severity

CVE-2024-37370

Vulnerable module: krb5/krb5-multidev
Introduced through: krb5/krb5-multidev@1.20.1-2, krb5/libgssapi-krb5-2@1.20.1-2 and others
Fixed in: 1.20.1-2+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › krb5/krb5-multidev@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libgssapi-krb5-2@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libgssrpc4@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libk5crypto3@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkadm5clnt-mit12@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkadm5srv-mit12@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkdb5-10@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5-3@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5-dev@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5support0@1.20.1-2

…and 7 more

NVD Description

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

Remediation

Upgrade Debian:12 krb5 to version 1.20.1-2+deb12u2 or higher.

References

CVE-2024-37370 vulnerability report

high severity

CVE-2025-27113

Vulnerable module: libxml2
Introduced through: libxml2@2.9.14+dfsg-1.2 and libxml2/libxml2-dev@2.9.14+dfsg-1.2

Detailed paths

Introduced through: node@18.16.1-bookworm › libxml2@2.9.14+dfsg-1.2
Introduced through: node@18.16.1-bookworm › libxml2/libxml2-dev@2.9.14+dfsg-1.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.

Remediation

There is no fixed version for Debian:12 libxml2.

References

CVE-2025-27113 vulnerability report

high severity

NULL Pointer Dereference

Vulnerable module: libxml2
Introduced through: libxml2@2.9.14+dfsg-1.2 and libxml2/libxml2-dev@2.9.14+dfsg-1.2
Fixed in: 2.9.14+dfsg-1.3~deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › libxml2@2.9.14+dfsg-1.2
Introduced through: node@18.16.1-bookworm › libxml2/libxml2-dev@2.9.14+dfsg-1.2

NVD Description

NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u1 or higher.

References

NULL Pointer Dereference vulnerability report

high severity

CVE-2023-44487

Vulnerable module: nghttp2/libnghttp2-14
Introduced through: nghttp2/libnghttp2-14@1.52.0-1
Fixed in: 1.52.0-1+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › nghttp2/libnghttp2-14@1.52.0-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream nghttp2 package and not the nghttp2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Remediation

Upgrade Debian:12 nghttp2 to version 1.52.0-1+deb12u1 or higher.

References

CVE-2023-44487 vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

Vulnerable module: node
Introduced through: node@18.16.1

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which allows an attacker to cause denial of service via CPU and network bandwidth exhaustion.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

Vulnerable module: node
Introduced through: node@18.16.1

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a race condition in Http2Session when nghttp2 data is left in memory after a connection is reset while processing HTTP/2 CONTINUATION frames. An attacker can cause denial of service by sending such frames then triggering the Http2Session destructor.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

Two common types of DoS vulnerabilities:

High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 18.20.1, 20.12.1, 21.7.2 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Arbitrary Code Injection

Vulnerable module: node
Introduced through: node@18.16.1
Fixed in: 18.17.1

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Arbitrary Code Injection. The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') to run arbitrary code, outside of the limits defined in a policy.json file.

Note:

At the time this advisory was issued, the policy is an experimental feature of Node.js, which is not enabled by default.

Remediation

Upgrade node to version 16.20.2, 18.17.1, 20.5.1 or higher.

References

Arbitrary Code Injection vulnerability report

high severity

CVE-2023-5363

Vulnerable module: openssl
Introduced through: openssl@3.0.9-1, openssl/libssl-dev@3.0.9-1 and others
Fixed in: 3.0.11-1~deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › openssl@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl-dev@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl3@3.0.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers.

Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes.

When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.

For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse.

Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical.

Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary.

OpenSSL 3.1 and 3.0 are vulnerable to this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.11-1~deb12u2 or higher.

References

CVE-2023-5363 vulnerability report

high severity

Time-of-check Time-of-use (TOCTOU)

Vulnerable module: postgresql-15/libpq-dev
Introduced through: postgresql-15/libpq-dev@15.3-0+deb12u1 and postgresql-15/libpq5@15.3-0+deb12u1
Fixed in: 15.8-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › postgresql-15/libpq-dev@15.3-0+deb12u1
Introduced through: node@18.16.1-bookworm › postgresql-15/libpq5@15.3-0+deb12u1

NVD Description

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.8-0+deb12u1 or higher.

References

Time-of-check Time-of-use (TOCTOU) vulnerability report

high severity

Improper Input Validation

Vulnerable module: python3.11
Introduced through: python3.11@3.11.2-6, python3.11/libpython3.11-minimal@3.11.2-6 and others
Fixed in: 3.11.2-6+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › python3.11@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-minimal@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-stdlib@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/python3.11-minimal@3.11.2-6

…and 1 more

NVD Description

An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u2 or higher.

References

Improper Input Validation vulnerability report

high severity

Inefficient Regular Expression Complexity

Vulnerable module: python3.11
Introduced through: python3.11@3.11.2-6, python3.11/libpython3.11-minimal@3.11.2-6 and others
Fixed in: 3.11.2-6+deb12u5

Detailed paths

Introduced through: node@18.16.1-bookworm › python3.11@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-minimal@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-stdlib@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/python3.11-minimal@3.11.2-6

…and 1 more

NVD Description

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module.

When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u5 or higher.

References

Inefficient Regular Expression Complexity vulnerability report

high severity

Inefficient Regular Expression Complexity

Vulnerable module: python3.11
Introduced through: python3.11@3.11.2-6, python3.11/libpython3.11-minimal@3.11.2-6 and others
Fixed in: 3.11.2-6+deb12u4

Detailed paths

Introduced through: node@18.16.1-bookworm › python3.11@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-minimal@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-stdlib@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/python3.11-minimal@3.11.2-6

…and 1 more

NVD Description

There is a MEDIUM severity vulnerability affecting CPython.

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u4 or higher.

References

Inefficient Regular Expression Complexity vulnerability report

high severity

Untrusted Search Path

Vulnerable module: python3.11
Introduced through: python3.11@3.11.2-6, python3.11/libpython3.11-minimal@3.11.2-6 and others
Fixed in: 3.11.2-6+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › python3.11@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-minimal@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-stdlib@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/python3.11-minimal@3.11.2-6

…and 1 more

NVD Description

An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u2 or higher.

References

Untrusted Search Path vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

Vulnerable module: systemd/libsystemd0
Introduced through: systemd/libsystemd0@252.6-1 and systemd/libudev1@252.6-1
Fixed in: 252.23-1~deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › systemd/libsystemd0@252.6-1
Introduced through: node@18.16.1-bookworm › systemd/libudev1@252.6-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Remediation

Upgrade Debian:12 systemd to version 252.23-1~deb12u1 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

NULL Pointer Dereference

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others
Fixed in: 4.5.0-6+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A null pointer dereference flaw was found in Libtiff via tif_dirinfo.c. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.

Remediation

Upgrade Debian:12 tiff to version 4.5.0-6+deb12u2 or higher.

References

NULL Pointer Dereference vulnerability report

high severity

Out-of-bounds Write

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others
Fixed in: 4.5.0-6+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.

Remediation

Upgrade Debian:12 tiff to version 4.5.0-6+deb12u2 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Server-Side Request Forgery (SSRF)

Vulnerable module: node
Introduced through: node@18.16.1

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to the handling of the hostname_ascii variable in the uv_getaddrinfo function. Attackers can exploit the creation of addresses that bypass developer checks and resolve to unintended IP addresses, to access internal APIs or for websites that allow users to have username.example.com pages, potentially exposing internal services to attacks.

Notes:

Depending on the build and runtime environment, it can lead to different exploitation scenarios:

The last byte of the hostname is a random value (0-256) but identical in successive calls, and the subsequent byte is a null byte. This situation can be exploited through brute force, especially in production environments where many Node.js instances run in parallel (pm2, kubernetes, etc).

Since the last byte is random, there are cases where it's one of 0-9a-f, which makes 16 possible cases (out of 256) useful for calling localhost (127.0.0.x) and potentially bypassing security measures on internal APIs. The same is true for calling other IP-ranges.

When deployed in an environment with multiple pods (e.g., Kubernetes), is vulnerable to the attack described above, potentially allowing unauthorized access to internal APIs.

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

Server-Side Request Forgery (SSRF) vulnerability report

high severity

Out-of-Bounds

Vulnerable module: sqlite3/libsqlite3-0
Introduced through: sqlite3/libsqlite3-0@3.40.1-2 and sqlite3/libsqlite3-dev@3.40.1-2
Fixed in: 3.40.1-2+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › sqlite3/libsqlite3-0@3.40.1-2
Introduced through: node@18.16.1-bookworm › sqlite3/libsqlite3-dev@3.40.1-2

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.

Remediation

Upgrade Debian:12 sqlite3 to version 3.40.1-2+deb12u1 or higher.

References

Out-of-Bounds vulnerability report

high severity

Improper Control of Generation of Code ('Code Injection')

Vulnerable module: node
Introduced through: node@18.16.1

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to the improper handling of batch files in child_process.spawn or child_process.spawnSync. An attacker can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

Note: This vulnerability only affects Windows machines.

Remediation

Upgrade node to version 18.20.2, 20.12.2, 21.7.3 or higher.

References

Improper Control of Generation of Code ('Code Injection') vulnerability report

medium severity

Access Restriction Bypass

Vulnerable module: node
Introduced through: node@18.16.1

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Access Restriction Bypass by embedding non-network imports in data URLs. Exploiting this vulnerability allows an attacker to execute arbitrary code, compromising system security.

Remediation

Upgrade node to version 18.20.4, 20.15.1, 22.4.1 or higher.

References

Access Restriction Bypass vulnerability report

medium severity

Improper Control of Generation of Code ('Code Injection')

Vulnerable module: node
Introduced through: node@18.16.1

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection'). This is due to a bypass of CVE-2024-27980.

A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

Note: This vulnerability affects only users of child_process.spawn and child_process.spawnSync on Windows in all active release lines.

Remediation

Upgrade node to version 18.20.4, 20.15.1, 22.4.1 or higher.

References

Improper Control of Generation of Code ('Code Injection') vulnerability report

medium severity

Detection of Error Condition Without Action

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:9.2p1-2
Fixed in: 1:9.2p1-2+deb12u5

Detailed paths

Introduced through: node@18.16.1-bookworm › openssh/openssh-client@1:9.2p1-2

NVD Description

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

Remediation

Upgrade Debian:12 openssh to version 1:9.2p1-2+deb12u5 or higher.

References

Detection of Error Condition Without Action vulnerability report

medium severity

CVE-2023-46218

Vulnerable module: curl
Introduced through: curl@7.88.1-10, curl/libcurl3-gnutls@7.88.1-10 and others
Fixed in: 7.88.1-10+deb12u5

Detailed paths

Introduced through: node@18.16.1-bookworm › curl@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl3-gnutls@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4-openssl-dev@7.88.1-10

…and 1 more

NVD Description

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains.

It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with domain=co.UK when the URL used a lower case hostname curl.co.uk, even though co.uk is listed as a PSL domain.

Remediation

Upgrade Debian:12 curl to version 7.88.1-10+deb12u5 or higher.

References

CVE-2023-46218 vulnerability report

medium severity

Insufficient Comparison

Vulnerable module: curl
Introduced through: curl@7.88.1-10, curl/libcurl3-gnutls@7.88.1-10 and others
Fixed in: 7.88.1-10+deb12u9

Detailed paths

Introduced through: node@18.16.1-bookworm › curl@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl3-gnutls@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4-openssl-dev@7.88.1-10

…and 1 more

NVD Description

When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended.

This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform transfers with hosts like x.example.com as well as example.com where the first host is a subdomain of the second host.

(The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.)

When x.example.com responds with Strict-Transport-Security: headers, this bug can make the subdomain's expiry timeout bleed over and get set for the parent domain example.com in curl's HSTS cache.

The result of a triggered bug is that HTTP accesses to example.com get converted to HTTPS for a different period of time than what was asked for by the origin server. If example.com for example stops supporting HTTPS at its expiry time, curl might then fail to access http://example.com until the (wrongly set) timeout expires. This bug can also expire the parent's entry earlier, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.

Remediation

Upgrade Debian:12 curl to version 7.88.1-10+deb12u9 or higher.

References

Insufficient Comparison vulnerability report

medium severity

Out-of-bounds Read

Vulnerable module: curl
Introduced through: curl@7.88.1-10, curl/libcurl3-gnutls@7.88.1-10 and others
Fixed in: 7.88.1-10+deb12u7

Detailed paths

Introduced through: node@18.16.1-bookworm › curl@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl3-gnutls@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4-openssl-dev@7.88.1-10

…and 1 more

NVD Description

libcurl's ASN1 parser code has the GTime2str() function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the time fraction, leading to a strlen() getting performed on a pointer to a heap buffer area that is not (purposely) null terminated.

This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when CURLINFO_CERTINFO is used.

Remediation

Upgrade Debian:12 curl to version 7.88.1-10+deb12u7 or higher.

References

Out-of-bounds Read vulnerability report

medium severity

Out-of-bounds Read

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others
Fixed in: 2.36-9+deb12u3

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u3 or higher.

References

Out-of-bounds Read vulnerability report

medium severity

Access of Uninitialized Pointer

Vulnerable module: krb5/krb5-multidev
Introduced through: krb5/krb5-multidev@1.20.1-2, krb5/libgssapi-krb5-2@1.20.1-2 and others
Fixed in: 1.20.1-2+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › krb5/krb5-multidev@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libgssapi-krb5-2@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libgssrpc4@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libk5crypto3@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkadm5clnt-mit12@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkadm5srv-mit12@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkdb5-10@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5-3@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5-dev@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5support0@1.20.1-2

…and 7 more

NVD Description

lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

Remediation

Upgrade Debian:12 krb5 to version 1.20.1-2+deb12u1 or higher.

References

Access of Uninitialized Pointer vulnerability report

medium severity

Buffer Overflow

Vulnerable module: libde265/libde265-0
Introduced through: libde265/libde265-0@1.0.11-1
Fixed in: 1.0.11-1+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › libde265/libde265-0@1.0.11-1

NVD Description

Buffer Overflow vulnerability in strukturag libde265 v1.10.12 allows a local attacker to cause a denial of service via the slice_segment_header function in the slice.cc component.

Remediation

Upgrade Debian:12 libde265 to version 1.0.11-1+deb12u1 or higher.

References

Buffer Overflow vulnerability report

medium severity

NULL Pointer Dereference

Vulnerable module: libde265/libde265-0
Introduced through: libde265/libde265-0@1.0.11-1
Fixed in: 1.0.11-1+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › libde265/libde265-0@1.0.11-1

NVD Description

Libde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segment_header at decctx.cc.

Remediation

Upgrade Debian:12 libde265 to version 1.0.11-1+deb12u1 or higher.

References

NULL Pointer Dereference vulnerability report

medium severity

Divide By Zero

Vulnerable module: libheif/libheif1
Introduced through: libheif/libheif1@1.15.1-1
Fixed in: 1.15.1-1+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › libheif/libheif1@1.15.1-1

NVD Description

A Segmentation fault caused by a floating point exception exists in libheif 1.15.1 using crafted heif images via the heif::Fraction::round() function in box.cc, which causes a denial of service.

Remediation

Upgrade Debian:12 libheif to version 1.15.1-1+deb12u1 or higher.

References

Divide By Zero vulnerability report

medium severity

Access Restriction Bypass

Vulnerable module: node
Introduced through: node@18.16.1
Fixed in: 18.17.1

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Access Restriction Bypass via the Module._load which can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

Remediation

Upgrade node to version 16.20.2, 18.17.1, 20.5.1 or higher.

References

Access Restriction Bypass vulnerability report

medium severity

Improper Access Control

Vulnerable module: node
Introduced through: node@18.16.1
Fixed in: 18.17.1

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Improper Access Control through the usage of module.constructor.createRequire(), which allows an attacker to bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

Note: This vulnerability affects all users using the experimental policy mechanism.

Remediation

Upgrade node to version 16.20.2, 18.17.1, 20.5.1 or higher.

References

Node.js Advisory

Improper Access Control vulnerability report

medium severity

OS Command Injection

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:9.2p1-2
Fixed in: 1:9.2p1-2+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › openssh/openssh-client@1:9.2p1-2

NVD Description

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.

Remediation

Upgrade Debian:12 openssh to version 1:9.2p1-2+deb12u2 or higher.

References

OS Command Injection vulnerability report

medium severity

Out-of-bounds Write

Vulnerable module: openssl
Introduced through: openssl@3.0.9-1, openssl/libssl-dev@3.0.9-1 and others
Fixed in: 3.0.13-1~deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › openssl@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl-dev@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl3@3.0.9-1

NVD Description

Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions.

Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences.

The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions.

The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service.

The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.13-1~deb12u1 or higher.

References

Out-of-bounds Write vulnerability report

medium severity

Buffer Overflow

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others
Fixed in: 4.5.0-6+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

A flaw was found in libtiff. A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service.

Remediation

Upgrade Debian:12 tiff to version 4.5.0-6+deb12u2 or higher.

References

Buffer Overflow vulnerability report

medium severity

Integer Overflow or Wraparound

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others
Fixed in: 4.5.0-6+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

LibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.

Remediation

Upgrade Debian:12 tiff to version 4.5.0-6+deb12u1 or higher.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Integer Overflow or Wraparound

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others
Fixed in: 4.5.0-6+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

A vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. This flaw allows remote attackers to cause a denial of service or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.

Remediation

Upgrade Debian:12 tiff to version 4.5.0-6+deb12u1 or higher.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Use After Free

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others
Fixed in: 2.36-9+deb12u3

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the nss_gethostbyname2_r and nss_getcanonname_r hooks without implementing the nss*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u3 or higher.

References

Use After Free vulnerability report

medium severity

Information Exposure

Vulnerable module: gnutls28/libgnutls30
Introduced through: gnutls28/libgnutls30@3.7.9-2
Fixed in: 3.7.9-2+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › gnutls28/libgnutls30@3.7.9-2

NVD Description

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u1 or higher.

References

Information Exposure vulnerability report

medium severity

Improper Verification of Cryptographic Signature

Vulnerable module: node
Introduced through: node@18.16.1
Fixed in: 18.18.2

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in checksum comparisons against a trusted manifest, which can be forged by an attacker.

Note:

This vulnerability affects all users using the experimental permission model.

At the time this CVE was issued, the permission model is an experimental feature of Node.js.

Remediation

Upgrade node to version 18.18.2, 20.8.1 or higher.

References

Node.js Release Notes

Improper Verification of Cryptographic Signature vulnerability report

medium severity

Observable Timing Discrepancy

Vulnerable module: node
Introduced through: node@18.16.1

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Observable Timing Discrepancy due to the implementation of PKCS#1 v1.5 padding. An attacker can infer the private key used in the cryptographic operation by observing the time taken to execute cryptographic operations (Marvin).

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

Observable Timing Discrepancy vulnerability report

medium severity

Improper Validation of Integrity Check Value

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:9.2p1-2
Fixed in: 1:9.2p1-2+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › openssh/openssh-client@1:9.2p1-2

NVD Description

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Remediation

Upgrade Debian:12 openssh to version 1:9.2p1-2+deb12u2 or higher.

References

Improper Validation of Integrity Check Value vulnerability report

medium severity

CVE-2023-7008

Vulnerable module: systemd/libsystemd0
Introduced through: systemd/libsystemd0@252.6-1 and systemd/libudev1@252.6-1
Fixed in: 252.21-1~deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › systemd/libsystemd0@252.6-1
Introduced through: node@18.16.1-bookworm › systemd/libudev1@252.6-1

NVD Description

A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.

Remediation

Upgrade Debian:12 systemd to version 252.21-1~deb12u1 or higher.

References

CVE-2023-7008 vulnerability report

medium severity

Heap-based Buffer Overflow

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2
Fixed in: 2.5.0-2+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

A flaw was found in the OpenJPEG project. A heap buffer overflow condition may be triggered when certain options are specified while using the opj_decompress utility. This can lead to an application crash or other undefined behavior.

Remediation

Upgrade Debian:12 openjpeg2 to version 2.5.0-2+deb12u1 or higher.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2
Fixed in: 2.5.0-2+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

Remediation

Upgrade Debian:12 openjpeg2 to version 2.5.0-2+deb12u1 or higher.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Incorrect Permission Assignment for Critical Resource

Vulnerable module: apr/libapr1
Introduced through: apr/libapr1@1.7.2-3
Fixed in: 1.7.2-3+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › apr/libapr1@1.7.2-3

NVD Description

Note: Versions mentioned in the description apply only to the upstream apr package and not the apr package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data.

This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h)

Users are recommended to upgrade to APR version 1.7.5, which fixes this issue.

Remediation

Upgrade Debian:12 apr to version 1.7.2-3+deb12u1 or higher.

References

Incorrect Permission Assignment for Critical Resource vulnerability report

medium severity

Heap-based Buffer Overflow

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1.6, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6 and others
Fixed in: 8:6.9.11.60+dfsg-1.6+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › imagemagick@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.6

…and 10 more

NVD Description

A heap-based buffer overflow issue was discovered in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c. An attacker could pass specially crafted file to convert, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u1 or higher.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Improper Input Validation

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1.6, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6 and others
Fixed in: 8:6.9.11.60+dfsg-1.6+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › imagemagick@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.6

…and 10 more

NVD Description

A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp," resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u1 or higher.

References

Improper Input Validation vulnerability report

medium severity

Integer Overflow or Wraparound

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1.6, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6 and others
Fixed in: 8:6.9.11.60+dfsg-1.6+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › imagemagick@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.6

…and 10 more

NVD Description

A vulnerability was found in ImageMagick. This security flaw ouccers as an undefined behaviors of casting double to size_t in svg, mvg and other coders (recurring bugs of CVE-2022-32546).

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u1 or higher.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Out-of-bounds Write

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1.6, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6 and others
Fixed in: 8:6.9.11.60+dfsg-1.6+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › imagemagick@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.6

…and 10 more

NVD Description

A heap-buffer-overflow flaw was found in ImageMagick’s PushShortPixel() function of quantum-private.h file. This vulnerability is triggered when an attacker passes a specially crafted TIFF image file to ImageMagick for conversion, potentially leading to a denial of service.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u1 or higher.

References

Out-of-bounds Write vulnerability report

medium severity

Out-of-bounds Write

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1.6, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6 and others
Fixed in: 8:6.9.11.60+dfsg-1.6+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › imagemagick@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.6

…and 10 more

NVD Description

A heap buffer overflow issue was found in ImageMagick. When an application processes a malformed TIFF file, it could lead to undefined behavior or a crash causing a denial of service.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u1 or higher.

References

Out-of-bounds Write vulnerability report

medium severity

Out-of-bounds Write

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1.6, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6 and others
Fixed in: 8:6.9.11.60+dfsg-1.6+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › imagemagick@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.6

…and 10 more

NVD Description

A heap-based buffer overflow vulnerability was found in coders/tiff.c in ImageMagick. This issue may allow a local attacker to trick the user into opening a specially crafted file, resulting in an application crash and denial of service.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u1 or higher.

References

Out-of-bounds Write vulnerability report

medium severity

Use After Free

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1.6, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6 and others
Fixed in: 8:6.9.11.60+dfsg-1.6+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › imagemagick@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.6

…and 10 more

NVD Description

A heap use-after-free flaw was found in coders/bmp.c in ImageMagick.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u1 or higher.

References

Use After Free vulnerability report

medium severity

Directory Traversal

Vulnerable module: librsvg/gir1.2-rsvg-2.0
Introduced through: librsvg/gir1.2-rsvg-2.0@2.54.5+dfsg-1, librsvg/librsvg2-2@2.54.5+dfsg-1 and others
Fixed in: 2.54.7+dfsg-1~deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › librsvg/gir1.2-rsvg-2.0@2.54.5+dfsg-1
Introduced through: node@18.16.1-bookworm › librsvg/librsvg2-2@2.54.5+dfsg-1
Introduced through: node@18.16.1-bookworm › librsvg/librsvg2-common@2.54.5+dfsg-1
Introduced through: node@18.16.1-bookworm › librsvg/librsvg2-dev@2.54.5+dfsg-1

…and 1 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream librsvg package and not the librsvg package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.

Remediation

Upgrade Debian:12 librsvg to version 2.54.7+dfsg-1~deb12u1 or higher.

References

Directory Traversal vulnerability report

medium severity

Loop with Unreachable Exit Condition ('Infinite Loop')

Vulnerable module: libx11/libx11-6
Introduced through: libx11/libx11-6@2:1.8.4-2+deb12u1, libx11/libx11-data@2:1.8.4-2+deb12u1 and others
Fixed in: 2:1.8.4-2+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › libx11/libx11-6@2:1.8.4-2+deb12u1
Introduced through: node@18.16.1-bookworm › libx11/libx11-data@2:1.8.4-2+deb12u1
Introduced through: node@18.16.1-bookworm › libx11/libx11-dev@2:1.8.4-2+deb12u1

NVD Description

A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.

Remediation

Upgrade Debian:12 libx11 to version 2:1.8.4-2+deb12u2 or higher.

References

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability report

medium severity

Out-of-bounds Read

Vulnerable module: libx11/libx11-6
Introduced through: libx11/libx11-6@2:1.8.4-2+deb12u1, libx11/libx11-data@2:1.8.4-2+deb12u1 and others
Fixed in: 2:1.8.4-2+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › libx11/libx11-6@2:1.8.4-2+deb12u1
Introduced through: node@18.16.1-bookworm › libx11/libx11-data@2:1.8.4-2+deb12u1
Introduced through: node@18.16.1-bookworm › libx11/libx11-dev@2:1.8.4-2+deb12u1

NVD Description

A vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function. This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on the system.

Remediation

Upgrade Debian:12 libx11 to version 2:1.8.4-2+deb12u2 or higher.

References

Out-of-bounds Read vulnerability report

medium severity

CVE-2023-51384

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:9.2p1-2
Fixed in: 1:9.2p1-2+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › openssh/openssh-client@1:9.2p1-2

NVD Description

In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.

Remediation

Upgrade Debian:12 openssh to version 1:9.2p1-2+deb12u2 or higher.

References

CVE-2023-51384 vulnerability report

medium severity

CVE-2024-0727

Vulnerable module: openssl
Introduced through: openssl@3.0.9-1, openssl/libssl-dev@3.0.9-1 and others
Fixed in: 3.0.13-1~deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › openssl@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl-dev@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl3@3.0.9-1

NVD Description

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack

Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.13-1~deb12u1 or higher.

References

CVE-2024-0727 vulnerability report

medium severity

Out-of-bounds Read

Vulnerable module: tar
Introduced through: tar@1.34+dfsg-1.2
Fixed in: 1.34+dfsg-1.2+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › tar@1.34+dfsg-1.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.

Remediation

Upgrade Debian:12 tar to version 1.34+dfsg-1.2+deb12u1 or higher.

References

Out-of-bounds Read vulnerability report

medium severity

Buffer Overflow

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others
Fixed in: 4.5.0-6+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian.

Remediation

Upgrade Debian:12 tiff to version 4.5.0-6+deb12u2 or higher.

References

Buffer Overflow vulnerability report

medium severity

Buffer Overflow

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others
Fixed in: 4.5.0-6+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV.

Remediation

Upgrade Debian:12 tiff to version 4.5.0-6+deb12u2 or higher.

References

Buffer Overflow vulnerability report

medium severity

Memory Leak

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others
Fixed in: 4.5.0-6+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

A memory leak flaw was found in Libtiff's tiffcrop utility. This issue occurs when tiffcrop operates on a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes this memory leak issue, resulting an application crash, eventually leading to a denial of service.

Remediation

Upgrade Debian:12 tiff to version 4.5.0-6+deb12u1 or higher.

References

Memory Leak vulnerability report

medium severity

NULL Pointer Dereference

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others
Fixed in: 4.5.0-6+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service.

Remediation

Upgrade Debian:12 tiff to version 4.5.0-6+deb12u2 or higher.

References

NULL Pointer Dereference vulnerability report

medium severity

Out-of-bounds Write

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others
Fixed in: 4.5.0-6+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image.

Remediation

Upgrade Debian:12 tiff to version 4.5.0-6+deb12u2 or higher.

References

Out-of-bounds Write vulnerability report

medium severity

CVE-2024-10976

Vulnerable module: postgresql-15/libpq-dev
Introduced through: postgresql-15/libpq-dev@15.3-0+deb12u1 and postgresql-15/libpq5@15.3-0+deb12u1
Fixed in: 15.9-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › postgresql-15/libpq-dev@15.3-0+deb12u1
Introduced through: node@18.16.1-bookworm › postgresql-15/libpq5@15.3-0+deb12u1

NVD Description

Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.9-0+deb12u1 or higher.

References

CVE-2024-10976 vulnerability report

medium severity

Missing Encryption of Sensitive Data

Vulnerable module: curl
Introduced through: curl@7.88.1-10, curl/libcurl3-gnutls@7.88.1-10 and others
Fixed in: 7.88.1-10+deb12u5

Detailed paths

Introduced through: node@18.16.1-bookworm › curl@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl3-gnutls@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4-openssl-dev@7.88.1-10

…and 1 more

NVD Description

When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.

Remediation

Upgrade Debian:12 curl to version 7.88.1-10+deb12u5 or higher.

References

Missing Encryption of Sensitive Data vulnerability report

medium severity

Incorrect Calculation of Buffer Size

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others
Fixed in: 2.36-9+deb12u4

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u4 or higher.

References

Incorrect Calculation of Buffer Size vulnerability report

medium severity

Algorithmic Complexity

Vulnerable module: gnutls28/libgnutls30
Introduced through: gnutls28/libgnutls30@3.7.9-2
Fixed in: 3.7.9-2+deb12u4

Detailed paths

Introduced through: node@18.16.1-bookworm › gnutls28/libgnutls30@3.7.9-2

NVD Description

A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u4 or higher.

References

Algorithmic Complexity vulnerability report

medium severity

Algorithmic Complexity

Vulnerable module: libtasn1-6
Introduced through: libtasn1-6@4.19.0-2
Fixed in: 4.19.0-2+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › libtasn1-6@4.19.0-2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1-6 package and not the libtasn1-6 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack.

Remediation

Upgrade Debian:12 libtasn1-6 to version 4.19.0-2+deb12u1 or higher.

References

Algorithmic Complexity vulnerability report

medium severity

HTTP Request Smuggling

Vulnerable module: node
Introduced through: node@18.16.1

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to HTTP Request Smuggling via content length ofuscation. An attacker can smuggle an HTTP request by including a space before a Content-Length header.

Remediation

Upgrade node to version 18.20.1, 20.12.1, 21.7.2 or higher.

References

HTTP Request Smuggling vulnerability report

medium severity

Excessive Iteration

Vulnerable module: openssl
Introduced through: openssl@3.0.9-1, openssl/libssl-dev@3.0.9-1 and others
Fixed in: 3.0.10-1~deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › openssl@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl-dev@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl3@3.0.9-1

NVD Description

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p.

An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.10-1~deb12u1 or higher.

References

Excessive Iteration vulnerability report

medium severity

Improper Authentication

Vulnerable module: openssl
Introduced through: openssl@3.0.9-1, openssl/libssl-dev@3.0.9-1 and others
Fixed in: 3.0.10-1~deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › openssl@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl-dev@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl3@3.0.9-1

NVD Description

Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence.

Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding or reordering such empty entries as these are ignored by the OpenSSL implementation. We are currently unaware of any such applications.

The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation. The empty data thus will not be authenticated.

As this issue does not affect non-empty associated data authentication and we expect it to be rare for an application to use empty associated data entries this is qualified as Low severity issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.10-1~deb12u1 or higher.

References

Improper Authentication vulnerability report

medium severity

Improper Check for Unusual or Exceptional Conditions

Vulnerable module: openssl
Introduced through: openssl@3.0.9-1, openssl/libssl-dev@3.0.9-1 and others
Fixed in: 3.0.13-1~deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › openssl@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl-dev@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl3@3.0.9-1

NVD Description

Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters.

Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q.

An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().

Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.13-1~deb12u1 or higher.

References

Improper Check for Unusual or Exceptional Conditions vulnerability report

medium severity

Inefficient Regular Expression Complexity

Vulnerable module: openssl
Introduced through: openssl@3.0.9-1, openssl/libssl-dev@3.0.9-1 and others
Fixed in: 3.0.10-1~deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › openssl@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl-dev@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl3@3.0.9-1

NVD Description

Issue summary: Checking excessively long DH keys or parameters may be very slow.

The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length.

However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large.

An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulernable to a Denial of Service attack.

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option.

The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.10-1~deb12u1 or higher.

References

Inefficient Regular Expression Complexity vulnerability report

medium severity

CVE-2023-40217

Vulnerable module: python3.11
Introduced through: python3.11@3.11.2-6, python3.11/libpython3.11-minimal@3.11.2-6 and others
Fixed in: 3.11.2-6+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › python3.11@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-minimal@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-stdlib@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/python3.11-minimal@3.11.2-6

…and 1 more

NVD Description

An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u2 or higher.

References

CVE-2023-40217 vulnerability report

medium severity

Improper Input Validation

Vulnerable module: python3.11
Introduced through: python3.11@3.11.2-6, python3.11/libpython3.11-minimal@3.11.2-6 and others
Fixed in: 3.11.2-6+deb12u5

Detailed paths

Introduced through: node@18.16.1-bookworm › python3.11@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-minimal@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-stdlib@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/python3.11-minimal@3.11.2-6

…and 1 more

NVD Description

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u5 or higher.

References

Improper Input Validation vulnerability report

medium severity

CVE-2023-22084

Vulnerable module: mariadb/libmariadb-dev
Introduced through: mariadb/libmariadb-dev@1:10.11.3-1, mariadb/libmariadb-dev-compat@1:10.11.3-1 and others
Fixed in: 1:10.11.6-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › mariadb/libmariadb-dev@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/libmariadb-dev-compat@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/libmariadb3@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/mariadb-common@1:10.11.3-1

…and 1 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream mariadb package and not the mariadb package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.43 and prior, 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Debian:12 mariadb to version 1:10.11.6-0+deb12u1 or higher.

References

CVE-2023-22084 vulnerability report

medium severity

CVE-2024-21096

Vulnerable module: mariadb/libmariadb-dev
Introduced through: mariadb/libmariadb-dev@1:10.11.3-1, mariadb/libmariadb-dev-compat@1:10.11.3-1 and others
Fixed in: 1:10.11.11-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › mariadb/libmariadb-dev@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/libmariadb-dev-compat@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/libmariadb3@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/mariadb-common@1:10.11.3-1

…and 1 more

NVD Description

Vulnerability in the MySQL Server product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remediation

Upgrade Debian:12 mariadb to version 1:10.11.11-0+deb12u1 or higher.

References

CVE-2024-21096 vulnerability report

medium severity

CVE-2025-21490

Vulnerable module: mariadb/libmariadb-dev
Introduced through: mariadb/libmariadb-dev@1:10.11.3-1, mariadb/libmariadb-dev-compat@1:10.11.3-1 and others
Fixed in: 1:10.11.11-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › mariadb/libmariadb-dev@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/libmariadb-dev-compat@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/libmariadb3@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/mariadb-common@1:10.11.3-1

…and 1 more

NVD Description

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Debian:12 mariadb to version 1:10.11.11-0+deb12u1 or higher.

References

CVE-2025-21490 vulnerability report

medium severity

CVE-2023-5870

Vulnerable module: postgresql-15/libpq-dev
Introduced through: postgresql-15/libpq-dev@15.3-0+deb12u1 and postgresql-15/libpq5@15.3-0+deb12u1
Fixed in: 15.5-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › postgresql-15/libpq-dev@15.3-0+deb12u1
Introduced through: node@18.16.1-bookworm › postgresql-15/libpq5@15.3-0+deb12u1

NVD Description

A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.5-0+deb12u1 or higher.

References

CVE-2023-5870 vulnerability report

medium severity

new

Cross-site Scripting (XSS)

Vulnerable module: mercurial
Introduced through: mercurial@6.3.2-1 and mercurial/mercurial-common@6.3.2-1
Fixed in: 6.3.2-1+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › mercurial@6.3.2-1
Introduced through: node@18.16.1-bookworm › mercurial/mercurial-common@6.3.2-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mercurial package and not the mercurial package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in Mercurial SCM 4.5.3/71.19.145.211. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument cmd leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Remediation

Upgrade Debian:12 mercurial to version 6.3.2-1+deb12u1 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

CVE-2023-5868

Vulnerable module: postgresql-15/libpq-dev
Introduced through: postgresql-15/libpq-dev@15.3-0+deb12u1 and postgresql-15/libpq5@15.3-0+deb12u1
Fixed in: 15.5-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › postgresql-15/libpq-dev@15.3-0+deb12u1
Introduced through: node@18.16.1-bookworm › postgresql-15/libpq5@15.3-0+deb12u1

NVD Description

A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.5-0+deb12u1 or higher.

References

CVE-2023-5868 vulnerability report

medium severity

Insufficient Granularity of Access Control

Vulnerable module: postgresql-15/libpq-dev
Introduced through: postgresql-15/libpq-dev@15.3-0+deb12u1 and postgresql-15/libpq5@15.3-0+deb12u1
Fixed in: 15.5-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › postgresql-15/libpq-dev@15.3-0+deb12u1
Introduced through: node@18.16.1-bookworm › postgresql-15/libpq5@15.3-0+deb12u1

NVD Description

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.5-0+deb12u1 or higher.

References

Insufficient Granularity of Access Control vulnerability report

medium severity

Missing Authorization

Vulnerable module: postgresql-15/libpq-dev
Introduced through: postgresql-15/libpq-dev@15.3-0+deb12u1 and postgresql-15/libpq5@15.3-0+deb12u1
Fixed in: 15.7-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › postgresql-15/libpq-dev@15.3-0+deb12u1
Introduced through: node@18.16.1-bookworm › postgresql-15/libpq5@15.3-0+deb12u1

NVD Description

Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.7-0+deb12u1 or higher.

References

Missing Authorization vulnerability report

medium severity

CVE-2024-10978

Vulnerable module: postgresql-15/libpq-dev
Introduced through: postgresql-15/libpq-dev@15.3-0+deb12u1 and postgresql-15/libpq5@15.3-0+deb12u1
Fixed in: 15.9-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › postgresql-15/libpq-dev@15.3-0+deb12u1
Introduced through: node@18.16.1-bookworm › postgresql-15/libpq5@15.3-0+deb12u1

NVD Description

Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.9-0+deb12u1 or higher.

References

CVE-2024-10978 vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: aom/libaom3
Introduced through: aom/libaom3@3.6.0-1

Detailed paths

Introduced through: node@18.16.1-bookworm › aom/libaom3@3.6.0-1

NVD Description

Increasing the resolution of video frames, while performing a multi-threaded encode, can result in a heap overflow in av1_loop_restoration_dealloc().

Remediation

There is no fixed version for Debian:12 aom.

References

Out-of-bounds Write vulnerability report

low severity

Out-of-Bounds

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:12 glibc.

References

Out-of-Bounds vulnerability report

low severity

OS Command Injection

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1.6, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › imagemagick@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.6

…and 10 more

NVD Description

A vulnerability was found in ImageMagick. This security flaw cause a remote code execution vulnerability in OpenBlob with --enable-pipes configured.

Remediation

There is no fixed version for Debian:12 imagemagick.

References

OS Command Injection vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the pgxtoimage function in jpwl/convert.c. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly remote code execution.

Remediation

There is no fixed version for Debian:12 openjpeg2.

References

Out-of-bounds Write vulnerability report

low severity

CVE-2005-2541

Vulnerable module: tar
Introduced through: tar@1.34+dfsg-1.2

Detailed paths

Introduced through: node@18.16.1-bookworm › tar@1.34+dfsg-1.2

NVD Description

Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.

Remediation

There is no fixed version for Debian:12 tar.

References

CVE-2005-2541 vulnerability report

low severity

Out-of-bounds Read

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

In LibTIFF 4.0.6 and possibly other versions, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, as demonstrated by a heap-based buffer over-read in bmp2tiff. NOTE: mentioning bmp2tiff does not imply that the activation point is in the bmp2tiff.c file (which was removed before the 4.0.7 release).

Remediation

There is no fixed version for Debian:12 tiff.

References

Out-of-bounds Read vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: openexr/libopenexr-3-1-30
Introduced through: openexr/libopenexr-3-1-30@3.1.5-5 and openexr/libopenexr-dev@3.1.5-5

Detailed paths

Introduced through: node@18.16.1-bookworm › openexr/libopenexr-3-1-30@3.1.5-5
Introduced through: node@18.16.1-bookworm › openexr/libopenexr-dev@3.1.5-5

NVD Description

Note: Versions mentioned in the description apply only to the upstream openexr package and not the openexr package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versions v3.2.2 and v3.1.12 of the affected library.

Remediation

There is no fixed version for Debian:12 openexr.

References

Out-of-bounds Write vulnerability report

low severity

CVE-2019-1010023

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:12 glibc.

References

CVE-2019-1010023 vulnerability report

low severity

CVE-2023-49463

Vulnerable module: libheif/libheif1
Introduced through: libheif/libheif1@1.15.1-1

Detailed paths

Introduced through: node@18.16.1-bookworm › libheif/libheif1@1.15.1-1

NVD Description

libheif v1.17.5 was discovered to contain a segmentation violation via the function find_exif_tag at /libheif/exif.cc.

Remediation

There is no fixed version for Debian:12 libheif.

References

CVE-2023-49463 vulnerability report

low severity

Out-of-Bounds

Vulnerable module: libwmf/libwmf-0.2-7
Introduced through: libwmf/libwmf-0.2-7@0.2.12-5.1, libwmf/libwmf-dev@0.2.12-5.1 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › libwmf/libwmf-0.2-7@0.2.12-5.1
Introduced through: node@18.16.1-bookworm › libwmf/libwmf-dev@0.2.12-5.1
Introduced through: node@18.16.1-bookworm › libwmf/libwmflite-0.2-7@0.2.12-5.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libwmf package and not the libwmf package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.

Remediation

There is no fixed version for Debian:12 libwmf.

References

Out-of-Bounds vulnerability report

low severity

Integer Overflow or Wraparound

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

An integer overflow vulnerability was found in tiftoimage function in openjpeg 2.1.2, resulting in heap buffer overflow.

Remediation

There is no fixed version for Debian:12 openjpeg2.

References

Integer Overflow or Wraparound vulnerability report

low severity

Out-of-Bounds

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

An infinite loop vulnerability in tiftoimage that results in heap buffer overflow in convert_32s_C1P1 was found in openjpeg 2.1.2.

Remediation

There is no fixed version for Debian:12 openjpeg2.

References

Out-of-Bounds vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

An issue was discovered in OpenJPEG 2.3.0. Missing checks for header_info.height and header_info.width in the function pnmtoimage in bin/jpwl/convert.c can lead to a heap-based buffer overflow.

Remediation

There is no fixed version for Debian:12 openjpeg2.

References

Out-of-bounds Write vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

An issue was discovered in OpenJPEG 2.3.0. A heap-based buffer overflow was discovered in the function t2_encode_packet in lib/openmj2/t2.c. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly unspecified other impact.

Remediation

There is no fixed version for Debian:12 openjpeg2.

References

Out-of-bounds Write vulnerability report

low severity

Out-of-bounds Read

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff.

Remediation

There is no fixed version for Debian:12 tiff.

References

Out-of-bounds Read vulnerability report

low severity

Use After Free

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue

Remediation

There is no fixed version for Debian:12 tiff.

References

Use After Free vulnerability report

low severity

Improper Certificate Validation

Vulnerable module: perl
Introduced through: perl@5.36.0-7, perl/libperl5.36@5.36.0-7 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › perl@5.36.0-7
Introduced through: node@18.16.1-bookworm › perl/libperl5.36@5.36.0-7
Introduced through: node@18.16.1-bookworm › perl/perl-base@5.36.0-7
Introduced through: node@18.16.1-bookworm › perl/perl-modules-5.36@5.36.0-7

…and 1 more

NVD Description

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

Remediation

There is no fixed version for Debian:12 perl.

References

Improper Certificate Validation vulnerability report

low severity

Improper Certificate Validation

Vulnerable module: perl
Introduced through: perl@5.36.0-7, perl/libperl5.36@5.36.0-7 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › perl@5.36.0-7
Introduced through: node@18.16.1-bookworm › perl/libperl5.36@5.36.0-7
Introduced through: node@18.16.1-bookworm › perl/perl-base@5.36.0-7
Introduced through: node@18.16.1-bookworm › perl/perl-modules-5.36@5.36.0-7

…and 1 more

NVD Description

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

Remediation

There is no fixed version for Debian:12 perl.

References

Improper Certificate Validation vulnerability report

low severity

OS Command Injection

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:9.2p1-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openssh/openssh-client@1:9.2p1-2

NVD Description

scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

Remediation

There is no fixed version for Debian:12 openssh.

References

OS Command Injection vulnerability report

low severity

Out-of-Bounds

Vulnerable module: aom/libaom3
Introduced through: aom/libaom3@3.6.0-1

Detailed paths

Introduced through: node@18.16.1-bookworm › aom/libaom3@3.6.0-1

NVD Description

AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid read memory access via the component assign_frame_buffer_p in av1/common/av1_common_int.h.

Remediation

There is no fixed version for Debian:12 aom.

References

Out-of-Bounds vulnerability report

low severity

Out-of-Bounds

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability, which was classified as problematic, was found in GNU Binutils up to 2.43. This affects the function disassemble_bytes of the file binutils/objdump.c. The manipulation of the argument buf leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 2.44 is able to address this issue. The identifier of the patch is baac6c221e9d69335bf41366a1c7d87d8ab2f893. It is recommended to upgrade the affected component.

Remediation

There is no fixed version for Debian:12 binutils.

References

Out-of-Bounds vulnerability report

low severity

Out-of-Bounds

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

A vulnerability was found in GNU Binutils 2.43. It has been rated as critical. Affected by this issue is the function bfd_putl64 of the file bfd/libbfd.c of the component ld. The manipulation leads to memory corruption. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 2.44 is able to address this issue. It is recommended to upgrade the affected component. The code maintainer explains, that "[t]his bug has been fixed at some point between the 2.43 and 2.44 releases".

Remediation

There is no fixed version for Debian:12 binutils.

References

Out-of-Bounds vulnerability report

low severity

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Vulnerable module: expat/libexpat1
Introduced through: expat/libexpat1@2.5.0-1 and expat/libexpat1-dev@2.5.0-1

Detailed paths

Introduced through: node@18.16.1-bookworm › expat/libexpat1@2.5.0-1
Introduced through: node@18.16.1-bookworm › expat/libexpat1-dev@2.5.0-1

NVD Description

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

Remediation

There is no fixed version for Debian:12 expat.

References

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') vulnerability report

low severity

Resource Exhaustion

Vulnerable module: expat/libexpat1
Introduced through: expat/libexpat1@2.5.0-1 and expat/libexpat1-dev@2.5.0-1

Detailed paths

Introduced through: node@18.16.1-bookworm › expat/libexpat1@2.5.0-1
Introduced through: node@18.16.1-bookworm › expat/libexpat1-dev@2.5.0-1

NVD Description

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

Remediation

There is no fixed version for Debian:12 expat.

References

Resource Exhaustion vulnerability report

low severity

new

Uncontrolled Recursion

Vulnerable module: expat/libexpat1
Introduced through: expat/libexpat1@2.5.0-1 and expat/libexpat1-dev@2.5.0-1

Detailed paths

Introduced through: node@18.16.1-bookworm › expat/libexpat1@2.5.0-1
Introduced through: node@18.16.1-bookworm › expat/libexpat1-dev@2.5.0-1

NVD Description

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

Remediation

There is no fixed version for Debian:12 expat.

References

Uncontrolled Recursion vulnerability report

low severity

Exposure of Resource to Wrong Sphere

Vulnerable module: git
Introduced through: git@1:2.39.2-1.1 and git/git-man@1:2.39.2-1.1

Detailed paths

Introduced through: node@18.16.1-bookworm › git@1:2.39.2-1.1
Introduced through: node@18.16.1-bookworm › git/git-man@1:2.39.2-1.1

NVD Description

The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk.

Remediation

There is no fixed version for Debian:12 git.

References

Exposure of Resource to Wrong Sphere vulnerability report

low severity

Uncontrolled Recursion

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.

Remediation

There is no fixed version for Debian:12 glibc.

References

Uncontrolled Recursion vulnerability report

low severity

Uncontrolled Recursion

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern

Remediation

There is no fixed version for Debian:12 glibc.

References

Uncontrolled Recursion vulnerability report

low severity

Allocation of Resources Without Limits or Throttling

Vulnerable module: harfbuzz/libharfbuzz0b
Introduced through: harfbuzz/libharfbuzz0b@6.0.0+dfsg-3

Detailed paths

Introduced through: node@18.16.1-bookworm › harfbuzz/libharfbuzz0b@6.0.0+dfsg-3

NVD Description

Note: Versions mentioned in the description apply only to the upstream harfbuzz package and not the harfbuzz package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.

Remediation

There is no fixed version for Debian:12 harfbuzz.

References

Allocation of Resources Without Limits or Throttling vulnerability report

low severity

Divide By Zero

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1.6, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › imagemagick@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.6

…and 10 more

NVD Description

A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in sRGBTransformImage() in the MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker processed by an application using ImageMagick. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Debian:12 imagemagick.

References

Divide By Zero vulnerability report

low severity

Out-of-bounds Read

Vulnerable module: jansson/libjansson4
Introduced through: jansson/libjansson4@2.14-2

Detailed paths

Introduced through: node@18.16.1-bookworm › jansson/libjansson4@2.14-2

NVD Description

Note: Versions mentioned in the description apply only to the upstream jansson package and not the jansson package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue was discovered in Jansson through 2.13.1. Due to a parsing error in json_loads, there's an out-of-bounds read-access bug. NOTE: the vendor reports that this only occurs when a programmer fails to follow the API specification

Remediation

There is no fixed version for Debian:12 jansson.

References

Out-of-bounds Read vulnerability report

low severity

Integer Overflow or Wraparound

Vulnerable module: krb5/krb5-multidev
Introduced through: krb5/krb5-multidev@1.20.1-2, krb5/libgssapi-krb5-2@1.20.1-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › krb5/krb5-multidev@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libgssapi-krb5-2@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libgssrpc4@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libk5crypto3@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkadm5clnt-mit12@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkadm5srv-mit12@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkdb5-10@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5-3@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5-dev@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5support0@1.20.1-2

…and 7 more

NVD Description

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

Remediation

There is no fixed version for Debian:12 krb5.

References

Integer Overflow or Wraparound vulnerability report

low severity

Use of a Broken or Risky Cryptographic Algorithm

Vulnerable module: libgcrypt20
Introduced through: libgcrypt20@1.10.1-3

Detailed paths

Introduced through: node@18.16.1-bookworm › libgcrypt20@1.10.1-3

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

Remediation

There is no fixed version for Debian:12 libgcrypt20.

References

Use of a Broken or Risky Cryptographic Algorithm vulnerability report

low severity

Use After Free

Vulnerable module: libxml2
Introduced through: libxml2@2.9.14+dfsg-1.2 and libxml2/libxml2-dev@2.9.14+dfsg-1.2

Detailed paths

Introduced through: node@18.16.1-bookworm › libxml2@2.9.14+dfsg-1.2
Introduced through: node@18.16.1-bookworm › libxml2/libxml2-dev@2.9.14+dfsg-1.2

NVD Description

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Remediation

There is no fixed version for Debian:12 libxml2.

References

Use After Free vulnerability report

low severity

NULL Pointer Dereference

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

There is a NULL Pointer Access in function imagetopnm of convert.c:1943(jp2) of OpenJPEG 2.1.2. image->comps[compno].data is not assigned a value after initialization(NULL). Impact is Denial of Service.

Remediation

There is no fixed version for Debian:12 openjpeg2.

References

NULL Pointer Dereference vulnerability report

low severity

NULL Pointer Dereference

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

There is a NULL pointer dereference in function imagetobmp of convertbmp.c:980 of OpenJPEG 2.1.2. image->comps[0].data is not assigned a value after initialization(NULL). Impact is Denial of Service.

Remediation

There is no fixed version for Debian:12 openjpeg2.

References

NULL Pointer Dereference vulnerability report

low severity

Cryptographic Issues

Vulnerable module: openldap/libldap-2.5-0
Introduced through: openldap/libldap-2.5-0@2.5.13+dfsg-5

Detailed paths

Introduced through: node@18.16.1-bookworm › openldap/libldap-2.5-0@2.5.13+dfsg-5

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.

Remediation

There is no fixed version for Debian:12 openldap.

References

Cryptographic Issues vulnerability report

low severity

NULL Pointer Dereference

Vulnerable module: openldap/libldap-2.5-0
Introduced through: openldap/libldap-2.5-0@2.5.13+dfsg-5

Detailed paths

Introduced through: node@18.16.1-bookworm › openldap/libldap-2.5-0@2.5.13+dfsg-5

NVD Description

A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.

Remediation

There is no fixed version for Debian:12 openldap.

References

NULL Pointer Dereference vulnerability report

low severity

Out-of-Bounds

Vulnerable module: openldap/libldap-2.5-0
Introduced through: openldap/libldap-2.5-0@2.5.13+dfsg-5

Detailed paths

Introduced through: node@18.16.1-bookworm › openldap/libldap-2.5-0@2.5.13+dfsg-5

NVD Description

contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.

Remediation

There is no fixed version for Debian:12 openldap.

References

Out-of-Bounds vulnerability report

low severity

Double Free

Vulnerable module: patch
Introduced through: patch@2.7.6-7

Detailed paths

Introduced through: node@18.16.1-bookworm › patch@2.7.6-7

NVD Description

Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

Remediation

There is no fixed version for Debian:12 patch.

References

Double Free vulnerability report

low severity

NULL Pointer Dereference

Vulnerable module: patch
Introduced through: patch@2.7.6-7

Detailed paths

Introduced through: node@18.16.1-bookworm › patch@2.7.6-7

NVD Description

An issue was discovered in GNU patch through 2.7.6. There is a segmentation fault, associated with a NULL pointer dereference, leading to a denial of service in the intuit_diff_type function in pch.c, aka a "mangled rename" issue.

Remediation

There is no fixed version for Debian:12 patch.

References

NULL Pointer Dereference vulnerability report

low severity

Link Following

Vulnerable module: perl
Introduced through: perl@5.36.0-7, perl/libperl5.36@5.36.0-7 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › perl@5.36.0-7
Introduced through: node@18.16.1-bookworm › perl/libperl5.36@5.36.0-7
Introduced through: node@18.16.1-bookworm › perl/perl-base@5.36.0-7
Introduced through: node@18.16.1-bookworm › perl/perl-modules-5.36@5.36.0-7

…and 1 more

NVD Description

_is_safe in the File::Temp module for Perl does not properly handle symlinks.

Remediation

There is no fixed version for Debian:12 perl.

References

Link Following vulnerability report

low severity

Missing Release of Resource after Effective Lifetime

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue

Remediation

There is no fixed version for Debian:12 tiff.

References

Missing Release of Resource after Effective Lifetime vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.

Remediation

There is no fixed version for Debian:12 tiff.

References

Out-of-bounds Write vulnerability report

low severity

CVE-2008-1687

Vulnerable module: m4
Introduced through: m4@1.4.19-3

Detailed paths

Introduced through: node@18.16.1-bookworm › m4@1.4.19-3

NVD Description

Note: Versions mentioned in the description apply only to the upstream m4 package and not the m4 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do not quote their output when a file is created, which might allow context-dependent attackers to trigger a macro expansion, leading to unspecified use of an incorrect filename.

Remediation

There is no fixed version for Debian:12 m4.

References

CVE-2008-1687 vulnerability report

low severity

CVE-2008-1688

Vulnerable module: m4
Introduced through: m4@1.4.19-3

Detailed paths

Introduced through: node@18.16.1-bookworm › m4@1.4.19-3

NVD Description

Unspecified vulnerability in GNU m4 before 1.4.11 might allow context-dependent attackers to execute arbitrary code, related to improper handling of filenames specified with the -F option. NOTE: it is not clear when this issue crosses privilege boundaries.

Remediation

There is no fixed version for Debian:12 m4.

References

CVE-2008-1688 vulnerability report

low severity

CVE-2023-51767

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:9.2p1-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openssh/openssh-client@1:9.2p1-2

NVD Description

OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.

Remediation

There is no fixed version for Debian:12 openssh.

References

CVE-2023-51767 vulnerability report

low severity

Inappropriate Encoding for Output Context

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:9.2p1-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openssh/openssh-client@1:9.2p1-2

NVD Description

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

Remediation

There is no fixed version for Debian:12 openssh.

References

Inappropriate Encoding for Output Context vulnerability report

low severity

Out-of-bounds Read

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.

Remediation

There is no fixed version for Debian:12 binutils.

References

Out-of-bounds Read vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

A potential heap based buffer overflow was found in _bfd_elf_slurp_version_tables() in bfd/elf.c. This may lead to loss of availability.

Remediation

There is no fixed version for Debian:12 binutils.

References

Out-of-bounds Write vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.

Remediation

There is no fixed version for Debian:12 binutils.

References

Out-of-bounds Write vulnerability report

low severity

Loop with Unreachable Exit Condition ('Infinite Loop')

Vulnerable module: cairo/libcairo-gobject2
Introduced through: cairo/libcairo-gobject2@1.16.0-7, cairo/libcairo-script-interpreter2@1.16.0-7 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › cairo/libcairo-gobject2@1.16.0-7
Introduced through: node@18.16.1-bookworm › cairo/libcairo-script-interpreter2@1.16.0-7
Introduced through: node@18.16.1-bookworm › cairo/libcairo2@1.16.0-7
Introduced through: node@18.16.1-bookworm › cairo/libcairo2-dev@1.16.0-7

…and 1 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream cairo package and not the cairo package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.

Remediation

There is no fixed version for Debian:12 cairo.

References

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: cairo/libcairo-gobject2
Introduced through: cairo/libcairo-gobject2@1.16.0-7, cairo/libcairo-script-interpreter2@1.16.0-7 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › cairo/libcairo-gobject2@1.16.0-7
Introduced through: node@18.16.1-bookworm › cairo/libcairo-script-interpreter2@1.16.0-7
Introduced through: node@18.16.1-bookworm › cairo/libcairo2@1.16.0-7
Introduced through: node@18.16.1-bookworm › cairo/libcairo2-dev@1.16.0-7

…and 1 more

NVD Description

cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).

Remediation

There is no fixed version for Debian:12 cairo.

References

Out-of-bounds Write vulnerability report

low severity

Reachable Assertion

Vulnerable module: cairo/libcairo-gobject2
Introduced through: cairo/libcairo-gobject2@1.16.0-7, cairo/libcairo-script-interpreter2@1.16.0-7 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › cairo/libcairo-gobject2@1.16.0-7
Introduced through: node@18.16.1-bookworm › cairo/libcairo-script-interpreter2@1.16.0-7
Introduced through: node@18.16.1-bookworm › cairo/libcairo2@1.16.0-7
Introduced through: node@18.16.1-bookworm › cairo/libcairo2-dev@1.16.0-7

…and 1 more

NVD Description

An issue was discovered in cairo 1.16.0. There is an assertion problem in the function _cairo_arc_in_direction in the file cairo-arc.c.

Remediation

There is no fixed version for Debian:12 cairo.

References

Reachable Assertion vulnerability report

low severity

Improper Input Validation

Vulnerable module: coreutils
Introduced through: coreutils@9.1-1

Detailed paths

Introduced through: node@18.16.1-bookworm › coreutils@9.1-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

Remediation

There is no fixed version for Debian:12 coreutils.

References

Improper Input Validation vulnerability report

low severity

Divide By Zero

Vulnerable module: djvulibre/libdjvulibre-dev
Introduced through: djvulibre/libdjvulibre-dev@3.5.28-2+b1, djvulibre/libdjvulibre-text@3.5.28-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › djvulibre/libdjvulibre-dev@3.5.28-2+b1
Introduced through: node@18.16.1-bookworm › djvulibre/libdjvulibre-text@3.5.28-2
Introduced through: node@18.16.1-bookworm › djvulibre/libdjvulibre21@3.5.28-2+b1

NVD Description

Note: Versions mentioned in the description apply only to the upstream djvulibre package and not the djvulibre package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue was discovered IW44EncodeCodec.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero.

Remediation

There is no fixed version for Debian:12 djvulibre.

References

Divide By Zero vulnerability report

low severity

Divide By Zero

Vulnerable module: djvulibre/libdjvulibre-dev
Introduced through: djvulibre/libdjvulibre-dev@3.5.28-2+b1, djvulibre/libdjvulibre-text@3.5.28-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › djvulibre/libdjvulibre-dev@3.5.28-2+b1
Introduced through: node@18.16.1-bookworm › djvulibre/libdjvulibre-text@3.5.28-2
Introduced through: node@18.16.1-bookworm › djvulibre/libdjvulibre21@3.5.28-2+b1

NVD Description

An issue was discovered IW44Image.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero.

Remediation

There is no fixed version for Debian:12 djvulibre.

References

Divide By Zero vulnerability report

low severity

Missing Release of Resource after Effective Lifetime

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1.6, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › imagemagick@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.6

…and 10 more

NVD Description

The WritePICONImage function in coders/xpm.c in ImageMagick 7.0.6-4 allows remote attackers to cause a denial of service (memory leak) via a crafted file that is mishandled in an AcquireSemaphoreInfo call.

Remediation

There is no fixed version for Debian:12 imagemagick.

References

Missing Release of Resource after Effective Lifetime vulnerability report

low severity

Missing Release of Resource after Effective Lifetime

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1.6, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › imagemagick@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.6

…and 10 more

NVD Description

The WritePICONImage function in coders/xpm.c in ImageMagick 7.0.6-4 allows remote attackers to cause a denial of service (memory leak) via a crafted file that is mishandled in an OpenPixelCache call.

Remediation

There is no fixed version for Debian:12 imagemagick.

References

Missing Release of Resource after Effective Lifetime vulnerability report

low severity

Resource Exhaustion

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1.6, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › imagemagick@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.6

…and 10 more

NVD Description

In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.

Remediation

There is no fixed version for Debian:12 imagemagick.

References

Resource Exhaustion vulnerability report

low severity

Out-of-Bounds

Vulnerable module: jbigkit/libjbig-dev
Introduced through: jbigkit/libjbig-dev@2.1-6.1 and jbigkit/libjbig0@2.1-6.1

Detailed paths

Introduced through: node@18.16.1-bookworm › jbigkit/libjbig-dev@2.1-6.1
Introduced through: node@18.16.1-bookworm › jbigkit/libjbig0@2.1-6.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream jbigkit package and not the jbigkit package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack.

Remediation

There is no fixed version for Debian:12 jbigkit.

References

Out-of-Bounds vulnerability report

low severity

Out-of-Bounds

Vulnerable module: libxml2
Introduced through: libxml2@2.9.14+dfsg-1.2 and libxml2/libxml2-dev@2.9.14+dfsg-1.2

Detailed paths

Introduced through: node@18.16.1-bookworm › libxml2@2.9.14+dfsg-1.2
Introduced through: node@18.16.1-bookworm › libxml2/libxml2-dev@2.9.14+dfsg-1.2

NVD Description

Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.

Remediation

There is no fixed version for Debian:12 libxml2.

References

Out-of-Bounds vulnerability report

low severity

Use After Free

Vulnerable module: libxml2
Introduced through: libxml2@2.9.14+dfsg-1.2 and libxml2/libxml2-dev@2.9.14+dfsg-1.2

Detailed paths

Introduced through: node@18.16.1-bookworm › libxml2@2.9.14+dfsg-1.2
Introduced through: node@18.16.1-bookworm › libxml2/libxml2-dev@2.9.14+dfsg-1.2

NVD Description

libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."

Remediation

There is no fixed version for Debian:12 libxml2.

References

Use After Free vulnerability report

low severity

CVE-2023-50495

Vulnerable module: ncurses/libncurses-dev
Introduced through: ncurses/libncurses-dev@6.4-4, ncurses/libncurses5-dev@6.4-4 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › ncurses/libncurses-dev@6.4-4
Introduced through: node@18.16.1-bookworm › ncurses/libncurses5-dev@6.4-4
Introduced through: node@18.16.1-bookworm › ncurses/libncurses6@6.4-4
Introduced through: node@18.16.1-bookworm › ncurses/libncursesw5-dev@6.4-4
Introduced through: node@18.16.1-bookworm › ncurses/libncursesw6@6.4-4
Introduced through: node@18.16.1-bookworm › ncurses/libtinfo6@6.4-4
Introduced through: node@18.16.1-bookworm › ncurses/ncurses-base@6.4-4
Introduced through: node@18.16.1-bookworm › ncurses/ncurses-bin@6.4-4

…and 5 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

Remediation

There is no fixed version for Debian:12 ncurses.

References

CVE-2023-50495 vulnerability report

low severity

Allocation of Resources Without Limits or Throttling

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

An issue was discovered in OpenJPEG 2.3.0. It allows remote attackers to cause a denial of service (attempted excessive memory allocation) in opj_calloc in openjp2/opj_malloc.c, when called from opj_tcd_init_tile in openjp2/tcd.c, as demonstrated by the 64-bit opj_decompress.

Remediation

There is no fixed version for Debian:12 openjpeg2.

References

Allocation of Resources Without Limits or Throttling vulnerability report

low severity

Improper Input Validation

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash).

Remediation

There is no fixed version for Debian:12 openjpeg2.

References

Improper Input Validation vulnerability report

low severity

NULL Pointer Dereference

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

NULL Pointer Access in function imagetopnm of convert.c:2226(jp2) in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file.

Remediation

There is no fixed version for Debian:12 openjpeg2.

References

NULL Pointer Dereference vulnerability report

low severity

NULL Pointer Dereference

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

NULL pointer dereference vulnerabilities in the imagetopnm function in convert.c, sycc444_to_rgb function in color.c, color_esycc_to_rgb function in color.c, and sycc422_to_rgb function in color.c in OpenJPEG before 2.2.0 allow remote attackers to cause a denial of service (application crash) via crafted j2k files.

Remediation

There is no fixed version for Debian:12 openjpeg2.

References

NULL Pointer Dereference vulnerability report

low severity

NULL Pointer Dereference

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

NULL Pointer Access in function imagetopnm of convert.c(jp2):1289 in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file.

Remediation

There is no fixed version for Debian:12 openjpeg2.

References

NULL Pointer Dereference vulnerability report

low severity

Out-of-Bounds

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

Heap Buffer Over-read in function imagetotga of convert.c(jp2):942 in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file.

Remediation

There is no fixed version for Debian:12 openjpeg2.

References

Out-of-Bounds vulnerability report

low severity

Divide By Zero

Vulnerable module: pixman/libpixman-1-0
Introduced through: pixman/libpixman-1-0@0.42.2-1 and pixman/libpixman-1-dev@0.42.2-1

Detailed paths

Introduced through: node@18.16.1-bookworm › pixman/libpixman-1-0@0.42.2-1
Introduced through: node@18.16.1-bookworm › pixman/libpixman-1-dev@0.42.2-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream pixman package and not the pixman package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

stress-test master commit e4c878 was discovered to contain a FPE vulnerability via the component combine_inner at /pixman-combine-float.c.

Remediation

There is no fixed version for Debian:12 pixman.

References

Divide By Zero vulnerability report

low severity

Improper Resource Shutdown or Release

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used.

Remediation

There is no fixed version for Debian:12 tiff.

References

Improper Resource Shutdown or Release vulnerability report

low severity

NULL Pointer Dereference

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

ijg-libjpeg before 9d, as used in tiff2pdf (from LibTIFF) and other products, does not check for a NULL pointer at a certain place in jpeg_fdct_16x16 in jfdctint.c.

Remediation

There is no fixed version for Debian:12 tiff.

References

NULL Pointer Dereference vulnerability report

low severity

Resource Exhaustion

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to TIFFOpen() API may allow a remote attacker to cause a denial of service via a craft input with size smaller than 379 KB.

Remediation

There is no fixed version for Debian:12 tiff.

References

Resource Exhaustion vulnerability report

low severity

Numeric Errors

Vulnerable module: libwmf/libwmf-0.2-7
Introduced through: libwmf/libwmf-0.2-7@0.2.12-5.1, libwmf/libwmf-dev@0.2.12-5.1 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › libwmf/libwmf-0.2-7@0.2.12-5.1
Introduced through: node@18.16.1-bookworm › libwmf/libwmf-dev@0.2.12-5.1
Introduced through: node@18.16.1-bookworm › libwmf/libwmflite-0.2-7@0.2.12-5.1

NVD Description

Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.

Remediation

There is no fixed version for Debian:12 libwmf.

References

Numeric Errors vulnerability report

low severity

Access Restriction Bypass

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:9.2p1-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openssh/openssh-client@1:9.2p1-2

NVD Description

sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.

Remediation

There is no fixed version for Debian:12 openssh.

References

Access Restriction Bypass vulnerability report

low severity

Access Restriction Bypass

Vulnerable module: shadow/login
Introduced through: shadow/login@1:4.13+dfsg1-1+b1 and shadow/passwd@1:4.13+dfsg1-1+b1

Detailed paths

Introduced through: node@18.16.1-bookworm › shadow/login@1:4.13+dfsg1-1+b1
Introduced through: node@18.16.1-bookworm › shadow/passwd@1:4.13+dfsg1-1+b1

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.

Remediation

There is no fixed version for Debian:12 shadow.

References

Access Restriction Bypass vulnerability report

low severity

Out-of-bounds Read

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.

Remediation

There is no fixed version for Debian:12 tiff.

References

Out-of-bounds Read vulnerability report

low severity

Open Redirect

Vulnerable module: wget/wget
Introduced through: wget/wget@1.21.3-1+b2

Detailed paths

Introduced through: node@18.16.1-bookworm › wget/wget@1.21.3-1+b2

NVD Description

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

Remediation

There is no fixed version for Debian:12 wget.

References

Open Redirect vulnerability report

low severity

Out-of-Bounds

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.

Remediation

There is no fixed version for Debian:12 binutils.

References

Out-of-Bounds vulnerability report

low severity

Race Condition

Vulnerable module: dav1d/libdav1d6
Introduced through: dav1d/libdav1d6@1.0.0-2

Detailed paths

Introduced through: node@18.16.1-bookworm › dav1d/libdav1d6@1.0.0-2

NVD Description

VideoLAN dav1d before 1.2.0 has a thread_task.c race condition that can lead to an application crash, related to dav1d_decode_frame_exit.

Remediation

There is no fixed version for Debian:12 dav1d.

References

Race Condition vulnerability report

low severity

Information Exposure

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:9.2p1-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openssh/openssh-client@1:9.2p1-2

NVD Description

The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.

Remediation

There is no fixed version for Debian:12 openssh.

References

Information Exposure vulnerability report

low severity

Out-of-Bounds

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Debian:12 binutils.

References

Out-of-Bounds vulnerability report

low severity

Allocation of Resources Without Limits or Throttling

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).

Remediation

There is no fixed version for Debian:12 binutils.

References

Allocation of Resources Without Limits or Throttling vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for "Create an array for saving the template argument values") that can trigger a heap-based buffer overflow, as demonstrated by nm.

Remediation

There is no fixed version for Debian:12 binutils.

References

Out-of-bounds Write vulnerability report

low severity

Uncontrolled Recursion

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.

Remediation

There is no fixed version for Debian:12 binutils.

References

Uncontrolled Recursion vulnerability report

low severity

NULL Pointer Dereference

Vulnerable module: cairo/libcairo-gobject2
Introduced through: cairo/libcairo-gobject2@1.16.0-7, cairo/libcairo-script-interpreter2@1.16.0-7 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › cairo/libcairo-gobject2@1.16.0-7
Introduced through: node@18.16.1-bookworm › cairo/libcairo-script-interpreter2@1.16.0-7
Introduced through: node@18.16.1-bookworm › cairo/libcairo2@1.16.0-7
Introduced through: node@18.16.1-bookworm › cairo/libcairo2-dev@1.16.0-7

…and 1 more

NVD Description

Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.

Remediation

There is no fixed version for Debian:12 cairo.

References

NULL Pointer Dereference vulnerability report

low severity

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Vulnerable module: expat/libexpat1
Introduced through: expat/libexpat1@2.5.0-1 and expat/libexpat1-dev@2.5.0-1

Detailed paths

Introduced through: node@18.16.1-bookworm › expat/libexpat1@2.5.0-1
Introduced through: node@18.16.1-bookworm › expat/libexpat1-dev@2.5.0-1

NVD Description

libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

Remediation

There is no fixed version for Debian:12 expat.

References

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') vulnerability report

low severity

Uncontrolled Recursion

Vulnerable module: gcc-12
Introduced through: gcc-12@12.2.0-14, gcc-12/cpp-12@12.2.0-14 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › gcc-12@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/cpp-12@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/g++-12@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/gcc-12-base@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libasan8@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libatomic1@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libcc1-0@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libgcc-12-dev@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libgcc-s1@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libgomp1@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libitm1@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/liblsan0@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libquadmath0@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libstdc++-12-dev@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libstdc++6@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libtsan2@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libubsan1@12.2.0-14

…and 14 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream gcc-12 package and not the gcc-12 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

Remediation

There is no fixed version for Debian:12 gcc-12.

References

Uncontrolled Recursion vulnerability report

low severity

CVE-2005-0406

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1.6, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › imagemagick@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.6

…and 10 more

NVD Description

A design flaw in image processing software that modifies JPEG images might not modify the original EXIF thumbnail, which could lead to an information leak of potentially sensitive visual information that had been removed from the main JPEG image.

Remediation

There is no fixed version for Debian:12 imagemagick.

References

CVE-2005-0406 vulnerability report

low severity

Out-of-Bounds

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1.6, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › imagemagick@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.6

…and 10 more

NVD Description

The ReadPCXImage function in coders/pcx.c in ImageMagick 7.0.4.9 allows remote attackers to cause a denial of service (attempted large memory allocation and application crash) via a crafted file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8862 and CVE-2016-8866.

Remediation

There is no fixed version for Debian:12 imagemagick.

References

Out-of-Bounds vulnerability report

low severity

Out-of-bounds Read

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1.6, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › imagemagick@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.6

…and 10 more

NVD Description

The IsPixelMonochrome function in MagickCore/pixel-accessor.h in ImageMagick 7.0.3.0 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted file. NOTE: the vendor says "This is a Q64 issue and we do not support Q64."

Remediation

There is no fixed version for Debian:12 imagemagick.

References

Out-of-bounds Read vulnerability report

low severity

Memory Leak

Vulnerable module: krb5/krb5-multidev
Introduced through: krb5/krb5-multidev@1.20.1-2, krb5/libgssapi-krb5-2@1.20.1-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › krb5/krb5-multidev@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libgssapi-krb5-2@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libgssrpc4@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libk5crypto3@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkadm5clnt-mit12@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkadm5srv-mit12@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkdb5-10@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5-3@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5-dev@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5support0@1.20.1-2

…and 7 more

NVD Description

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

Remediation

There is no fixed version for Debian:12 krb5.

References

Memory Leak vulnerability report

low severity

Buffer Overflow

Vulnerable module: libpng1.6/libpng-dev
Introduced through: libpng1.6/libpng-dev@1.6.39-2 and libpng1.6/libpng16-16@1.6.39-2

Detailed paths

Introduced through: node@18.16.1-bookworm › libpng1.6/libpng-dev@1.6.39-2
Introduced through: node@18.16.1-bookworm › libpng1.6/libpng16-16@1.6.39-2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.

Remediation

There is no fixed version for Debian:12 libpng1.6.

References

Buffer Overflow vulnerability report

low severity

Resource Exhaustion

Vulnerable module: openexr/libopenexr-3-1-30
Introduced through: openexr/libopenexr-3-1-30@3.1.5-5 and openexr/libopenexr-dev@3.1.5-5

Detailed paths

Introduced through: node@18.16.1-bookworm › openexr/libopenexr-3-1-30@3.1.5-5
Introduced through: node@18.16.1-bookworm › openexr/libopenexr-dev@3.1.5-5

NVD Description

Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid

Remediation

There is no fixed version for Debian:12 openexr.

References

Resource Exhaustion vulnerability report

low severity

CVE-2024-22365

Vulnerable module: pam/libpam-modules
Introduced through: pam/libpam-modules@1.5.2-6, pam/libpam-modules-bin@1.5.2-6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › pam/libpam-modules@1.5.2-6
Introduced through: node@18.16.1-bookworm › pam/libpam-modules-bin@1.5.2-6
Introduced through: node@18.16.1-bookworm › pam/libpam-runtime@1.5.2-6
Introduced through: node@18.16.1-bookworm › pam/libpam0g@1.5.2-6

…and 1 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.

Remediation

There is no fixed version for Debian:12 pam.

References

CVE-2024-22365 vulnerability report

low severity

Release of Invalid Pointer or Reference

Vulnerable module: patch
Introduced through: patch@2.7.6-7

Detailed paths

Introduced through: node@18.16.1-bookworm › patch@2.7.6-7

NVD Description

An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

Remediation

There is no fixed version for Debian:12 patch.

References

Release of Invalid Pointer or Reference vulnerability report

low severity

Improper Authentication

Vulnerable module: shadow/login
Introduced through: shadow/login@1:4.13+dfsg1-1+b1 and shadow/passwd@1:4.13+dfsg1-1+b1

Detailed paths

Introduced through: node@18.16.1-bookworm › shadow/login@1:4.13+dfsg1-1+b1
Introduced through: node@18.16.1-bookworm › shadow/passwd@1:4.13+dfsg1-1+b1

NVD Description

A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.

Remediation

There is no fixed version for Debian:12 shadow.

References

Improper Authentication vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

A heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service via a crafted tiff file.

Remediation

There is no fixed version for Debian:12 tiff.

References

Out-of-bounds Write vulnerability report

low severity

Information Exposure

Vulnerable module: util-linux/bsdutils
Introduced through: util-linux/bsdutils@1:2.38.1-5+b1, util-linux/libblkid-dev@2.38.1-5+b1 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › util-linux/bsdutils@1:2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/libblkid-dev@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/libblkid1@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/libmount-dev@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/libmount1@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/libsmartcols1@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/libuuid1@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/mount@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/util-linux@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/util-linux-extra@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/uuid-dev@2.38.1-5+b1

…and 8 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

Remediation

There is no fixed version for Debian:12 util-linux.

References

Information Exposure vulnerability report

low severity

Directory Traversal

Vulnerable module: patch
Introduced through: patch@2.7.6-7

Detailed paths

Introduced through: node@18.16.1-bookworm › patch@2.7.6-7

NVD Description

Directory traversal vulnerability in util.c in GNU patch 2.6.1 and earlier allows user-assisted remote attackers to create or overwrite arbitrary files via a filename that is specified with a .. (dot dot) or full pathname, a related issue to CVE-2010-1679.

Remediation

There is no fixed version for Debian:12 patch.

References

Directory Traversal vulnerability report

low severity

Out-of-Bounds

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

Remediation

There is no fixed version for Debian:12 binutils.

References

Out-of-Bounds vulnerability report

low severity

Out-of-Bounds

Vulnerable module: elfutils/libelf1
Introduced through: elfutils/libelf1@0.188-2.1

Detailed paths

Introduced through: node@18.16.1-bookworm › elfutils/libelf1@0.188-2.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream elfutils package and not the elfutils package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability, which was classified as critical, was found in GNU elfutils 0.192. This affects the function process_symtab of the file readelf.c of the component eu-readelf. The manipulation of the argument D/a leads to buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 5e5c0394d82c53e97750fe7b18023e6f84157b81. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Debian:12 elfutils.

References

Out-of-Bounds vulnerability report

low severity

Out-of-Bounds

Vulnerable module: elfutils/libelf1
Introduced through: elfutils/libelf1@0.188-2.1

Detailed paths

Introduced through: node@18.16.1-bookworm › elfutils/libelf1@0.188-2.1

NVD Description

A vulnerability was found in GNU elfutils 0.192. It has been declared as critical. Affected by this vulnerability is the function dump_data_section/print_string_section of the file readelf.c of the component eu-readelf. The manipulation of the argument z/x leads to buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Debian:12 elfutils.

References

Out-of-Bounds vulnerability report

low severity

Cryptographic Issues

Vulnerable module: glib2.0/libglib2.0-0
Introduced through: glib2.0/libglib2.0-0@2.74.6-2, glib2.0/libglib2.0-bin@2.74.6-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-0@2.74.6-2
Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-bin@2.74.6-2
Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-data@2.74.6-2
Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-dev@2.74.6-2
Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-dev-bin@2.74.6-2

…and 2 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2.0 package and not the glib2.0 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application.

Remediation

There is no fixed version for Debian:12 glib2.0.

References

Cryptographic Issues vulnerability report

low severity

Information Exposure

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:12 glibc.

References

Information Exposure vulnerability report

low severity

Use of Insufficiently Random Values

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability.

Remediation

There is no fixed version for Debian:12 glibc.

References

Use of Insufficiently Random Values vulnerability report

low severity

Resource Management Errors

Vulnerable module: imagemagick
Introduced through: imagemagick@8:6.9.11.60+dfsg-1.6, imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › imagemagick@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6-common@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-arch-config@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-6-extra@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickcore-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6-headers@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-6@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-6.q16-dev@8:6.9.11.60+dfsg-1.6
Introduced through: node@18.16.1-bookworm › imagemagick/libmagickwand-dev@8:6.9.11.60+dfsg-1.6

…and 10 more

NVD Description

Multiple unspecified vulnerabilities in GraphicsMagick before 1.2.4 allow remote attackers to cause a denial of service (crash, infinite loop, or memory consumption) via (a) unspecified vectors in the (1) AVI, (2) AVS, (3) DCM, (4) EPT, (5) FITS, (6) MTV, (7) PALM, (8) RLA, and (9) TGA decoder readers; and (b) the GetImageCharacteristics function in magick/image.c, as reachable from a crafted (10) PNG, (11) JPEG, (12) BMP, or (13) TIFF file.

Remediation

There is no fixed version for Debian:12 imagemagick.

References

Resource Management Errors vulnerability report

low severity

Resource Management Errors

Vulnerable module: libwmf/libwmf-0.2-7
Introduced through: libwmf/libwmf-0.2-7@0.2.12-5.1, libwmf/libwmf-dev@0.2.12-5.1 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › libwmf/libwmf-0.2-7@0.2.12-5.1
Introduced through: node@18.16.1-bookworm › libwmf/libwmf-dev@0.2.12-5.1
Introduced through: node@18.16.1-bookworm › libwmf/libwmflite-0.2-7@0.2.12-5.1

NVD Description

The (a) imagearc and (b) imagefilledarc functions in GD Graphics Library (libgd) before 2.0.35 allow attackers to cause a denial of service (CPU consumption) via a large (1) start or (2) end angle degree value.

Remediation

There is no fixed version for Debian:12 libwmf.

References

Resource Management Errors vulnerability report

low severity

Use of Insufficiently Random Values

Vulnerable module: libxslt/libxslt1-dev
Introduced through: libxslt/libxslt1-dev@1.1.35-1 and libxslt/libxslt1.1@1.1.35-1

Detailed paths

Introduced through: node@18.16.1-bookworm › libxslt/libxslt1-dev@1.1.35-1
Introduced through: node@18.16.1-bookworm › libxslt/libxslt1.1@1.1.35-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.

Remediation

There is no fixed version for Debian:12 libxslt.

References

Use of Insufficiently Random Values vulnerability report

low severity

CVE-2016-20012

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:9.2p1-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openssh/openssh-client@1:9.2p1-2

NVD Description

OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product

Remediation

There is no fixed version for Debian:12 openssh.

References

CVE-2016-20012 vulnerability report

low severity

Improper Authentication

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:9.2p1-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openssh/openssh-client@1:9.2p1-2

NVD Description

OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.

Remediation

There is no fixed version for Debian:12 openssh.

References

Improper Authentication vulnerability report

low severity

Information Exposure

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:9.2p1-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openssh/openssh-client@1:9.2p1-2

NVD Description

Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'

Remediation

There is no fixed version for Debian:12 openssh.

References

Information Exposure vulnerability report

low severity

Improper Validation of Integrity Check Value

Vulnerable module: systemd/libsystemd0
Introduced through: systemd/libsystemd0@252.6-1 and systemd/libudev1@252.6-1

Detailed paths

Introduced through: node@18.16.1-bookworm › systemd/libsystemd0@252.6-1
Introduced through: node@18.16.1-bookworm › systemd/libudev1@252.6-1

NVD Description

An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:12 systemd.

References

Improper Validation of Integrity Check Value vulnerability report

low severity

Improper Validation of Integrity Check Value

Vulnerable module: systemd/libsystemd0
Introduced through: systemd/libsystemd0@252.6-1 and systemd/libudev1@252.6-1

Detailed paths

Introduced through: node@18.16.1-bookworm › systemd/libsystemd0@252.6-1
Introduced through: node@18.16.1-bookworm › systemd/libudev1@252.6-1

NVD Description

An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:12 systemd.

References

Improper Validation of Integrity Check Value vulnerability report

low severity

Improper Validation of Integrity Check Value

Vulnerable module: systemd/libsystemd0
Introduced through: systemd/libsystemd0@252.6-1 and systemd/libudev1@252.6-1

Detailed paths

Introduced through: node@18.16.1-bookworm › systemd/libsystemd0@252.6-1
Introduced through: node@18.16.1-bookworm › systemd/libudev1@252.6-1

NVD Description

An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:12 systemd.

References

Improper Validation of Integrity Check Value vulnerability report

low severity

Out-of-Bounds

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Debian:12 binutils.

References

Out-of-Bounds vulnerability report

low severity

Out-of-Bounds

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Debian:12 binutils.

References

Out-of-Bounds vulnerability report

low severity

Out-of-Bounds

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Debian:12 binutils.

References

Out-of-Bounds vulnerability report

low severity

Out-of-Bounds

Vulnerable module: elfutils/libelf1
Introduced through: elfutils/libelf1@0.188-2.1

Detailed paths

Introduced through: node@18.16.1-bookworm › elfutils/libelf1@0.188-2.1

NVD Description

A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Debian:12 elfutils.

References

Out-of-Bounds vulnerability report

low severity

Improper Input Validation

Vulnerable module: git
Introduced through: git@1:2.39.2-1.1 and git/git-man@1:2.39.2-1.1

Detailed paths

Introduced through: node@18.16.1-bookworm › git@1:2.39.2-1.1
Introduced through: node@18.16.1-bookworm › git/git-man@1:2.39.2-1.1

NVD Description

GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).

Remediation

There is no fixed version for Debian:12 git.

References

Improper Input Validation vulnerability report

low severity

CVE-2023-4039

Vulnerable module: gcc-12
Introduced through: gcc-12@12.2.0-14, gcc-12/cpp-12@12.2.0-14 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › gcc-12@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/cpp-12@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/g++-12@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/gcc-12-base@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libasan8@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libatomic1@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libcc1-0@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libgcc-12-dev@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libgcc-s1@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libgomp1@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libitm1@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/liblsan0@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libquadmath0@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libstdc++-12-dev@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libstdc++6@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libtsan2@12.2.0-14
Introduced through: node@18.16.1-bookworm › gcc-12/libubsan1@12.2.0-14

…and 14 more

NVD Description

DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables.

The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

Remediation

There is no fixed version for Debian:12 gcc-12.

References

CVE-2023-4039 vulnerability report

low severity

Race Condition

Vulnerable module: coreutils
Introduced through: coreutils@9.1-1

Detailed paths

Introduced through: node@18.16.1-bookworm › coreutils@9.1-1

NVD Description

In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.

Remediation

There is no fixed version for Debian:12 coreutils.

References

Race Condition vulnerability report

low severity

Improper Initialization

Vulnerable module: openldap/libldap-2.5-0
Introduced through: openldap/libldap-2.5-0@2.5.13+dfsg-5

Detailed paths

Introduced through: node@18.16.1-bookworm › openldap/libldap-2.5-0@2.5.13+dfsg-5

NVD Description

slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript.

Remediation

There is no fixed version for Debian:12 openldap.

References

Improper Initialization vulnerability report

low severity

Insecure Storage of Sensitive Information

Vulnerable module: pam/libpam-modules
Introduced through: pam/libpam-modules@1.5.2-6, pam/libpam-modules-bin@1.5.2-6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › pam/libpam-modules@1.5.2-6
Introduced through: node@18.16.1-bookworm › pam/libpam-modules-bin@1.5.2-6
Introduced through: node@18.16.1-bookworm › pam/libpam-runtime@1.5.2-6
Introduced through: node@18.16.1-bookworm › pam/libpam0g@1.5.2-6

…and 1 more

NVD Description

A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.

Remediation

There is no fixed version for Debian:12 pam.

References

Insecure Storage of Sensitive Information vulnerability report

low severity

Link Following

Vulnerable module: systemd/libsystemd0
Introduced through: systemd/libsystemd0@252.6-1 and systemd/libudev1@252.6-1

Detailed paths

Introduced through: node@18.16.1-bookworm › systemd/libsystemd0@252.6-1
Introduced through: node@18.16.1-bookworm › systemd/libudev1@252.6-1

NVD Description

systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.

Remediation

There is no fixed version for Debian:12 systemd.

References

Link Following vulnerability report

low severity

Resource Management Errors

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.

Remediation

There is no fixed version for Debian:12 glibc.

References

Resource Management Errors vulnerability report

low severity

Improper Input Validation

Vulnerable module: gnutls28/libgnutls30
Introduced through: gnutls28/libgnutls30@3.7.9-2

Detailed paths

Introduced through: node@18.16.1-bookworm › gnutls28/libgnutls30@3.7.9-2

NVD Description

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

Remediation

There is no fixed version for Debian:12 gnutls28.

References

Improper Input Validation vulnerability report

low severity

Numeric Errors

Vulnerable module: libwmf/libwmf-0.2-7
Introduced through: libwmf/libwmf-0.2-7@0.2.12-5.1, libwmf/libwmf-dev@0.2.12-5.1 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › libwmf/libwmf-0.2-7@0.2.12-5.1
Introduced through: node@18.16.1-bookworm › libwmf/libwmf-dev@0.2.12-5.1
Introduced through: node@18.16.1-bookworm › libwmf/libwmflite-0.2-7@0.2.12-5.1

NVD Description

Array index error in gd_gif_in.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash and heap corruption) via large color index values in crafted image data, which results in a segmentation fault.

Remediation

There is no fixed version for Debian:12 libwmf.

References

Numeric Errors vulnerability report

low severity

Information Exposure

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:9.2p1-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openssh/openssh-client@1:9.2p1-2

NVD Description

OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.

Remediation

There is no fixed version for Debian:12 openssh.

References

Information Exposure vulnerability report

low severity

Memory Leak

Vulnerable module: sqlite3/libsqlite3-0
Introduced through: sqlite3/libsqlite3-0@3.40.1-2 and sqlite3/libsqlite3-dev@3.40.1-2

Detailed paths

Introduced through: node@18.16.1-bookworm › sqlite3/libsqlite3-0@3.40.1-2
Introduced through: node@18.16.1-bookworm › sqlite3/libsqlite3-dev@3.40.1-2

NVD Description

A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.

Remediation

There is no fixed version for Debian:12 sqlite3.

References

Memory Leak vulnerability report

low severity

Improper Certificate Validation

Vulnerable module: openldap/libldap-2.5-0
Introduced through: openldap/libldap-2.5-0@2.5.13+dfsg-5

Detailed paths

Introduced through: node@18.16.1-bookworm › openldap/libldap-2.5-0@2.5.13+dfsg-5

NVD Description

libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.

Remediation

There is no fixed version for Debian:12 openldap.

References

Improper Certificate Validation vulnerability report

low severity

Information Exposure

Vulnerable module: node
Introduced through: node@18.16.1
Fixed in: 18.18.2

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Information Exposure during the Cookie headers handling process. An attacker can potentially leak sensitive information to a third-party site or a malicious actor who can control the redirection target (i.e., an open redirector) by exploiting the disconnect between the spec's assumptions and the implementation of fetch.

Note:

This is only exploitable if the attacker can control the redirection target.

Remediation

Upgrade node to version 18.18.2, 20.8.1 or higher.

References

Information Exposure vulnerability report

low severity

Permissive Cross-domain Policy with Untrusted Domains

Vulnerable module: node
Introduced through: node@18.16.1

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains due to not clearing Proxy-Authentication headers on cross-origin redirects. An attacker can intercept the improperly cleared headers.

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

Permissive Cross-domain Policy with Untrusted Domains vulnerability report

low severity

Improper Verification of Cryptographic Signature

Vulnerable module: apt
Introduced through: apt@2.6.1 and apt/libapt-pkg6.0@2.6.1

Detailed paths

Introduced through: node@18.16.1-bookworm › apt@2.6.1
Introduced through: node@18.16.1-bookworm › apt/libapt-pkg6.0@2.6.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream apt package and not the apt package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.

Remediation

There is no fixed version for Debian:12 apt.

References

Improper Verification of Cryptographic Signature vulnerability report

low severity

Memory Leak

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

A vulnerability classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."

Remediation

There is no fixed version for Debian:12 binutils.

References

Memory Leak vulnerability report

low severity

CVE-2023-38546

Vulnerable module: curl
Introduced through: curl@7.88.1-10, curl/libcurl3-gnutls@7.88.1-10 and others
Fixed in: 7.88.1-10+deb12u4

Detailed paths

Introduced through: node@18.16.1-bookworm › curl@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl3-gnutls@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4-openssl-dev@7.88.1-10

…and 1 more

NVD Description

This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met.

libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers.

libcurl provides a function call that duplicates en easy handle called curl_easy_duphandle.

If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as none (using the four ASCII letters, no quotes).

Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named none - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.

Remediation

Upgrade Debian:12 curl to version 7.88.1-10+deb12u4 or higher.

References

CVE-2023-38546 vulnerability report

low severity

new

Integer Overflow or Wraparound

Vulnerable module: glib2.0/libglib2.0-0
Introduced through: glib2.0/libglib2.0-0@2.74.6-2, glib2.0/libglib2.0-bin@2.74.6-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-0@2.74.6-2
Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-bin@2.74.6-2
Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-data@2.74.6-2
Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-dev@2.74.6-2
Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-dev-bin@2.74.6-2

…and 2 more

NVD Description

A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.

Remediation

There is no fixed version for Debian:12 glib2.0.

References

Integer Overflow or Wraparound vulnerability report

low severity

Insufficient Verification of Data Authenticity

Vulnerable module: postgresql-15/libpq-dev
Introduced through: postgresql-15/libpq-dev@15.3-0+deb12u1 and postgresql-15/libpq5@15.3-0+deb12u1
Fixed in: 15.9-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › postgresql-15/libpq-dev@15.3-0+deb12u1
Introduced through: node@18.16.1-bookworm › postgresql-15/libpq5@15.3-0+deb12u1

NVD Description

Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.9-0+deb12u1 or higher.

References

Insufficient Verification of Data Authenticity vulnerability report

low severity

new

Memory Leak

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Debian:12 binutils.

References

Memory Leak vulnerability report

low severity

Improper Resource Shutdown or Release

Vulnerable module: elfutils/libelf1
Introduced through: elfutils/libelf1@0.188-2.1

Detailed paths

Introduced through: node@18.16.1-bookworm › elfutils/libelf1@0.188-2.1

NVD Description

A vulnerability, which was classified as problematic, has been found in GNU elfutils 0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the component eu-strip. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Debian:12 elfutils.

References

Improper Resource Shutdown or Release vulnerability report

low severity

Improper Resource Shutdown or Release

Vulnerable module: elfutils/libelf1
Introduced through: elfutils/libelf1@0.188-2.1

Detailed paths

Introduced through: node@18.16.1-bookworm › elfutils/libelf1@0.188-2.1

NVD Description

A vulnerability has been found in GNU elfutils 0.192 and classified as problematic. This vulnerability affects the function handle_dynamic_symtab of the file readelf.c of the component eu-read. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is identified as b38e562a4c907e08171c76b8b2def8464d5a104a. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Debian:12 elfutils.

References

Improper Resource Shutdown or Release vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: gnupg2/dirmngr
Introduced through: gnupg2/dirmngr@2.2.40-1.1, gnupg2/gnupg@2.2.40-1.1 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › gnupg2/dirmngr@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gnupg@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gnupg-l10n@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gnupg-utils@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gpg@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gpg-agent@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gpg-wks-client@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gpg-wks-server@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gpgconf@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gpgsm@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gpgv@2.2.40-1.1

…and 8 more

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

Remediation

There is no fixed version for Debian:12 gnupg2.

References

Out-of-bounds Write vulnerability report

low severity

Information Exposure

Vulnerable module: node
Introduced through: node@18.16.1
Fixed in: 18.18.2

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Information Exposure via WebAssembly export names, which can be used to inject JavaScript that can expose data and functions that shouldn't be accessible to the WebAssembly application.

Note:

This vulnerability is exploitable when using the --experimental-wasm-modules CLI option.

Remediation

Upgrade node to version 18.18.2, 20.8.1 or higher.

References

Node.js Release Notes

Information Exposure vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: procps
Introduced through: procps@2:4.0.2-3 and procps/libproc2-0@2:4.0.2-3

Detailed paths

Introduced through: node@18.16.1-bookworm › procps@2:4.0.2-3
Introduced through: node@18.16.1-bookworm › procps/libproc2-0@2:4.0.2-3

NVD Description

Note: Versions mentioned in the description apply only to the upstream procps package and not the procps package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.

Remediation

There is no fixed version for Debian:12 procps.

References

Out-of-bounds Write vulnerability report

low severity

Arbitrary Code Injection

Vulnerable module: shadow/login
Introduced through: shadow/login@1:4.13+dfsg1-1+b1 and shadow/passwd@1:4.13+dfsg1-1+b1

Detailed paths

Introduced through: node@18.16.1-bookworm › shadow/login@1:4.13+dfsg1-1+b1
Introduced through: node@18.16.1-bookworm › shadow/passwd@1:4.13+dfsg1-1+b1

NVD Description

In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.

Remediation

There is no fixed version for Debian:12 shadow.

References

Arbitrary Code Injection vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: tiff/libtiff-dev
Introduced through: tiff/libtiff-dev@4.5.0-6, tiff/libtiff6@4.5.0-6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › tiff/libtiff-dev@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiff6@4.5.0-6
Introduced through: node@18.16.1-bookworm › tiff/libtiffxx6@4.5.0-6

NVD Description

An issue was found in the tiffcp utility distributed by the libtiff package where a crafted TIFF file on processing may cause a heap-based buffer overflow leads to an application crash.

Remediation

There is no fixed version for Debian:12 tiff.

References

Out-of-bounds Write vulnerability report

low severity

NULL Pointer Dereference

Vulnerable module: unzip
Introduced through: unzip@6.0-28

Detailed paths

Introduced through: node@18.16.1-bookworm › unzip@6.0-28

NVD Description

Note: Versions mentioned in the description apply only to the upstream unzip package and not the unzip package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.

Remediation

There is no fixed version for Debian:12 unzip.

References

NULL Pointer Dereference vulnerability report

low severity

Memory Leak

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."

Remediation

There is no fixed version for Debian:12 binutils.

References

Memory Leak vulnerability report

low severity

Memory Leak

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."

Remediation

There is no fixed version for Debian:12 binutils.

References

Memory Leak vulnerability report

low severity

Memory Leak

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."

Remediation

There is no fixed version for Debian:12 binutils.

References

Memory Leak vulnerability report

low severity

Memory Leak

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."

Remediation

There is no fixed version for Debian:12 binutils.

References

Memory Leak vulnerability report

low severity

Out-of-Bounds

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Debian:12 binutils.

References

Out-of-Bounds vulnerability report

low severity

Improper Resource Shutdown or Release

Vulnerable module: elfutils/libelf1
Introduced through: elfutils/libelf1@0.188-2.1

Detailed paths

Introduced through: node@18.16.1-bookworm › elfutils/libelf1@0.188-2.1

NVD Description

A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Debian:12 elfutils.

References

Improper Resource Shutdown or Release vulnerability report

low severity

Authorization Bypass

Vulnerable module: node
Introduced through: node@18.16.1

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Authorization Bypass via fs.fchown or fs.fchmod operations which can use a "read-only" file descriptor to change the owner and permissions of a file.

Note: This is only exploitable for users using the experimental permission when the --allow-fs-write flag is used

Remediation

Upgrade node to version 20.15.1, 22.4.1 or higher.

References

Authorization Bypass vulnerability report

low severity

Authorization Bypass

Vulnerable module: node
Introduced through: node@18.16.1

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Authorization Bypass due to a failure to restrict file stats through the fs.lstat API that allows attackers to retrieve stats from files to which they do not have explicit read access.

Note: This is exploitable only for users of the experimental permission model when the --allow-fs-read flag is used.

Remediation

Upgrade node to version 20.15.1, 22.4.1 or higher.

References

Authorization Bypass vulnerability report

low severity

Improper Handling of Values

Vulnerable module: node
Introduced through: node@18.16.1

Detailed paths

Introduced through: docker-image|node@18.16.1-bookworm › node@18.16.1

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Improper Handling of Values. This is because the Permission Model assumes wrongly that any path starting with two backslashes \ has a four-character prefix that can be ignored.

Note: This vulnerability affects only Windows users of the Node.js Permission Model

Remediation

Upgrade node to version 20.15.1, 22.4.1 or higher.

References

Improper Handling of Values vulnerability report

low severity

Use of Externally-Controlled Format String

Vulnerable module: git
Introduced through: git@1:2.39.2-1.1 and git/git-man@1:2.39.2-1.1
Fixed in: 1:2.39.5-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › git@1:2.39.2-1.1
Introduced through: node@18.16.1-bookworm › git/git-man@1:2.39.2-1.1

NVD Description

In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the gettext() function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path C:\mingw64\share\locale to look for localized messages. And since any authenticated user has the permission to create folders in C:\ (and since C:\mingw64 does not typically exist), it is possible for low-privilege users to place fake messages in that location where git.exe will pick them up in version 2.40.1.

This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a C:\mingw64 folder and leave it empty. Users who have administrative rights may remove the permission to create folders in C:\.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

Use of Externally-Controlled Format String vulnerability report

low severity

CVE-2024-53589

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

GNU objdump 2.43 is vulnerable to Buffer Overflow in the BFD (Binary File Descriptor) library's handling of tekhex format files.

Remediation

There is no fixed version for Debian:12 binutils.

References

CVE-2024-53589 vulnerability report

low severity

CVE-2024-57360

Vulnerable module: binutils
Introduced through: binutils@2.40-2, binutils/binutils-common@2.40-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › binutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-common@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/binutils-x86-64-linux-gnu@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libbinutils@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf-nobfd0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libctf0@2.40-2
Introduced through: node@18.16.1-bookworm › binutils/libgprofng0@2.40-2

…and 4 more

NVD Description

https://www.gnu.org/software/binutils/ nm >=2.43 is affected by: Incorrect Access Control. The type of exploitation is: local. The component is: nm --without-symbol-version function.

Remediation

There is no fixed version for Debian:12 binutils.

References

CVE-2024-57360 vulnerability report

low severity

CVE-2024-11053

Vulnerable module: curl
Introduced through: curl@7.88.1-10, curl/libcurl3-gnutls@7.88.1-10 and others
Fixed in: 7.88.1-10+deb12u10

Detailed paths

Introduced through: node@18.16.1-bookworm › curl@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl3-gnutls@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4-openssl-dev@7.88.1-10

…and 1 more

NVD Description

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

Remediation

Upgrade Debian:12 curl to version 7.88.1-10+deb12u10 or higher.

References

CVE-2024-11053 vulnerability report

low severity

CVE-2024-2004

Vulnerable module: curl
Introduced through: curl@7.88.1-10, curl/libcurl3-gnutls@7.88.1-10 and others
Fixed in: 7.88.1-10+deb12u6

Detailed paths

Introduced through: node@18.16.1-bookworm › curl@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl3-gnutls@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4-openssl-dev@7.88.1-10

…and 1 more

NVD Description

When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.

Remediation

Upgrade Debian:12 curl to version 7.88.1-10+deb12u6 or higher.

References

CVE-2024-2004 vulnerability report

low severity

CVE-2024-2379

Vulnerable module: curl
Introduced through: curl@7.88.1-10, curl/libcurl3-gnutls@7.88.1-10 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › curl@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl3-gnutls@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4-openssl-dev@7.88.1-10

…and 1 more

NVD Description

libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.

Remediation

There is no fixed version for Debian:12 curl.

References

CVE-2024-2379 vulnerability report

low severity

CVE-2024-2398

Vulnerable module: curl
Introduced through: curl@7.88.1-10, curl/libcurl3-gnutls@7.88.1-10 and others
Fixed in: 7.88.1-10+deb12u6

Detailed paths

Introduced through: node@18.16.1-bookworm › curl@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl3-gnutls@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4-openssl-dev@7.88.1-10

…and 1 more

NVD Description

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

Remediation

Upgrade Debian:12 curl to version 7.88.1-10+deb12u6 or higher.

References

CVE-2024-2398 vulnerability report

low severity

CVE-2024-8096

Vulnerable module: curl
Introduced through: curl@7.88.1-10, curl/libcurl3-gnutls@7.88.1-10 and others
Fixed in: 7.88.1-10+deb12u8

Detailed paths

Introduced through: node@18.16.1-bookworm › curl@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl3-gnutls@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4-openssl-dev@7.88.1-10

…and 1 more

NVD Description

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.

Remediation

Upgrade Debian:12 curl to version 7.88.1-10+deb12u8 or higher.

References

CVE-2024-8096 vulnerability report

low severity

CVE-2025-0167

Vulnerable module: curl
Introduced through: curl@7.88.1-10, curl/libcurl3-gnutls@7.88.1-10 and others
Fixed in: 7.88.1-10+deb12u11

Detailed paths

Introduced through: node@18.16.1-bookworm › curl@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl3-gnutls@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4-openssl-dev@7.88.1-10

…and 1 more

NVD Description

When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has a default entry that omits both login and password. A rare circumstance.

Remediation

Upgrade Debian:12 curl to version 7.88.1-10+deb12u11 or higher.

References

CVE-2025-0167 vulnerability report

low severity

CVE-2025-0725

Vulnerable module: curl
Introduced through: curl@7.88.1-10, curl/libcurl3-gnutls@7.88.1-10 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › curl@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl3-gnutls@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4@7.88.1-10
Introduced through: node@18.16.1-bookworm › curl/libcurl4-openssl-dev@7.88.1-10

…and 1 more

NVD Description

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.

Remediation

There is no fixed version for Debian:12 curl.

References

CVE-2025-0725 vulnerability report

low severity

CVE-2024-25260

Vulnerable module: elfutils/libelf1
Introduced through: elfutils/libelf1@0.188-2.1

Detailed paths

Introduced through: node@18.16.1-bookworm › elfutils/libelf1@0.188-2.1

NVD Description

elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.

Remediation

There is no fixed version for Debian:12 elfutils.

References

CVE-2024-25260 vulnerability report

low severity

CVE-2024-50602

Vulnerable module: expat/libexpat1
Introduced through: expat/libexpat1@2.5.0-1 and expat/libexpat1-dev@2.5.0-1

Detailed paths

Introduced through: node@18.16.1-bookworm › expat/libexpat1@2.5.0-1
Introduced through: node@18.16.1-bookworm › expat/libexpat1-dev@2.5.0-1

NVD Description

An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.

Remediation

There is no fixed version for Debian:12 expat.

References

CVE-2024-50602 vulnerability report

low severity

CVE-2025-27363

Vulnerable module: freetype/libfreetype-dev
Introduced through: freetype/libfreetype-dev@2.12.1+dfsg-5, freetype/libfreetype6@2.12.1+dfsg-5 and others
Fixed in: 2.12.1+dfsg-5+deb12u4

Detailed paths

Introduced through: node@18.16.1-bookworm › freetype/libfreetype-dev@2.12.1+dfsg-5
Introduced through: node@18.16.1-bookworm › freetype/libfreetype6@2.12.1+dfsg-5
Introduced through: node@18.16.1-bookworm › freetype/libfreetype6-dev@2.12.1+dfsg-5

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

Remediation

Upgrade Debian:12 freetype to version 2.12.1+dfsg-5+deb12u4 or higher.

References

CVE-2025-27363 vulnerability report

low severity

CVE-2024-32004

Vulnerable module: git
Introduced through: git@1:2.39.2-1.1 and git/git-man@1:2.39.2-1.1
Fixed in: 1:2.39.5-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › git@1:2.39.2-1.1
Introduced through: node@18.16.1-bookworm › git/git-man@1:2.39.2-1.1

NVD Description

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

CVE-2024-32004 vulnerability report

low severity

CVE-2024-32020

Vulnerable module: git
Introduced through: git@1:2.39.2-1.1 and git/git-man@1:2.39.2-1.1
Fixed in: 1:2.39.5-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › git@1:2.39.2-1.1
Introduced through: node@18.16.1-bookworm › git/git-man@1:2.39.2-1.1

NVD Description

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a "proper" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

CVE-2024-32020 vulnerability report

low severity

CVE-2024-32021

Vulnerable module: git
Introduced through: git@1:2.39.2-1.1 and git/git-man@1:2.39.2-1.1
Fixed in: 1:2.39.5-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › git@1:2.39.2-1.1
Introduced through: node@18.16.1-bookworm › git/git-man@1:2.39.2-1.1

NVD Description

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the objects/ directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's objects/ directory. When cloning a repository over the filesystem (without explicitly specifying the file:// protocol or --no-local), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

CVE-2024-32021 vulnerability report

low severity

CVE-2024-32465

Vulnerable module: git
Introduced through: git@1:2.39.2-1.1 and git/git-man@1:2.39.2-1.1
Fixed in: 1:2.39.5-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › git@1:2.39.2-1.1
Introduced through: node@18.16.1-bookworm › git/git-man@1:2.39.2-1.1

NVD Description

Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with git clone --no-local to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a .zip file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

CVE-2024-32465 vulnerability report

low severity

Improper Encoding or Escaping of Output

Vulnerable module: git
Introduced through: git@1:2.39.2-1.1 and git/git-man@1:2.39.2-1.1
Fixed in: 1:2.39.5-0+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › git@1:2.39.2-1.1
Introduced through: node@18.16.1-bookworm › git/git-man@1:2.39.2-1.1

NVD Description

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been decoded already, and are printed verbatim. This allows attackers to craft URLs that contain ANSI escape sequences that the terminal interpret to confuse users e.g. into providing passwords for trusted Git hosting sites when in fact they are then sent to untrusted sites that are under the attacker's control. This issue has been patch via commits 7725b81 and c903985 which are included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u2 or higher.

References

Improper Encoding or Escaping of Output vulnerability report

low severity

Improper Encoding or Escaping of Output

Vulnerable module: git
Introduced through: git@1:2.39.2-1.1 and git/git-man@1:2.39.2-1.1
Fixed in: 1:2.39.5-0+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › git@1:2.39.2-1.1
Introduced through: node@18.16.1-bookworm › git/git-man@1:2.39.2-1.1

NVD Description

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit b01b9b8 which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u2 or higher.

References

Improper Encoding or Escaping of Output vulnerability report

low severity

Improper Encoding or Escaping of Output

Vulnerable module: git
Introduced through: git@1:2.39.2-1.1 and git/git-man@1:2.39.2-1.1

Detailed paths

Introduced through: node@18.16.1-bookworm › git@1:2.39.2-1.1
Introduced through: node@18.16.1-bookworm › git/git-man@1:2.39.2-1.1

NVD Description

Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.

Remediation

There is no fixed version for Debian:12 git.

References

Improper Encoding or Escaping of Output vulnerability report

low severity

CVE-2024-34397

Vulnerable module: glib2.0/libglib2.0-0
Introduced through: glib2.0/libglib2.0-0@2.74.6-2, glib2.0/libglib2.0-bin@2.74.6-2 and others
Fixed in: 2.74.6-2+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-0@2.74.6-2
Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-bin@2.74.6-2
Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-data@2.74.6-2
Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-dev@2.74.6-2
Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-dev-bin@2.74.6-2

…and 2 more

NVD Description

An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.

Remediation

Upgrade Debian:12 glib2.0 to version 2.74.6-2+deb12u1 or higher.

References

CVE-2024-34397 vulnerability report

low severity

CVE-2024-52533

Vulnerable module: glib2.0/libglib2.0-0
Introduced through: glib2.0/libglib2.0-0@2.74.6-2, glib2.0/libglib2.0-bin@2.74.6-2 and others
Fixed in: 2.74.6-2+deb12u5

Detailed paths

Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-0@2.74.6-2
Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-bin@2.74.6-2
Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-data@2.74.6-2
Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-dev@2.74.6-2
Introduced through: node@18.16.1-bookworm › glib2.0/libglib2.0-dev-bin@2.74.6-2

…and 2 more

NVD Description

gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character.

Remediation

Upgrade Debian:12 glib2.0 to version 2.74.6-2+deb12u5 or higher.

References

CVE-2024-52533 vulnerability report

low severity

CVE-2024-2961

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others
Fixed in: 2.36-9+deb12u6

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u6 or higher.

References

CVE-2024-2961 vulnerability report

low severity

CVE-2024-33599

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others
Fixed in: 2.36-9+deb12u7

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

nscd: Stack-based buffer overflow in netgroup cache

If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u7 or higher.

References

CVE-2024-33599 vulnerability report

low severity

CVE-2024-33600

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others
Fixed in: 2.36-9+deb12u7

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

nscd: Null pointer crashes after notfound response

If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u7 or higher.

References

CVE-2024-33600 vulnerability report

low severity

CVE-2024-33601

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others
Fixed in: 2.36-9+deb12u7

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

nscd: netgroup cache may terminate daemon on memory allocation failure

The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u7 or higher.

References

CVE-2024-33601 vulnerability report

low severity

CVE-2024-33602

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others
Fixed in: 2.36-9+deb12u7

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

nscd: netgroup cache assumes NSS callback uses in-buffer strings

The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u7 or higher.

References

CVE-2024-33602 vulnerability report

low severity

CVE-2025-0395

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.36-9, glibc/libc-dev-bin@2.36-9 and others
Fixed in: 2.36-9+deb12u10

Detailed paths

Introduced through: node@18.16.1-bookworm › glibc/libc-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc-dev-bin@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6@2.36-9
Introduced through: node@18.16.1-bookworm › glibc/libc6-dev@2.36-9

…and 1 more

NVD Description

When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u10 or higher.

References

CVE-2025-0395 vulnerability report

low severity

new

CVE-2025-30258

Vulnerable module: gnupg2/dirmngr
Introduced through: gnupg2/dirmngr@2.2.40-1.1, gnupg2/gnupg@2.2.40-1.1 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › gnupg2/dirmngr@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gnupg@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gnupg-l10n@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gnupg-utils@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gpg@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gpg-agent@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gpg-wks-client@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gpg-wks-server@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gpgconf@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gpgsm@2.2.40-1.1
Introduced through: node@18.16.1-bookworm › gnupg2/gpgv@2.2.40-1.1

…and 8 more

NVD Description

In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."

Remediation

There is no fixed version for Debian:12 gnupg2.

References

CVE-2025-30258 vulnerability report

low severity

Uncaught Exception

Vulnerable module: gnutls28/libgnutls30
Introduced through: gnutls28/libgnutls30@3.7.9-2
Fixed in: 3.7.9-2+deb12u3

Detailed paths

Introduced through: node@18.16.1-bookworm › gnutls28/libgnutls30@3.7.9-2

NVD Description

A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u3 or higher.

References

Uncaught Exception vulnerability report

low severity

Use of a Broken or Risky Cryptographic Algorithm

Vulnerable module: gnutls28/libgnutls30
Introduced through: gnutls28/libgnutls30@3.7.9-2
Fixed in: 3.7.9-2+deb12u3

Detailed paths

Introduced through: node@18.16.1-bookworm › gnutls28/libgnutls30@3.7.9-2

NVD Description

A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u3 or higher.

References

Use of a Broken or Risky Cryptographic Algorithm vulnerability report

low severity

CVE-2024-26458

Vulnerable module: krb5/krb5-multidev
Introduced through: krb5/krb5-multidev@1.20.1-2, krb5/libgssapi-krb5-2@1.20.1-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › krb5/krb5-multidev@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libgssapi-krb5-2@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libgssrpc4@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libk5crypto3@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkadm5clnt-mit12@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkadm5srv-mit12@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkdb5-10@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5-3@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5-dev@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5support0@1.20.1-2

…and 7 more

NVD Description

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

Remediation

There is no fixed version for Debian:12 krb5.

References

CVE-2024-26458 vulnerability report

low severity

CVE-2024-26461

Vulnerable module: krb5/krb5-multidev
Introduced through: krb5/krb5-multidev@1.20.1-2, krb5/libgssapi-krb5-2@1.20.1-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › krb5/krb5-multidev@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libgssapi-krb5-2@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libgssrpc4@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libk5crypto3@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkadm5clnt-mit12@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkadm5srv-mit12@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkdb5-10@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5-3@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5-dev@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5support0@1.20.1-2

…and 7 more

NVD Description

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

Remediation

There is no fixed version for Debian:12 krb5.

References

CVE-2024-26461 vulnerability report

low severity

CVE-2025-24528

Vulnerable module: krb5/krb5-multidev
Introduced through: krb5/krb5-multidev@1.20.1-2, krb5/libgssapi-krb5-2@1.20.1-2 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › krb5/krb5-multidev@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libgssapi-krb5-2@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libgssrpc4@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libk5crypto3@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkadm5clnt-mit12@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkadm5srv-mit12@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkdb5-10@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5-3@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5-dev@1.20.1-2
Introduced through: node@18.16.1-bookworm › krb5/libkrb5support0@1.20.1-2

…and 7 more

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:12 krb5.

References

https://security-tracker.debian.org/tracker/CVE-2025-24528

CVE-2025-24528 vulnerability report

low severity

new

CVE-2025-29070

Vulnerable module: lcms2/liblcms2-2
Introduced through: lcms2/liblcms2-2@2.14-2 and lcms2/liblcms2-dev@2.14-2

Detailed paths

Introduced through: node@18.16.1-bookworm › lcms2/liblcms2-2@2.14-2
Introduced through: node@18.16.1-bookworm › lcms2/liblcms2-dev@2.14-2

NVD Description

Note: Versions mentioned in the description apply only to the upstream lcms2 package and not the lcms2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A heap buffer overflow vulnerability has been identified in thesmooth2() in cmsgamma.c in lcms2-2.16 which allows a remote attacker to cause a denial of service. NOTE: the Supplier disputes this because "this is not exploitable as this function is never called on normal color management, is there only as a helper for low-level programming and investigation."

Remediation

There is no fixed version for Debian:12 lcms2.

References

CVE-2025-29070 vulnerability report

low severity

CVE-2025-1390

Vulnerable module: libcap2
Introduced through: libcap2@1:2.66-4

Detailed paths

Introduced through: node@18.16.1-bookworm › libcap2@1:2.66-4

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcap2 package and not the libcap2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames.

Remediation

There is no fixed version for Debian:12 libcap2.

References

CVE-2025-1390 vulnerability report

low severity

CVE-2023-51792

Vulnerable module: libde265/libde265-0
Introduced through: libde265/libde265-0@1.0.11-1

Detailed paths

Introduced through: node@18.16.1-bookworm › libde265/libde265-0@1.0.11-1

NVD Description

Buffer Overflow vulnerability in libde265 v1.0.12 allows a local attacker to cause a denial of service via the allocation size exceeding the maximum supported size of 0x10000000000.

Remediation

There is no fixed version for Debian:12 libde265.

References

CVE-2023-51792 vulnerability report

low severity

CVE-2024-38949

Vulnerable module: libde265/libde265-0
Introduced through: libde265/libde265-0@1.0.11-1

Detailed paths

Introduced through: node@18.16.1-bookworm › libde265/libde265-0@1.0.11-1

NVD Description

Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to display444as420 function at sdl.cc

Remediation

There is no fixed version for Debian:12 libde265.

References

CVE-2024-38949 vulnerability report

low severity

CVE-2024-38950

Vulnerable module: libde265/libde265-0
Introduced through: libde265/libde265-0@1.0.11-1

Detailed paths

Introduced through: node@18.16.1-bookworm › libde265/libde265-0@1.0.11-1

NVD Description

Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to __interceptor_memcpy function.

Remediation

There is no fixed version for Debian:12 libde265.

References

CVE-2024-38950 vulnerability report

low severity

Information Exposure

Vulnerable module: libgcrypt20
Introduced through: libgcrypt20@1.10.1-3

Detailed paths

Introduced through: node@18.16.1-bookworm › libgcrypt20@1.10.1-3

NVD Description

A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

Remediation

There is no fixed version for Debian:12 libgcrypt20.

References

Information Exposure vulnerability report

low severity

CVE-2024-25269

Vulnerable module: libheif/libheif1
Introduced through: libheif/libheif1@1.15.1-1

Detailed paths

Introduced through: node@18.16.1-bookworm › libheif/libheif1@1.15.1-1

NVD Description

libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack.

Remediation

There is no fixed version for Debian:12 libheif.

References

CVE-2024-25269 vulnerability report

low severity

new

CVE-2025-29482

Vulnerable module: libheif/libheif1
Introduced through: libheif/libheif1@1.15.1-1

Detailed paths

Introduced through: node@18.16.1-bookworm › libheif/libheif1@1.15.1-1

NVD Description

Buffer Overflow vulnerability in libheif 1.19.7 allows a local attacker to execute arbitrary code via the SAO (Sample Adaptive Offset) processing of libde265.

Remediation

There is no fixed version for Debian:12 libheif.

References

CVE-2025-29482 vulnerability report

low severity

CVE-2022-49043

Vulnerable module: libxml2
Introduced through: libxml2@2.9.14+dfsg-1.2 and libxml2/libxml2-dev@2.9.14+dfsg-1.2

Detailed paths

Introduced through: node@18.16.1-bookworm › libxml2@2.9.14+dfsg-1.2
Introduced through: node@18.16.1-bookworm › libxml2/libxml2-dev@2.9.14+dfsg-1.2

NVD Description

xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.

Remediation

There is no fixed version for Debian:12 libxml2.

References

CVE-2022-49043 vulnerability report

low severity

CVE-2024-34459

Vulnerable module: libxml2
Introduced through: libxml2@2.9.14+dfsg-1.2 and libxml2/libxml2-dev@2.9.14+dfsg-1.2

Detailed paths

Introduced through: node@18.16.1-bookworm › libxml2@2.9.14+dfsg-1.2
Introduced through: node@18.16.1-bookworm › libxml2/libxml2-dev@2.9.14+dfsg-1.2

NVD Description

An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.

Remediation

There is no fixed version for Debian:12 libxml2.

References

CVE-2024-34459 vulnerability report

low severity

CVE-2024-56171

Vulnerable module: libxml2
Introduced through: libxml2@2.9.14+dfsg-1.2 and libxml2/libxml2-dev@2.9.14+dfsg-1.2

Detailed paths

Introduced through: node@18.16.1-bookworm › libxml2@2.9.14+dfsg-1.2
Introduced through: node@18.16.1-bookworm › libxml2/libxml2-dev@2.9.14+dfsg-1.2

NVD Description

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

Remediation

There is no fixed version for Debian:12 libxml2.

References

CVE-2024-56171 vulnerability report

low severity

CVE-2025-24928

Vulnerable module: libxml2
Introduced through: libxml2@2.9.14+dfsg-1.2 and libxml2/libxml2-dev@2.9.14+dfsg-1.2

Detailed paths

Introduced through: node@18.16.1-bookworm › libxml2@2.9.14+dfsg-1.2
Introduced through: node@18.16.1-bookworm › libxml2/libxml2-dev@2.9.14+dfsg-1.2

NVD Description

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.

Remediation

There is no fixed version for Debian:12 libxml2.

References

CVE-2025-24928 vulnerability report

low severity

new

CVE-2025-32414

Vulnerable module: libxml2
Introduced through: libxml2@2.9.14+dfsg-1.2 and libxml2/libxml2-dev@2.9.14+dfsg-1.2

Detailed paths

Introduced through: node@18.16.1-bookworm › libxml2@2.9.14+dfsg-1.2
Introduced through: node@18.16.1-bookworm › libxml2/libxml2-dev@2.9.14+dfsg-1.2

NVD Description

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

Remediation

There is no fixed version for Debian:12 libxml2.

References

CVE-2025-32414 vulnerability report

low severity

new

CVE-2024-55549

Vulnerable module: libxslt/libxslt1-dev
Introduced through: libxslt/libxslt1-dev@1.1.35-1 and libxslt/libxslt1.1@1.1.35-1
Fixed in: 1.1.35-1+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › libxslt/libxslt1-dev@1.1.35-1
Introduced through: node@18.16.1-bookworm › libxslt/libxslt1.1@1.1.35-1

NVD Description

xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.

Remediation

Upgrade Debian:12 libxslt to version 1.1.35-1+deb12u1 or higher.

References

CVE-2024-55549 vulnerability report

low severity

new

CVE-2025-24855

Vulnerable module: libxslt/libxslt1-dev
Introduced through: libxslt/libxslt1-dev@1.1.35-1 and libxslt/libxslt1.1@1.1.35-1
Fixed in: 1.1.35-1+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › libxslt/libxslt1-dev@1.1.35-1
Introduced through: node@18.16.1-bookworm › libxslt/libxslt1.1@1.1.35-1

NVD Description

numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.

Remediation

Upgrade Debian:12 libxslt to version 1.1.35-1+deb12u1 or higher.

References

CVE-2025-24855 vulnerability report

low severity

CVE-2023-52969

Vulnerable module: mariadb/libmariadb-dev
Introduced through: mariadb/libmariadb-dev@1:10.11.3-1, mariadb/libmariadb-dev-compat@1:10.11.3-1 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › mariadb/libmariadb-dev@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/libmariadb-dev-compat@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/libmariadb3@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/mariadb-common@1:10.11.3-1

…and 1 more

NVD Description

MariaDB Server 10.4 through 10.5., 10.6 through 10.6., 10.7 through 10.11., and 11.0 through 11.0. can sometimes crash with an empty backtrace log. This may be related to make_aggr_tables_info and optimize_stage2.

Remediation

There is no fixed version for Debian:12 mariadb.

References

CVE-2023-52969 vulnerability report

low severity

CVE-2023-52970

Vulnerable module: mariadb/libmariadb-dev
Introduced through: mariadb/libmariadb-dev@1:10.11.3-1, mariadb/libmariadb-dev-compat@1:10.11.3-1 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › mariadb/libmariadb-dev@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/libmariadb-dev-compat@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/libmariadb3@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/mariadb-common@1:10.11.3-1

…and 1 more

NVD Description

MariaDB Server 10.4 through 10.5., 10.6 through 10.6., 10.7 through 10.11., 11.0 through 11.0., and 11.1 through 11.4.* crashes in Item_direct_view_ref::derived_field_transformer_for_where.

Remediation

There is no fixed version for Debian:12 mariadb.

References

CVE-2023-52970 vulnerability report

low severity

CVE-2023-52971

Vulnerable module: mariadb/libmariadb-dev
Introduced through: mariadb/libmariadb-dev@1:10.11.3-1, mariadb/libmariadb-dev-compat@1:10.11.3-1 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › mariadb/libmariadb-dev@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/libmariadb-dev-compat@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/libmariadb3@1:10.11.3-1
Introduced through: node@18.16.1-bookworm › mariadb/mariadb-common@1:10.11.3-1

…and 1 more

NVD Description

MariaDB Server 10.10 through 10.11.* and 11.0 through 11.4.* crashes in JOIN::fix_all_splittings_in_plan.

Remediation

There is no fixed version for Debian:12 mariadb.

References

CVE-2023-52971 vulnerability report

low severity

CVE-2024-28182

Vulnerable module: nghttp2/libnghttp2-14
Introduced through: nghttp2/libnghttp2-14@1.52.0-1
Fixed in: 1.52.0-1+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › nghttp2/libnghttp2-14@1.52.0-1

NVD Description

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

Remediation

Upgrade Debian:12 nghttp2 to version 1.52.0-1+deb12u2 or higher.

References

CVE-2024-28182 vulnerability report

low severity

CVE-2024-31047

Vulnerable module: openexr/libopenexr-3-1-30
Introduced through: openexr/libopenexr-3-1-30@3.1.5-5 and openexr/libopenexr-dev@3.1.5-5

Detailed paths

Introduced through: node@18.16.1-bookworm › openexr/libopenexr-3-1-30@3.1.5-5
Introduced through: node@18.16.1-bookworm › openexr/libopenexr-dev@3.1.5-5

NVD Description

An issue in Academy Software Foundation openexr v.3.2.3 and before allows a local attacker to cause a denial of service (DoS) via the convert function of exrmultipart.cpp.

Remediation

There is no fixed version for Debian:12 openexr.

References

CVE-2024-31047 vulnerability report

low severity

Resource Exhaustion

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

A flaw was found in OpenJPEG. Maliciously constructed pictures can cause the program to enter a large loop and continuously print warning messages on the terminal.

Remediation

There is no fixed version for Debian:12 openjpeg2.

References

Resource Exhaustion vulnerability report

low severity

Resource Exhaustion

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

A flaw was found in OpenJPEG. A resource exhaustion can occur in the opj_t1_decode_cblks function in tcd.c through a crafted image file, causing a denial of service.

Remediation

There is no fixed version for Debian:12 openjpeg2.

References

Resource Exhaustion vulnerability report

low severity

Resource Exhaustion

Vulnerable module: openjpeg2/libopenjp2-7
Introduced through: openjpeg2/libopenjp2-7@2.5.0-2 and openjpeg2/libopenjp2-7-dev@2.5.0-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7@2.5.0-2
Introduced through: node@18.16.1-bookworm › openjpeg2/libopenjp2-7-dev@2.5.0-2

NVD Description

A vulnerability was found in OpenJPEG similar to CVE-2019-6988. This flaw allows an attacker to bypass existing protections and cause an application crash through a maliciously crafted file.

Remediation

There is no fixed version for Debian:12 openjpeg2.

References

Resource Exhaustion vulnerability report

low severity

new

CVE-2025-32728

Vulnerable module: openssh/openssh-client
Introduced through: openssh/openssh-client@1:9.2p1-2

Detailed paths

Introduced through: node@18.16.1-bookworm › openssh/openssh-client@1:9.2p1-2

NVD Description

In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.

Remediation

There is no fixed version for Debian:12 openssh.

References

CVE-2025-32728 vulnerability report

low severity

CVE-2023-6237

Vulnerable module: openssl
Introduced through: openssl@3.0.9-1, openssl/libssl-dev@3.0.9-1 and others
Fixed in: 3.0.13-1~deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › openssl@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl-dev@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl3@3.0.9-1

NVD Description

Issue summary: Checking excessively long invalid RSA public keys may take a long time.

Impact summary: Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may lead to a Denial of Service.

When function EVP_PKEY_public_check() is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is an overly large prime, then this computation would take a long time.

An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The function EVP_PKEY_public_check() is not called from other OpenSSL functions however it is called from the OpenSSL pkey command line application. For that reason that application is also vulnerable if used with the '-pubin' and '-check' options on untrusted data.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.13-1~deb12u1 or higher.

References

CVE-2023-6237 vulnerability report

low severity

CVE-2024-13176

Vulnerable module: openssl
Introduced through: openssl@3.0.9-1, openssl/libssl-dev@3.0.9-1 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › openssl@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl-dev@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl3@3.0.9-1

NVD Description

Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation.

Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency.

There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low.

The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.

Remediation

There is no fixed version for Debian:12 openssl.

References

CVE-2024-13176 vulnerability report

low severity

CVE-2024-2511

Vulnerable module: openssl
Introduced through: openssl@3.0.9-1, openssl/libssl-dev@3.0.9-1 and others
Fixed in: 3.0.14-1~deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › openssl@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl-dev@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl3@3.0.9-1

NVD Description

Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions

Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service

This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation.

This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.14-1~deb12u1 or higher.

References

CVE-2024-2511 vulnerability report

low severity

CVE-2024-4603

Vulnerable module: openssl
Introduced through: openssl@3.0.9-1, openssl/libssl-dev@3.0.9-1 and others
Fixed in: 3.0.14-1~deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › openssl@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl-dev@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl3@3.0.9-1

NVD Description

Issue summary: Checking excessively long DSA keys or parameters may be very slow.

Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (p parameter) is too large.

Trying to use a very large modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in length for signature verification. However the key and parameter check functions do not limit the modulus size when performing the checks.

An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

These functions are not called by OpenSSL itself on untrusted DSA keys so only applications that directly call these functions may be vulnerable.

Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the -check option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.14-1~deb12u1 or higher.

References

CVE-2024-4603 vulnerability report

low severity

CVE-2024-4741

Vulnerable module: openssl
Introduced through: openssl@3.0.9-1, openssl/libssl-dev@3.0.9-1 and others
Fixed in: 3.0.14-1~deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › openssl@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl-dev@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl3@3.0.9-1

NVD Description

Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations

Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications.

The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use.

The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use.

The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use.

While these scenarios could occur accidentally during normal operation a malicious attacker could attempt to engineer a stituation where this occurs. We are not aware of this issue being actively exploited.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.14-1~deb12u1 or higher.

References

CVE-2024-4741 vulnerability report

low severity

CVE-2024-5535

Vulnerable module: openssl
Introduced through: openssl@3.0.9-1, openssl/libssl-dev@3.0.9-1 and others
Fixed in: 3.0.15-1~deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › openssl@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl-dev@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl3@3.0.9-1

NVD Description

Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer.

Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application.

The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists).

This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem.

In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur.

This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available.

Remediation

Upgrade Debian:12 openssl to version 3.0.15-1~deb12u1 or higher.

References

CVE-2024-5535 vulnerability report

low severity

CVE-2024-6119

Vulnerable module: openssl
Introduced through: openssl@3.0.9-1, openssl/libssl-dev@3.0.9-1 and others
Fixed in: 3.0.14-1~deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › openssl@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl-dev@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl3@3.0.9-1

NVD Description

Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.

Impact summary: Abnormal termination of an application can a cause a denial of service.

Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an otherName subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program.

Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address.

TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.14-1~deb12u2 or higher.

References

CVE-2024-6119 vulnerability report

low severity

CVE-2024-9143

Vulnerable module: openssl
Introduced through: openssl@3.0.9-1, openssl/libssl-dev@3.0.9-1 and others
Fixed in: 3.0.15-1~deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › openssl@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl-dev@3.0.9-1
Introduced through: node@18.16.1-bookworm › openssl/libssl3@3.0.9-1

NVD Description

Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes.

Impact summary: Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution, however, in all the protocols involving Elliptic Curve Cryptography that we're aware of, either only "named curves" are supported, or, if explicit curve parameters are supported, they specify an X9.62 encoding of binary (GF(2^m)) curves that can't represent problematic input values. Thus the likelihood of existence of a vulnerable application is low.

In particular, the X9.62 encoding is used for ECC keys in X.509 certificates, so problematic inputs cannot occur in the context of processing X.509 certificates. Any problematic use-cases would have to be using an "exotic" curve encoding.

The affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), and various supporting BN_GF2m_*() functions.

Applications working with "exotic" explicit binary (GF(2^m)) curve parameters, that make it possible to represent invalid field polynomials with a zero constant term, via the above or similar APIs, may terminate abruptly as a result of reading or writing outside of array bounds. Remote code execution cannot easily be ruled out.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.15-1~deb12u1 or higher.

References

CVE-2024-9143 vulnerability report

low severity

CVE-2025-1094

Vulnerable module: postgresql-15/libpq-dev
Introduced through: postgresql-15/libpq-dev@15.3-0+deb12u1 and postgresql-15/libpq5@15.3-0+deb12u1
Fixed in: 15.11-0+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › postgresql-15/libpq-dev@15.3-0+deb12u1
Introduced through: node@18.16.1-bookworm › postgresql-15/libpq5@15.3-0+deb12u1

NVD Description

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.11-0+deb12u1 or higher.

References

CVE-2025-1094 vulnerability report

low severity

CVE-2023-6597

Vulnerable module: python3.11
Introduced through: python3.11@3.11.2-6, python3.11/libpython3.11-minimal@3.11.2-6 and others
Fixed in: 3.11.2-6+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › python3.11@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-minimal@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-stdlib@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/python3.11-minimal@3.11.2-6

…and 1 more

NVD Description

An issue was found in the CPython tempfile.TemporaryDirectory class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u2 or higher.

References

CVE-2023-6597 vulnerability report

low severity

CVE-2024-0397

Vulnerable module: python3.11
Introduced through: python3.11@3.11.2-6, python3.11/libpython3.11-minimal@3.11.2-6 and others
Fixed in: 3.11.2-6+deb12u3

Detailed paths

Introduced through: node@18.16.1-bookworm › python3.11@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-minimal@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-stdlib@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/python3.11-minimal@3.11.2-6

…and 1 more

NVD Description

A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u3 or higher.

References

CVE-2024-0397 vulnerability report

low severity

CVE-2024-0450

Vulnerable module: python3.11
Introduced through: python3.11@3.11.2-6, python3.11/libpython3.11-minimal@3.11.2-6 and others
Fixed in: 3.11.2-6+deb12u2

Detailed paths

Introduced through: node@18.16.1-bookworm › python3.11@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-minimal@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-stdlib@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/python3.11-minimal@3.11.2-6

…and 1 more

NVD Description

An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u2 or higher.

References

CVE-2024-0450 vulnerability report

low severity

CVE-2024-11168

Vulnerable module: python3.11
Introduced through: python3.11@3.11.2-6, python3.11/libpython3.11-minimal@3.11.2-6 and others
Fixed in: 3.11.2-6+deb12u5

Detailed paths

Introduced through: node@18.16.1-bookworm › python3.11@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-minimal@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-stdlib@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/python3.11-minimal@3.11.2-6

…and 1 more

NVD Description

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u5 or higher.

References

CVE-2024-11168 vulnerability report

low severity

CVE-2024-4032

Vulnerable module: python3.11
Introduced through: python3.11@3.11.2-6, python3.11/libpython3.11-minimal@3.11.2-6 and others
Fixed in: 3.11.2-6+deb12u3

Detailed paths

Introduced through: node@18.16.1-bookworm › python3.11@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-minimal@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-stdlib@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/python3.11-minimal@3.11.2-6

…and 1 more

NVD Description

The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.

CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u3 or higher.

References

CVE-2024-4032 vulnerability report

low severity

CVE-2024-6923

Vulnerable module: python3.11
Introduced through: python3.11@3.11.2-6, python3.11/libpython3.11-minimal@3.11.2-6 and others
Fixed in: 3.11.2-6+deb12u5

Detailed paths

Introduced through: node@18.16.1-bookworm › python3.11@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-minimal@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-stdlib@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/python3.11-minimal@3.11.2-6

…and 1 more

NVD Description

There is a MEDIUM severity vulnerability affecting CPython.

The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u5 or higher.

References

CVE-2024-6923 vulnerability report

low severity

CVE-2024-8088

Vulnerable module: python3.11
Introduced through: python3.11@3.11.2-6, python3.11/libpython3.11-minimal@3.11.2-6 and others
Fixed in: 3.11.2-6+deb12u3

Detailed paths

Introduced through: node@18.16.1-bookworm › python3.11@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-minimal@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-stdlib@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/python3.11-minimal@3.11.2-6

…and 1 more

NVD Description

There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected.

When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u3 or higher.

References

CVE-2024-8088 vulnerability report

low severity

CVE-2025-0938

Vulnerable module: python3.11
Introduced through: python3.11@3.11.2-6, python3.11/libpython3.11-minimal@3.11.2-6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › python3.11@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-minimal@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-stdlib@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/python3.11-minimal@3.11.2-6

…and 1 more

NVD Description

The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

Remediation

There is no fixed version for Debian:12 python3.11.

References

CVE-2025-0938 vulnerability report

low severity

CVE-2025-1795

Vulnerable module: python3.11
Introduced through: python3.11@3.11.2-6, python3.11/libpython3.11-minimal@3.11.2-6 and others

Detailed paths

Introduced through: node@18.16.1-bookworm › python3.11@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-minimal@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/libpython3.11-stdlib@3.11.2-6
Introduced through: node@18.16.1-bookworm › python3.11/python3.11-minimal@3.11.2-6

…and 1 more

NVD Description

During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the separator itself is also unicode-encoded. Expected behavior is that the separating comma remains a plan comma. This can result in the address header being misinterpreted by some mail servers.

Remediation

There is no fixed version for Debian:12 python3.11.

References

CVE-2025-1795 vulnerability report

low severity

CVE-2024-56433

Vulnerable module: shadow/login
Introduced through: shadow/login@1:4.13+dfsg1-1+b1 and shadow/passwd@1:4.13+dfsg1-1+b1

Detailed paths

Introduced through: node@18.16.1-bookworm › shadow/login@1:4.13+dfsg1-1+b1
Introduced through: node@18.16.1-bookworm › shadow/passwd@1:4.13+dfsg1-1+b1

NVD Description

shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.

Remediation

There is no fixed version for Debian:12 shadow.

References

CVE-2024-56433 vulnerability report

low severity

new

CVE-2025-29088

Vulnerable module: sqlite3/libsqlite3-0
Introduced through: sqlite3/libsqlite3-0@3.40.1-2 and sqlite3/libsqlite3-dev@3.40.1-2

Detailed paths

Introduced through: node@18.16.1-bookworm › sqlite3/libsqlite3-0@3.40.1-2
Introduced through: node@18.16.1-bookworm › sqlite3/libsqlite3-dev@3.40.1-2

NVD Description

An issue in sqlite v.3.49.0 allows an attacker to cause a denial of service via the SQLITE_DBCONFIG_LOOKASIDE component

Remediation

There is no fixed version for Debian:12 sqlite3.

References

CVE-2025-29088 vulnerability report

low severity

Improper Input Validation

Vulnerable module: subversion/libsvn1
Introduced through: subversion/libsvn1@1.14.2-4+b2 and subversion/subversion@1.14.2-4+b2
Fixed in: 1.14.2-4+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › subversion/libsvn1@1.14.2-4+b2
Introduced through: node@18.16.1-bookworm › subversion/subversion@1.14.2-4+b2

NVD Description

Note: Versions mentioned in the description apply only to the upstream subversion package and not the subversion package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn allows authenticated users with commit access to commit a corrupted revision, leading to disruption for users of the repository.

All versions of Subversion up to and including Subversion 1.14.4 are affected if serving repositories via mod_dav_svn. Users are recommended to upgrade to version 1.14.5, which fixes this issue.

Repositories served via other access methods are not affected.

Remediation

Upgrade Debian:12 subversion to version 1.14.2-4+deb12u1 or higher.

References

Improper Input Validation vulnerability report

low severity

CVE-2023-50868

Vulnerable module: systemd/libsystemd0
Introduced through: systemd/libsystemd0@252.6-1 and systemd/libudev1@252.6-1
Fixed in: 252.23-1~deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › systemd/libsystemd0@252.6-1
Introduced through: node@18.16.1-bookworm › systemd/libudev1@252.6-1

NVD Description

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

Remediation

Upgrade Debian:12 systemd to version 252.23-1~deb12u1 or higher.

References

CVE-2023-50868 vulnerability report

low severity

CVE-2023-39804

Vulnerable module: tar
Introduced through: tar@1.34+dfsg-1.2
Fixed in: 1.34+dfsg-1.2+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › tar@1.34+dfsg-1.2

NVD Description

In GNU tar before 1.35, mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c.

Remediation

Upgrade Debian:12 tar to version 1.34+dfsg-1.2+deb12u1 or higher.

References

CVE-2023-39804 vulnerability report

low severity

CVE-2024-28085

Vulnerable module: util-linux/libblkid-dev
Introduced through: util-linux/libblkid-dev@2.38.1-5+b1, util-linux/libblkid1@2.38.1-5+b1 and others
Fixed in: 2.38.1-5+deb12u1

Detailed paths

Introduced through: node@18.16.1-bookworm › util-linux/libblkid-dev@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/libblkid1@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/libmount-dev@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/libmount1@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/libsmartcols1@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/libuuid1@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/mount@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/util-linux@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/util-linux-extra@2.38.1-5+b1
Introduced through: node@18.16.1-bookworm › util-linux/uuid-dev@2.38.1-5+b1

…and 7 more

NVD Description

wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.

Remediation

Upgrade Debian:12 util-linux to version 2.38.1-5+deb12u1 or higher.

References

CVE-2024-28085 vulnerability report

low severity

Server-Side Request Forgery (SSRF)

Vulnerable module: wget/wget
Introduced through: wget/wget@1.21.3-1+b2

Detailed paths

Introduced through: node@18.16.1-bookworm › wget/wget@1.21.3-1+b2

NVD Description

Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.

Remediation

There is no fixed version for Debian:12 wget.

References

Server-Side Request Forgery (SSRF) vulnerability report

low severity

new

Race Condition

Vulnerable module: xz-utils
Introduced through: xz-utils@5.4.1-0.2, xz-utils/liblzma-dev@5.4.1-0.2 and others
Fixed in: 5.4.1-1

Detailed paths

Introduced through: node@18.16.1-bookworm › xz-utils@5.4.1-0.2
Introduced through: node@18.16.1-bookworm › xz-utils/liblzma-dev@5.4.1-0.2
Introduced through: node@18.16.1-bookworm › xz-utils/liblzma5@5.4.1-0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream xz-utils package and not the xz-utils package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.

Remediation

Upgrade Debian:12 xz-utils to version 5.4.1-1 or higher.

References

Race Condition vulnerability report

Docker node:18.16.1-bookworm

Vulnerabilities

Dependencies

Source

Target OS

critical severity

Integer Overflow or Wraparound

Detailed paths

NVD Description

Remediation

References

critical severity

Out-of-bounds Write

Detailed paths

NVD Description

Remediation

References

critical severity

Integer Overflow or Wraparound

Detailed paths

NVD Description

Remediation

References

critical severity

Integer Overflow or Wraparound

Detailed paths

NVD Description

Remediation

References

critical severity

CVE-2023-28531

Detailed paths

NVD Description

Remediation

References

critical severity

Unquoted Search Path or Element

Detailed paths

NVD Description

Remediation

References

critical severity

Integer Overflow or Wraparound

Detailed paths

NVD Description

Remediation

References

critical severity

CVE-2024-37371

Detailed paths

NVD Description

Remediation

References

critical severity

Interpretation Conflict

Detailed paths

NVD Description

Remediation

References

critical severity

Link Following

Detailed paths

NVD Description

Remediation

References

high severity

Integer Overflow or Wraparound

Detailed paths

NVD Description

Remediation

References

high severity

Out-of-bounds Write

Detailed paths

NVD Description

Remediation

References

high severity

Out-of-bounds Write

Detailed paths