PatchSiren

nodejs CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH NodeJS CVE published 2024-11-12

CVE-2024-27983

CVE-2024-27983 is a high-severity denial-of-service vulnerability in Node.js affecting Siemens SINEC INS. The vulnerability stems from an assertion failure in `node::http2::Http2Session::~Http2Session()` that can be triggered by sending a small amount of HTTP/2 frame packets. An unauthenticated remote attacker can exploit this to crash the HTTP/2 server. The vulnerability was published on November 12, 202 [truncated]

LOW nodejs CVE published 2024-11-12

CVE-2024-24758

CVE-2024-24758 describes an information disclosure vulnerability in Undici, an HTTP/1.1 client for Node.js. While Undici properly clears Authorization headers during cross-origin redirects, it fails to clear Proxy-Authentication headers, potentially exposing proxy credentials to unintended destinations. This vulnerability affects Siemens SINEC INS, which incorporates the vulnerable Undici component. The i [truncated]

MEDIUM NodeJS CVE published 2024-11-12

CVE-2024-22025

CVE-2024-22025 is a denial-of-service vulnerability in Node.js affecting Siemens SINEC INS, published 2024-11-12. The vulnerability stems from resource exhaustion during fetch() brotli decoding, where a remote attacker can send a specially crafted request to trigger a DoS condition. The CVSS 3.1 score of 5.3 (MEDIUM) reflects network accessibility with low attack complexity, no required privileges or user [truncated]

HIGH NodeJS CVE published 2024-11-12

CVE-2024-22017

CVE-2024-22017 is a privilege escalation vulnerability in Node.js affecting libuv's io_uring implementation. The root cause is that libuv's internal io_uring operations, when initialized before a setuid() call, retain their original privilege level and are not affected by subsequent privilege drops. This allows a process to continue performing privileged operations even after setuid() has been called to d [truncated]

HIGH NodeJS CVE published 2024-11-12

CVE-2024-21892

CVE-2024-21892 is a high-severity local privilege escalation vulnerability affecting Node.js, as used in Siemens SINEC INS. The flaw stems from a bug in the implementation of the CAP_NET_BIND_SERVICE capability exception, which could allow a local authenticated attacker to inject code that inherits the process's elevated privileges. The vulnerability was published on November 12, 2024, via CISA's ICS advi [truncated]

MEDIUM NodeJS CVE published 2024-11-12

CVE-2024-21891

CVE-2024-21891 is a path traversal vulnerability in Node.js that enables remote attackers to bypass filesystem permission models. The vulnerability stems from improper sanitization of path traversal sequences, allowing attackers to access files outside intended directories. Siemens SINEC INS is affected by this vulnerability through its Node.js dependency. CISA published advisory ICSA-24-319-08 on Novembe [truncated]

MEDIUM NodeJS CVE published 2024-11-12

CVE-2024-21890

CVE-2024-21890 concerns a documentation clarity issue in the Node.js Permission Model that could lead to unintended filesystem access. The vulnerability stems from misleading documentation regarding wildcard usage in file path permissions. Specifically, the documentation does not clarify that wildcards should only be used as the last character of a file path. When users specify patterns like `--allow-fs- [truncated]

HIGH NodeJS CVE published 2024-11-12

CVE-2023-46809

CVE-2023-46809 is a HIGH severity vulnerability (CVSS 7.4) affecting Node.js applications that use unpatched OpenSSL versions for RSA decryption with PKCS #1 v1.5 padding. The vulnerability exposes systems to the Marvin Attack, a timing side-channel attack that can recover private RSA keys. Siemens SINEC INS is affected through its Node.js dependency chain. CISA published advisory ICSA-24-319-08 on Novemb [truncated]

LOW nodejs CVE published 2024-11-12

CVE-2023-45143

CVE-2023-45143 is a LOW-severity vulnerability (CVSS 3.9) affecting Undici, an HTTP/1.1 client for Node.js. The issue involves improper handling of Cookie headers during cross-origin redirects. Prior to version 5.26.2, Undici cleared Authorization headers on cross-origin redirects but failed to clear Cookie headers. While browsers forbid Cookie headers in RequestInit.headers per the Fetch specification, U [truncated]

MEDIUM NodeJS CVE published 2024-11-12

CVE-2023-39333

CVE-2023-39333 is a medium-severity vulnerability affecting Siemens SINEC INS, published on November 12, 2024. The vulnerability stems from maliciously crafted export names in imported WebAssembly modules that can inject JavaScript code. This injected code may access data and functions beyond the WebAssembly module's intended scope, effectively granting it privileges similar to a JavaScript module. The CV [truncated]

CRITICAL NodeJS CVE published 2024-11-12

CVE-2023-39332

CVE-2023-39332 is a critical path traversal vulnerability in Node.js affecting Siemens SINEC INS. The flaw exists because Node.js `node:fs` functions inadequately validate `Uint8Array` objects (excluding `Buffer` instances) for path traversal sequences, allowing attackers to bypass security controls that properly block string-based and `Buffer`-based traversal attempts. This vulnerability is distinct from [truncated]

HIGH NodeJS CVE published 2024-11-12

CVE-2023-38552

CVE-2023-38552 is a high-severity vulnerability (CVSS 7.5) in Node.js's experimental policy mechanism that allows integrity check bypass. When Node.js verifies a resource against a trusted manifest, an attacker can intercept this operation and return a forged checksum, effectively disabling the integrity verification. This vulnerability affects Node.js 18.x and 20.x release lines. The issue was published [truncated]

HIGH NodeJS CVE published 2024-02-13

CVE-2023-32559

A privilege escalation vulnerability exists in the experimental policy mechanism in Node.js versions 16.x, 18.x, and 20.x. The deprecated `process.binding()` API can be exploited to bypass policy restrictions by requiring internal modules and leveraging `process.binding('spawn_sync')` to execute arbitrary code outside the boundaries defined in a `policy.json` file. Siemens SINEC INS is affected by this vu [truncated]

HIGH NodeJS CVE published 2024-02-13

CVE-2023-32558

CVE-2023-32558 is a HIGH severity vulnerability (CVSS 7.5) affecting Siemens SINEC INS, published on 2024-11-12. The vulnerability stems from the use of the deprecated Node.js API `process.binding()`, which can bypass the experimental permission model through path traversal. This affects all users of Node.js 20.x with the experimental permission model enabled. At the time of CVE issuance, the permission m [truncated]

HIGH NodeJS CVE published 2024-02-13

CVE-2023-32006

CVE-2023-32006 is a high-severity vulnerability (CVSS 8.8) affecting Node.js's experimental policy mechanism. The flaw allows bypass of the policy.json restrictions through use of `module.constructor.createRequire()`, enabling unauthorized module loading outside defined policy boundaries. This vulnerability impacts all active Node.js release lines (16.x, 18.x, 20.x) at the time of disclosure. Siemens SINE [truncated]

MEDIUM NodeJS CVE published 2024-02-13

CVE-2023-32005

A vulnerability in Node.js version 20's experimental permission model allows unauthorized file statistics retrieval via the fs.statfs API when the --allow-fs-read flag is used with non-wildcard arguments. The permission model fails to properly restrict statfs operations, enabling malicious actors to obtain file system statistics from files they do not have explicit read access to. This affects Siemens SIN [truncated]

HIGH NodeJS CVE published 2024-02-13

CVE-2023-32004

CVE-2023-32004 is a high-severity vulnerability (CVSS 8.8) in Node.js version 20's experimental permission model, published on 2024-11-12. The flaw involves improper handling of Buffers in file system APIs, enabling a path traversal bypass when verifying file permissions. This vulnerability affects all users of the experimental permission model in Node.js 20. Siemens SINEC INS is identified as an affected [truncated]

MEDIUM NodeJS CVE published 2024-02-13

CVE-2023-32003

CVE-2023-32003 is a path traversal vulnerability in Node.js 20's experimental permission model that allows directory creation outside intended boundaries. The flaw exists in `fs.mkdtemp()` and `fs.mkdtempSync()` APIs due to missing path traversal checks. Siemens SINEC INS is affected through its Node.js dependency. The vulnerability has a CVSS 3.1 score of 5.3 (MEDIUM) with network attack vector, low comp [truncated]

CRITICAL NodeJS CVE published 2024-02-13

CVE-2023-32002

CVE-2023-32002 is a critical vulnerability in Node.js's experimental policy mechanism that allows bypass of module loading restrictions. The vulnerability exists in the `Module._load()` function, which can circumvent the policy.json definition to require modules outside the intended scope. This affects all active Node.js release lines (16.x, 18.x, 20.x) when the experimental policy mechanism is enabled. S [truncated]

HIGH Nodejs CVE published 2017-01-23

CVE-2015-8860

CVE-2015-8860 describes a tar-package vulnerability in the Node.js ecosystem where a crafted archive can use symlinks to cause arbitrary file writes. NVD rates it CVSS 7.5 High and maps it to CWE-59 (improper link resolution before file access), with no privileges or user interaction required. The issue is most relevant anywhere untrusted tar archives are extracted.

HIGH Nodejs CVE published 2017-01-23

CVE-2015-8855

CVE-2015-8855 is a denial-of-service issue in the semver package used in the Node.js ecosystem. An especially long version string can trigger excessive CPU consumption through regular expression backtracking, making the application slow or unresponsive. The issue is rated HIGH and is not listed in CISA KEV in the supplied data.

MEDIUM Nodejs CVE published 2017-01-23

CVE-2014-9772

CVE-2014-9772 describes an XSS filter bypass where hex-encoded characters could evade filtering and let attacker-controlled content reach a browser context. NVD rates the issue 6.1 (MEDIUM) with network access, no privileges, and user interaction required. The main defensive concern is that applications relying on this package for XSS protection may assume input has been normalized or blocked when it has not.

MEDIUM Nodejs CVE published 2017-01-23

CVE-2013-7454

CVE-2013-7454 is a cross-site scripting (XSS) filter bypass in the Node.js validator module. According to the CVE description, versions before 1.1.0 can be bypassed using nested forbidden strings, allowing remote attackers to evade intended XSS checks. NVD classifies the weakness as CWE-79 and rates the issue CVSS 3.0 6.1 (Medium).

MEDIUM Nodejs CVE published 2017-01-23

CVE-2013-7453

CVE-2013-7453 describes a cross-site scripting (XSS) filter bypass in the validator module for Node.js. According to the supplied record, attackers could use UI redressing-related vectors to get past the module’s XSS filtering in versions before 1.1.0. NVD’s CPE mapping in the source corpus also marks node.js releases through 1.0.4 as vulnerable. Because the issue requires user interaction and affects app [truncated]

MEDIUM Nodejs CVE published 2017-01-23

CVE-2013-7452

CVE-2013-7452 describes a cross-site scripting filter bypass in the validator module for Node.js versions before 1.1.0. According to the NVD record, a remote attacker can use a crafted javascript: URI to bypass the module’s XSS filtering. The issue is classified as CWE-79 and carries a Medium CVSS score of 6.1.

MEDIUM Nodejs CVE published 2017-01-23

CVE-2013-7451

CVE-2013-7451 is a medium-severity cross-site scripting issue in the Node.js validator module. According to the supplied record, input containing nested tags could bypass the module’s XSS filter, allowing attacker-controlled content to slip through sanitization. The issue was publicly disclosed through an oss-security mailing list post and a Node Security advisory, and the NVD record lists it as CVE-2013- [truncated]