vulnerability

Ubuntu: USN-4796-1 (CVE-2016-7099): Node.js vulnerabilities

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:M/Au:N/C:N/I:P/A:N)	Oct 10, 2016	Mar 22, 2023	Apr 14, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:N/I:P/A:N)

Published

Oct 10, 2016

Added

Mar 22, 2023

Modified

Apr 14, 2025

Description

Alexander Minozhenko and James Bunton discovered that Node.js did not
properly handle wildcards in name fields of X.509 TLS certificates. An
attacker could use this vulnerability to execute a machine-in-the-middle-
attack. This issue only affected Ubuntu 14.04 ESM and 16.04 ESM. (CVE-2016-7099)

It was discovered that Node.js incorrectly handled certain NAPTR responses.
A remote attacker could possibly use this issue to cause applications using
Node.js to crash, resulting in a denial of service. This issue only affected
Ubuntu 16.04 ESM. (CVE-2017-1000381)

Nikita Skovoroda discovered that Node.js mishandled certain input, leading
to an out of bounds write. An attacker could use this vulnerability to
cause a denial of service (crash) or possibly execute arbitrary code. This
issue only affected Ubuntu 18.04 ESM. (CVE-2018-12115)

Arkadiy Tetelman discovered that Node.js improperly handled certain
malformed HTTP requests. An attacker could use this vulnerability to inject
unexpected HTTP requests. This issue only affected Ubuntu 18.04 ESM.
(CVE-2018-12116)

Jan Maybach discovered that Node.js did not time out if incomplete
HTTP/HTTPS headers were received. An attacker could use this vulnerability
to cause a denial of service by keeping HTTP/HTTPS connections alive for a
long period of time. This issue only affected Ubuntu 18.04 ESM.
(CVE-2018-12122)

Martin Bajanik discovered that the url.parse() method would return
incorrect results if it received specially crafted input. An attacker could
use this vulnerability to spoof the hostname and bypass hostname-specific
security controls. This issue only affected Ubuntu 18.04 ESM. (CVE-2018-12123)

It was discovered that Node.js is vulnerable to a DNS rebinding attack which
could be exploited to perform remote code execution. An attack is possible
from malicious websites open in a web browser with network access to the system
running the Node.js process. This issue only affected Ubuntu 18.04 ESM.
(CVE-2018-7160)

It was discovered that the Buffer.fill() and Buffer.alloc() methods
improperly handled certain inputs. An attacker could use this vulnerability
to cause a denial of service. This issue only affected Ubuntu 18.04 ESM.
(CVE-2018-7167)

Marco Pracucci discovered that Node.js mishandled HTTP and HTTPS
connections. An attacker could use this vulnerability to cause a denial of
service. This issue only affected Ubuntu 18.04 ESM. (CVE-2019-5737)

Solutions

ubuntu-pro-upgrade-nodejsubuntu-pro-upgrade-nodejs-devubuntu-pro-upgrade-nodejs-legacy

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today