14 lines
1.8 KiB
JSON
14 lines
1.8 KiB
JSON
{
|
|
"id": "openEuler-SA-2024-1136",
|
|
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1136",
|
|
"title": "An update for nodejs is now available for openEuler-22.03-LTS",
|
|
"severity": "High",
|
|
"description": "Node.js is an open-source, cross-platform, JavaScript runtime environment, it executes JavaScript code outside of a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nA security vulnerability has been identified in all supported versions\r\n\r\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464)\r\n\r\nApplications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\r\n\r\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)",
|
|
"cves": [
|
|
{
|
|
"id": "CVE-2023-0465",
|
|
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0465",
|
|
"severity": "High"
|
|
}
|
|
]
|
|
} |