CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-22201 |
Description: Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
CVSS: HIGH (7.5) EPSS Score: 0.07%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-22181 |
Description: An out-of-bounds write vulnerability exists in the readNODE functionality of libigl v2.5.0. A specially crafted .node file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.
CVSS: HIGH (7.8) EPSS Score: 0.05%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-2214 |
Description: In Eclipse ThreadX before version 6.4.0, the _Mtxinit() function in the
Xtensa port was missing an array size check causing a memory overwrite.
The affected file was ports/xtensa/xcc/src/tx_clib_lock.c
CVSS: HIGH (7.0) EPSS Score: 0.05%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-2212 |
Description: In Eclipse ThreadX before 6.4.0, xQueueCreate() and xQueueCreateSet()
functions from the FreeRTOS compatibility API
(utility/rtos_compatibility_layers/FreeRTOS/tx_freertos.c) were missing
parameter checks. This could lead to integer wraparound,
under-allocations and heap buffer overflows.
CVSS: HIGH (7.3) EPSS Score: 0.05%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-22019 |
Description: A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.
CVSS: HIGH (7.5) EPSS Score: 0.05%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-22017 |
Description: setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid().
This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid().
This vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.
CVSS: HIGH (7.3) EPSS Score: 0.05%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-21896 |
Description: The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability.
This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVSS: HIGH (7.9) EPSS Score: 0.05%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-21892 |
Description: On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE.
Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set.
This allows unprivileged users to inject code that inherits the process's elevated privileges.
CVSS: HIGH (7.5) EPSS Score: 0.04%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-21891 |
Description: Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack.
This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVSS: HIGH (7.9) EPSS Score: 0.16%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-21626 |
Description: runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.
CVSS: HIGH (8.6) EPSS Score: 1.37%
February 14th, 2025 (5 months ago)
|