#nodejs

Red Hat Security Advisory 2024-1354-03 - An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections. Issues addressed include a denial of service vulnerability.

### Impact TurboBoost Commands has existing protections in place to guarantee that only public methods on Command classes can be invoked; however, the existing checks aren't as robust as they should be. It's possible for a sophisticated attacker to invoke more methods than should be permitted depending on the the strictness of authorization checks that individual applications enforce. Being able to call some of these methods can have security implications. #### Details Commands verify that the class must be a `Command` and that the method requested is defined as a public method; however, this isn't robust enough to guard against all unwanted code execution. The library should more strictly enforce which methods are considered safe before allowing them to be executed. ### Patches Patched in the following versions. - 0.1.3 - [NPM Package](https://www.npmjs.com/package/@turbo-boost/commands/v/0.1.3) - [Ruby GEM](https://rubygems.org/gems/turbo_boost-commands/versions/0.1.3) - 0.2....

### Summary More methods than expected can be called on reflex instances. Being able to call some of them has security implications. ### Details To invoke a reflex a websocket message of the following shape is sent: ```json { "target": "[class_name]#[method_name]", "args": [] } ``` The server will proceed to instantiate `reflex` using the provided `class_name` as long as it extends `StimulusReflex::Reflex`. It then attempts to call `method_name` on the instance with the provided arguments [ref](https://github.com/stimulusreflex/stimulus_reflex/blob/0211cad7d60fe96838587f159d657e44cee51b9b/app/channels/stimulus_reflex/channel.rb#L83): ```ruby method = reflex.method method_name required_params = method.parameters.select { |(kind, _)| kind == :req } optional_params = method.parameters.select { |(kind, _)| kind == :opt } if arguments.size >= required_params.size && arguments.size <= required_params.size + optional_params.size reflex.public_send(method_name, *arguments) end ``` ...

By Deeba Ahmed Patch Now! One-Day Vulnerabilities Exploited by Magnet Goblin to Deliver Linux Malware! This is a post from HackRead.com Read the original post: Magnet Goblin Hackers Using Ivanti Flaws to Deploy Linux Malware

MongoDB versions 2.0.1, 2.1.1, 2.1.4, and 2.1.5 appear to suffer from multiple localized password disclosure issues.

A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing plaintext after its decryption](https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.3). This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective. Note that as per [RFC 8725](https://www.rfc-editor.org/rfc/rfc8725.html#name-avoid-compression-of-encryp) compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. For this reason the v5.x major version of `jose` removed support for compressed payloads entirely and is therefore NOT affected by this advisory. ...

Threat actors are targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services as part of an emerging malware campaign designed to deliver a cryptocurrency miner and spawn a reverse shell for persistent remote access. “The attackers leverage these tools to issue exploit code, taking advantage of common misconfigurations and

By Deeba Ahmed Another day, another Linux malware! This is a post from HackRead.com Read the original post: New Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps

### Summary A vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. ### Details A bug in Deno's Node.js compatibility runtime results in data cross-reception during simultaneous asynchronous reads from Node.js network streams. When multiple independent network socket connections are involved, this vulnerability can be triggered. For instance, two separate server sockets that receive data from their respective client sockets and then echo the received data back to the client using Node.js streams may experience an issue where data fro...

Registered Agents Inc. has for years allowed businesses to register under a cloak of anonymity. A WIRED investigation reveals that its secretive founder has taken the practice to an extreme.