{ "lastUpdatedDate": "2025-04-05T13:28:16.852Z", "name": "Node Version Audit", "website": "https://github.com/lightswitch05/node-version-audit", "license": "https://github.com/lightswitch05/node-version-audit/blob/master/LICENSE", "source": "https://www.github.developerdan.com/node-version-audit/rules-v1.json", "releasesCount": 654, "cveCount": 173, "supportVersionsCount": 21, "latestVersion": "23.11.0", "latestVersions": { "0": "0.12.18", "1": "1.8.4", "2": "2.5.0", "3": "3.3.1", "4": "4.9.1", "5": "5.12.0", "6": "6.17.1", "7": "7.10.1", "8": "8.17.0", "9": "9.11.2", "10": "10.24.1", "11": "11.15.0", "12": "12.22.12", "13": "13.14.0", "14": "14.21.3", "15": "15.14.0", "16": "16.20.2", "17": "17.9.1", "18": "18.20.8", "19": "19.9.0", "20": "20.19.0", "21": "21.7.3", "22": "22.14.0", "23": "23.11.0", "0.10": "0.10.48", "0.12": "0.12.18", "1.0": "1.0.4", "1.1": "1.1.0", "1.2": "1.2.0", "1.3": "1.3.0", "1.4": "1.4.3", "1.5": "1.5.1", "1.6": "1.6.4", "1.7": "1.7.1", "1.8": "1.8.4", "2.0": "2.0.2", "2.1": "2.1.0", "2.2": "2.2.1", "2.3": "2.3.4", "2.4": "2.4.0", "2.5": "2.5.0", "3.0": "3.0.0", "3.1": "3.1.0", "3.2": "3.2.0", "3.3": "3.3.1", "4.0": "4.0.0", "4.1": "4.1.2", "4.2": "4.2.6", "4.3": "4.3.2", "4.4": "4.4.7", "4.5": "4.5.0", "4.6": "4.6.2", "4.7": "4.7.3", "4.8": "4.8.7", "4.9": "4.9.1", "5.0": "5.0.0", "5.1": "5.1.1", "5.2": "5.2.0", "5.3": "5.3.0", "5.4": "5.4.1", "5.5": "5.5.0", "5.6": "5.6.0", "5.7": "5.7.1", "5.8": "5.8.0", "5.9": "5.9.1", "5.10": "5.10.1", "5.11": "5.11.1", "5.12": "5.12.0", "6.0": "6.0.0", "6.1": "6.1.0", "6.2": "6.2.2", "6.3": "6.3.1", "6.4": "6.4.0", "6.5": "6.5.0", "6.6": "6.6.0", "6.7": "6.7.0", "6.8": "6.8.1", "6.9": "6.9.5", "6.10": "6.10.3", "6.11": "6.11.5", "6.12": "6.12.3", "6.13": "6.13.1", "6.14": "6.14.4", "6.15": "6.15.1", "6.16": "6.16.0", "6.17": "6.17.1", "7.0": "7.0.0", "7.1": "7.1.0", "7.2": "7.2.1", "7.3": "7.3.0", "7.4": "7.4.0", "7.5": "7.5.0", "7.6": "7.6.0", "7.7": "7.7.4", "7.8": "7.8.0", "7.9": "7.9.0", "7.10": "7.10.1", "8.0": "8.0.0", "8.1": "8.1.4", "8.2": "8.2.1", "8.3": "8.3.0", "8.4": "8.4.0", "8.5": "8.5.0", "8.6": "8.6.0", "8.7": "8.7.0", "8.8": "8.8.1", "8.9": "8.9.4", "8.10": "8.10.0", "8.11": "8.11.4", "8.12": "8.12.0", "8.13": "8.13.0", "8.14": "8.14.1", "8.15": "8.15.1", "8.16": "8.16.2", "8.17": "8.17.0", "9.0": "9.0.0", "9.1": "9.1.0", "9.2": "9.2.1", "9.3": "9.3.0", "9.4": "9.4.0", "9.5": "9.5.0", "9.6": "9.6.1", "9.7": "9.7.1", "9.8": "9.8.0", "9.9": "9.9.0", "9.10": "9.10.1", "9.11": "9.11.2", "10.0": "10.0.0", "10.1": "10.1.0", "10.2": "10.2.1", "10.3": "10.3.0", "10.4": "10.4.1", "10.5": "10.5.0", "10.6": "10.6.0", "10.7": "10.7.0", "10.8": "10.8.0", "10.9": "10.9.0", "10.10": "10.10.0", "10.11": "10.11.0", "10.12": "10.12.0", "10.13": "10.13.0", "10.14": "10.14.2", "10.15": "10.15.3", "10.16": "10.16.3", "10.17": "10.17.0", "10.18": "10.18.1", "10.19": "10.19.0", "10.20": "10.20.1", "10.21": "10.21.0", "10.22": "10.22.1", "10.23": "10.23.3", "10.24": "10.24.1", "11.0": "11.0.0", "11.1": "11.1.0", "11.2": "11.2.0", "11.3": "11.3.0", "11.4": "11.4.0", "11.5": "11.5.0", "11.6": "11.6.0", "11.7": "11.7.0", "11.8": "11.8.0", "11.9": "11.9.0", "11.10": "11.10.1", "11.11": "11.11.0", "11.12": "11.12.0", "11.13": "11.13.0", "11.14": "11.14.0", "11.15": "11.15.0", "12.0": "12.0.0", "12.1": "12.1.0", "12.2": "12.2.0", "12.3": "12.3.1", "12.4": "12.4.0", "12.5": "12.5.0", "12.6": "12.6.0", "12.7": "12.7.0", "12.8": "12.8.1", "12.9": "12.9.1", "12.10": "12.10.0", "12.11": "12.11.1", "12.12": "12.12.0", "12.13": "12.13.1", "12.14": "12.14.1", "12.15": "12.15.0", "12.16": "12.16.3", "12.17": "12.17.0", "12.18": "12.18.4", "12.19": "12.19.1", "12.20": "12.20.2", "12.21": "12.21.0", "12.22": "12.22.12", "13.0": "13.0.1", "13.1": "13.1.0", "13.2": "13.2.0", "13.3": "13.3.0", "13.4": "13.4.0", "13.5": "13.5.0", "13.6": "13.6.0", "13.7": "13.7.0", "13.8": "13.8.0", "13.9": "13.9.0", "13.10": "13.10.1", "13.11": "13.11.0", "13.12": "13.12.0", "13.13": "13.13.0", "13.14": "13.14.0", "14.0": "14.0.0", "14.1": "14.1.0", "14.2": "14.2.0", "14.3": "14.3.0", "14.4": "14.4.0", "14.5": "14.5.0", "14.6": "14.6.0", "14.7": "14.7.0", "14.8": "14.8.0", "14.9": "14.9.0", "14.10": "14.10.1", "14.11": "14.11.0", "14.12": "14.12.0", "14.13": "14.13.1", "14.14": "14.14.0", "14.15": "14.15.5", "14.16": "14.16.1", "14.17": "14.17.6", "14.18": "14.18.3", "14.19": "14.19.3", "14.20": "14.20.1", "14.21": "14.21.3", "15.0": "15.0.1", "15.1": "15.1.0", "15.2": "15.2.1", "15.3": "15.3.0", "15.4": "15.4.0", "15.5": "15.5.1", "15.6": "15.6.0", "15.7": "15.7.0", "15.8": "15.8.0", "15.9": "15.9.0", "15.10": "15.10.0", "15.11": "15.11.0", "15.12": "15.12.0", "15.13": "15.13.0", "15.14": "15.14.0", "16.0": "16.0.0", "16.1": "16.1.0", "16.2": "16.2.0", "16.3": "16.3.0", "16.4": "16.4.2", "16.5": "16.5.0", "16.6": "16.6.2", "16.7": "16.7.0", "16.8": "16.8.0", "16.9": "16.9.1", "16.10": "16.10.0", "16.11": "16.11.1", "16.12": "16.12.0", "16.13": "16.13.2", "16.14": "16.14.2", "16.15": "16.15.1", "16.16": "16.16.0", "16.17": "16.17.1", "16.18": "16.18.1", "16.19": "16.19.1", "16.20": "16.20.2", "17.0": "17.0.1", "17.1": "17.1.0", "17.2": "17.2.0", "17.3": "17.3.1", "17.4": "17.4.0", "17.5": "17.5.0", "17.6": "17.6.0", "17.7": "17.7.2", "17.8": "17.8.0", "17.9": "17.9.1", "18.0": "18.0.0", "18.1": "18.1.0", "18.2": "18.2.0", "18.3": "18.3.0", "18.4": "18.4.0", "18.5": "18.5.0", "18.6": "18.6.0", "18.7": "18.7.0", "18.8": "18.8.0", "18.9": "18.9.1", "18.10": "18.10.0", "18.11": "18.11.0", "18.12": "18.12.1", "18.13": "18.13.0", "18.14": "18.14.2", "18.15": "18.15.0", "18.16": "18.16.1", "18.17": "18.17.1", "18.18": "18.18.2", "18.19": "18.19.1", "18.20": "18.20.8", "19.0": "19.0.1", "19.1": "19.1.0", "19.2": "19.2.0", "19.3": "19.3.0", "19.4": "19.4.0", "19.5": "19.5.0", "19.6": "19.6.1", "19.7": "19.7.0", "19.8": "19.8.1", "19.9": "19.9.0", "20.0": "20.0.0", "20.1": "20.1.0", "20.2": "20.2.0", "20.3": "20.3.1", "20.4": "20.4.0", "20.5": "20.5.1", "20.6": "20.6.1", "20.7": "20.7.0", "20.8": "20.8.1", "20.9": "20.9.0", "20.10": "20.10.0", "20.11": "20.11.1", "20.12": "20.12.2", "20.13": "20.13.1", "20.14": "20.14.0", "20.15": "20.15.1", "20.16": "20.16.0", "20.17": "20.17.0", "20.18": "20.18.3", "20.19": "20.19.0", "21.0": "21.0.0", "21.1": "21.1.0", "21.2": "21.2.0", "21.3": "21.3.0", "21.4": "21.4.0", "21.5": "21.5.0", "21.6": "21.6.2", "21.7": "21.7.3", "22.0": "22.0.0", "22.1": "22.1.0", "22.2": "22.2.0", "22.3": "22.3.0", "22.4": "22.4.1", "22.5": "22.5.1", "22.6": "22.6.0", "22.7": "22.7.0", "22.8": "22.8.0", "22.9": "22.9.0", "22.10": "22.10.0", "22.11": "22.11.0", "22.12": "22.12.0", "22.13": "22.13.1", "22.14": "22.14.0", "23.0": "23.0.0", "23.1": "23.1.0", "23.2": "23.2.0", "23.3": "23.3.0", "23.4": "23.4.0", "23.5": "23.5.0", "23.6": "23.6.1", "23.7": "23.7.0", "23.8": "23.8.0", "23.9": "23.9.0", "23.10": "23.10.0", "23.11": "23.11.0" }, "supportEndDates": { "4": { "start": "2015-09-08T00:00:00.000Z", "lts": "2015-10-12T00:00:00.000Z", "maintenance": "2017-04-01T00:00:00.000Z", "end": "2018-04-30T00:00:00.000Z" }, "5": { "start": "2015-10-29T00:00:00.000Z", "maintenance": "2016-04-30T00:00:00.000Z", "end": "2016-06-30T00:00:00.000Z" }, "6": { "start": "2016-04-26T00:00:00.000Z", "lts": "2016-10-18T00:00:00.000Z", "maintenance": "2018-04-30T00:00:00.000Z", "end": "2019-04-30T00:00:00.000Z" }, "7": { "start": "2016-10-25T00:00:00.000Z", "maintenance": "2017-04-30T00:00:00.000Z", "end": "2017-06-30T00:00:00.000Z" }, "8": { "start": "2017-05-30T00:00:00.000Z", "lts": "2017-10-31T00:00:00.000Z", "maintenance": "2019-01-01T00:00:00.000Z", "end": "2019-12-31T00:00:00.000Z" }, "9": { "start": "2017-10-01T00:00:00.000Z", "maintenance": "2018-04-01T00:00:00.000Z", "end": "2018-06-30T00:00:00.000Z" }, "10": { "start": "2018-04-24T00:00:00.000Z", "lts": "2018-10-30T00:00:00.000Z", "maintenance": "2020-05-19T00:00:00.000Z", "end": "2021-04-30T00:00:00.000Z" }, "11": { "start": "2018-10-23T00:00:00.000Z", "maintenance": "2019-04-22T00:00:00.000Z", "end": "2019-06-01T00:00:00.000Z" }, "12": { "start": "2019-04-23T00:00:00.000Z", "lts": "2019-10-21T00:00:00.000Z", "maintenance": "2020-11-30T00:00:00.000Z", "end": "2022-04-30T00:00:00.000Z" }, "13": { "start": "2019-10-22T00:00:00.000Z", "maintenance": "2020-04-01T00:00:00.000Z", "end": "2020-06-01T00:00:00.000Z" }, "14": { "start": "2020-04-21T00:00:00.000Z", "lts": "2020-10-27T00:00:00.000Z", "maintenance": "2021-10-19T00:00:00.000Z", "end": "2023-04-30T00:00:00.000Z" }, "15": { "start": "2020-10-20T00:00:00.000Z", "maintenance": "2021-04-01T00:00:00.000Z", "end": "2021-06-01T00:00:00.000Z" }, "16": { "start": "2021-04-20T00:00:00.000Z", "lts": "2021-10-26T00:00:00.000Z", "maintenance": "2022-10-18T00:00:00.000Z", "end": "2023-09-11T00:00:00.000Z" }, "17": { "start": "2021-10-19T00:00:00.000Z", "maintenance": "2022-04-01T00:00:00.000Z", "end": "2022-06-01T00:00:00.000Z" }, "18": { "start": "2022-04-19T00:00:00.000Z", "lts": "2022-10-25T00:00:00.000Z", "maintenance": "2023-10-18T00:00:00.000Z", "end": "2025-04-30T00:00:00.000Z" }, "19": { "start": "2022-10-18T00:00:00.000Z", "maintenance": "2023-04-01T00:00:00.000Z", "end": "2023-06-01T00:00:00.000Z" }, "20": { "start": "2023-04-18T00:00:00.000Z", "lts": "2023-10-24T00:00:00.000Z", "maintenance": "2024-10-22T00:00:00.000Z", "end": "2026-04-30T00:00:00.000Z" }, "21": { "start": "2023-10-17T00:00:00.000Z", "maintenance": "2024-04-01T00:00:00.000Z", "end": "2024-06-01T00:00:00.000Z" }, "22": { "start": "2024-04-24T00:00:00.000Z", "lts": "2024-10-29T00:00:00.000Z", "maintenance": "2025-10-21T00:00:00.000Z", "end": "2027-04-30T00:00:00.000Z" }, "23": { "start": "2024-10-16T00:00:00.000Z", "maintenance": "2025-04-01T00:00:00.000Z", "end": "2025-06-01T00:00:00.000Z" }, "24": { "start": "2025-04-22T00:00:00.000Z", "lts": "2025-10-28T00:00:00.000Z", "maintenance": "2026-10-20T00:00:00.000Z", "end": "2028-04-30T00:00:00.000Z" } }, "releases": { "0.10.0": { "version": "0.10.0", "releaseDate": null, "patchedCveIds": [] }, "0.10.1": { "version": "0.10.1", "releaseDate": null, "patchedCveIds": [] }, "0.10.2": { "version": "0.10.2", "releaseDate": null, "patchedCveIds": [] }, "0.10.3": { "version": "0.10.3", "releaseDate": null, "patchedCveIds": [] }, "0.10.4": { "version": "0.10.4", "releaseDate": null, "patchedCveIds": [] }, "0.10.5": { "version": "0.10.5", "releaseDate": null, "patchedCveIds": [] }, "0.10.6": { "version": "0.10.6", "releaseDate": null, "patchedCveIds": [] }, "0.10.7": { "version": "0.10.7", "releaseDate": null, "patchedCveIds": [] }, "0.10.8": { "version": "0.10.8", "releaseDate": null, "patchedCveIds": [] }, "0.10.9": { "version": "0.10.9", "releaseDate": null, "patchedCveIds": [] }, "0.10.10": { "version": "0.10.10", "releaseDate": null, "patchedCveIds": [] }, "0.10.11": { "version": "0.10.11", "releaseDate": null, "patchedCveIds": [] }, "0.10.12": { "version": "0.10.12", "releaseDate": null, "patchedCveIds": [] }, "0.10.13": { "version": "0.10.13", "releaseDate": null, "patchedCveIds": [] }, "0.10.14": { "version": "0.10.14", "releaseDate": null, "patchedCveIds": [] }, "0.10.15": { "version": "0.10.15", "releaseDate": null, "patchedCveIds": [] }, "0.10.16": { "version": "0.10.16", "releaseDate": null, "patchedCveIds": [ "CVE-2013-2882" ] }, "0.10.17": { "version": "0.10.17", "releaseDate": null, "patchedCveIds": [] }, "0.10.18": { "version": "0.10.18", "releaseDate": null, "patchedCveIds": [] }, "0.10.19": { "version": "0.10.19", "releaseDate": null, "patchedCveIds": [] }, "0.10.20": { "version": "0.10.20", "releaseDate": null, "patchedCveIds": [] }, "0.10.21": { "version": "0.10.21", "releaseDate": null, "patchedCveIds": [] }, "0.10.22": { "version": "0.10.22", "releaseDate": null, "patchedCveIds": [] }, "0.10.23": { "version": "0.10.23", "releaseDate": null, "patchedCveIds": [] }, "0.10.24": { "version": "0.10.24", "releaseDate": null, "patchedCveIds": [] }, "0.10.25": { "version": "0.10.25", "releaseDate": null, "patchedCveIds": [] }, "0.10.26": { "version": "0.10.26", "releaseDate": null, "patchedCveIds": [] }, "0.10.27": { "version": "0.10.27", "releaseDate": null, "patchedCveIds": [] }, "0.10.28": { "version": "0.10.28", "releaseDate": null, "patchedCveIds": [] }, "0.10.29": { "version": "0.10.29", "releaseDate": null, "patchedCveIds": [ "CVE-2014-224" ] }, "0.10.30": { "version": "0.10.30", "releaseDate": null, "patchedCveIds": [] }, "0.10.31": { "version": "0.10.31", "releaseDate": null, "patchedCveIds": [ "CVE-2013-6668" ] }, "0.10.32": { "version": "0.10.32", "releaseDate": null, "patchedCveIds": [] }, "0.10.33": { "version": "0.10.33", "releaseDate": null, "patchedCveIds": [] }, "0.10.34": { "version": "0.10.34", "releaseDate": null, "patchedCveIds": [] }, "0.10.35": { "version": "0.10.35", "releaseDate": null, "patchedCveIds": [] }, "0.10.36": { "version": "0.10.36", "releaseDate": "2015-01-26T00:00:00.000Z", "patchedCveIds": [] }, "0.10.37": { "version": "0.10.37", "releaseDate": "2015-03-11T00:00:00.000Z", "patchedCveIds": [ "CVE-2015-278" ] }, "0.10.38": { "version": "0.10.38", "releaseDate": "2015-03-23T00:00:00.000Z", "patchedCveIds": [] }, "0.10.39": { "version": "0.10.39", "releaseDate": "2015-06-18T00:00:00.000Z", "patchedCveIds": [] }, "0.10.40": { "version": "0.10.40", "releaseDate": "2015-07-09T00:00:00.000Z", "patchedCveIds": [] }, "0.10.41": { "version": "0.10.41", "releaseDate": "2015-12-04T00:00:00.000Z", "patchedCveIds": [ "CVE-2015-3194" ] }, "0.10.42": { "version": "0.10.42", "releaseDate": "2016-02-09T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-2086", "CVE-2016-2216" ] }, "0.10.43": { "version": "0.10.43", "releaseDate": "2016-03-04T00:00:00.000Z", "patchedCveIds": [] }, "0.10.44": { "version": "0.10.44", "releaseDate": "2016-03-31T00:00:00.000Z", "patchedCveIds": [] }, "0.10.45": { "version": "0.10.45", "releaseDate": "2016-05-06T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-2107" ] }, "0.10.46": { "version": "0.10.46", "releaseDate": "2016-06-23T00:00:00.000Z", "patchedCveIds": [ "CVE-2014-9748", "CVE-2016-1669" ] }, "0.10.47": { "version": "0.10.47", "releaseDate": "2016-09-27T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-2178", "CVE-2016-2183", "CVE-2016-5325", "CVE-2016-6304", "CVE-2016-6306", "CVE-2016-7099" ] }, "0.10.48": { "version": "0.10.48", "releaseDate": "2016-10-18T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-5180" ] }, "0.12.0": { "version": "0.12.0", "releaseDate": "2015-02-06T00:00:00.000Z", "patchedCveIds": [] }, "0.12.1": { "version": "0.12.1", "releaseDate": "2015-03-23T00:00:00.000Z", "patchedCveIds": [] }, "0.12.2": { "version": "0.12.2", "releaseDate": "2015-03-31T00:00:00.000Z", "patchedCveIds": [] }, "0.12.3": { "version": "0.12.3", "releaseDate": "2015-05-13T00:00:00.000Z", "patchedCveIds": [] }, "0.12.4": { "version": "0.12.4", "releaseDate": "2015-05-22T00:00:00.000Z", "patchedCveIds": [] }, "0.12.5": { "version": "0.12.5", "releaseDate": "2015-06-22T00:00:00.000Z", "patchedCveIds": [] }, "0.12.6": { "version": "0.12.6", "releaseDate": "2015-07-03T00:00:00.000Z", "patchedCveIds": [] }, "0.12.8": { "version": "0.12.8", "releaseDate": null, "patchedCveIds": [] }, "0.12.9": { "version": "0.12.9", "releaseDate": "2015-12-04T00:00:00.000Z", "patchedCveIds": [ "CVE-2015-3194", "CVE-2015-8027" ] }, "0.12.10": { "version": "0.12.10", "releaseDate": "2016-02-09T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-2086", "CVE-2016-2216" ] }, "0.12.11": { "version": "0.12.11", "releaseDate": "2016-03-03T00:00:00.000Z", "patchedCveIds": [] }, "0.12.12": { "version": "0.12.12", "releaseDate": "2016-03-08T00:00:00.000Z", "patchedCveIds": [] }, "0.12.13": { "version": "0.12.13", "releaseDate": "2016-03-31T00:00:00.000Z", "patchedCveIds": [] }, "0.12.14": { "version": "0.12.14", "releaseDate": "2016-05-06T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-2105", "CVE-2016-2107" ] }, "0.12.15": { "version": "0.12.15", "releaseDate": "2016-06-23T00:00:00.000Z", "patchedCveIds": [ "CVE-2014-9748", "CVE-2016-1669" ] }, "0.12.16": { "version": "0.12.16", "releaseDate": "2016-09-27T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-2178", "CVE-2016-2183", "CVE-2016-5325", "CVE-2016-6303", "CVE-2016-6304", "CVE-2016-6306", "CVE-2016-7099" ] }, "0.12.17": { "version": "0.12.17", "releaseDate": "2016-10-18T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-5180" ] }, "0.12.18": { "version": "0.12.18", "releaseDate": "2016-12-21T00:00:00.000Z", "patchedCveIds": [] }, "1.0.0": { "version": "1.0.0", "releaseDate": null, "patchedCveIds": [] }, "1.0.1": { "version": "1.0.1", "releaseDate": "2015-01-14T00:00:00.000Z", "patchedCveIds": [] }, "1.0.2": { "version": "1.0.2", "releaseDate": "2015-01-16T00:00:00.000Z", "patchedCveIds": [] }, "1.0.3": { "version": "1.0.3", "releaseDate": "2015-01-20T00:00:00.000Z", "patchedCveIds": [] }, "1.0.4": { "version": "1.0.4", "releaseDate": "2015-01-24T00:00:00.000Z", "patchedCveIds": [] }, "1.1.0": { "version": "1.1.0", "releaseDate": "2015-02-03T00:00:00.000Z", "patchedCveIds": [] }, "1.2.0": { "version": "1.2.0", "releaseDate": "2015-02-10T00:00:00.000Z", "patchedCveIds": [] }, "1.3.0": { "version": "1.3.0", "releaseDate": "2015-02-20T00:00:00.000Z", "patchedCveIds": [] }, "1.4.1": { "version": "1.4.1", "releaseDate": "2015-02-26T00:00:00.000Z", "patchedCveIds": [] }, "1.4.2": { "version": "1.4.2", "releaseDate": "2015-02-28T00:00:00.000Z", "patchedCveIds": [] }, "1.4.3": { "version": "1.4.3", "releaseDate": "2015-03-02T00:00:00.000Z", "patchedCveIds": [] }, "1.5.0": { "version": "1.5.0", "releaseDate": "2015-03-06T00:00:00.000Z", "patchedCveIds": [] }, "1.5.1": { "version": "1.5.1", "releaseDate": "2015-03-09T00:00:00.000Z", "patchedCveIds": [] }, "1.6.0": { "version": "1.6.0", "releaseDate": "2015-03-19T00:00:00.000Z", "patchedCveIds": [] }, "1.6.1": { "version": "1.6.1", "releaseDate": "2015-03-20T00:00:00.000Z", "patchedCveIds": [] }, "1.6.2": { "version": "1.6.2", "releaseDate": "2015-03-23T00:00:00.000Z", "patchedCveIds": [] }, "1.6.3": { "version": "1.6.3", "releaseDate": "2015-03-31T00:00:00.000Z", "patchedCveIds": [] }, "1.6.4": { "version": "1.6.4", "releaseDate": "2015-04-06T00:00:00.000Z", "patchedCveIds": [] }, "1.7.0": { "version": "1.7.0", "releaseDate": "2015-04-14T00:00:00.000Z", "patchedCveIds": [] }, "1.7.1": { "version": "1.7.1", "releaseDate": "2015-04-14T00:00:00.000Z", "patchedCveIds": [] }, "1.8.1": { "version": "1.8.1", "releaseDate": "2015-04-20T00:00:00.000Z", "patchedCveIds": [] }, "1.8.2": { "version": "1.8.2", "releaseDate": "2015-05-17T00:00:00.000Z", "patchedCveIds": [] }, "1.8.3": { "version": "1.8.3", "releaseDate": "2015-07-04T00:00:00.000Z", "patchedCveIds": [ "CVE-2015-1788" ] }, "1.8.4": { "version": "1.8.4", "releaseDate": "2015-07-09T00:00:00.000Z", "patchedCveIds": [ "CVE-2015-1793" ] }, "2.0.0": { "version": "2.0.0", "releaseDate": "2015-05-04T00:00:00.000Z", "patchedCveIds": [] }, "2.0.1": { "version": "2.0.1", "releaseDate": "2015-05-07T00:00:00.000Z", "patchedCveIds": [] }, "2.0.2": { "version": "2.0.2", "releaseDate": "2015-05-15T00:00:00.000Z", "patchedCveIds": [] }, "2.1.0": { "version": "2.1.0", "releaseDate": "2015-05-24T00:00:00.000Z", "patchedCveIds": [] }, "2.2.0": { "version": "2.2.0", "releaseDate": "2015-05-31T00:00:00.000Z", "patchedCveIds": [] }, "2.2.1": { "version": "2.2.1", "releaseDate": "2015-06-01T00:00:00.000Z", "patchedCveIds": [] }, "2.3.0": { "version": "2.3.0", "releaseDate": "2015-06-13T00:00:00.000Z", "patchedCveIds": [ "CVE-2015-1788" ] }, "2.3.1": { "version": "2.3.1", "releaseDate": "2015-06-23T00:00:00.000Z", "patchedCveIds": [] }, "2.3.2": { "version": "2.3.2", "releaseDate": "2015-07-01T00:00:00.000Z", "patchedCveIds": [] }, "2.3.3": { "version": "2.3.3", "releaseDate": "2015-07-04T00:00:00.000Z", "patchedCveIds": [] }, "2.3.4": { "version": "2.3.4", "releaseDate": "2015-07-09T00:00:00.000Z", "patchedCveIds": [ "CVE-2015-1793" ] }, "2.4.0": { "version": "2.4.0", "releaseDate": "2015-07-17T00:00:00.000Z", "patchedCveIds": [] }, "2.5.0": { "version": "2.5.0", "releaseDate": "2015-07-28T00:00:00.000Z", "patchedCveIds": [] }, "3.0.0": { "version": "3.0.0", "releaseDate": "2015-08-04T00:00:00.000Z", "patchedCveIds": [] }, "3.1.0": { "version": "3.1.0", "releaseDate": "2015-08-18T00:00:00.000Z", "patchedCveIds": [] }, "3.2.0": { "version": "3.2.0", "releaseDate": "2015-08-25T00:00:00.000Z", "patchedCveIds": [] }, "3.3.0": { "version": "3.3.0", "releaseDate": "2015-09-02T00:00:00.000Z", "patchedCveIds": [] }, "3.3.1": { "version": "3.3.1", "releaseDate": "2015-09-15T00:00:00.000Z", "patchedCveIds": [] }, "4.0.0": { "version": "4.0.0", "releaseDate": "2015-09-08T00:00:00.000Z", "patchedCveIds": [] }, "4.1.0": { "version": "4.1.0", "releaseDate": "2015-09-17T00:00:00.000Z", "patchedCveIds": [] }, "4.1.1": { "version": "4.1.1", "releaseDate": "2015-09-22T00:00:00.000Z", "patchedCveIds": [] }, "4.1.2": { "version": "4.1.2", "releaseDate": "2015-10-05T00:00:00.000Z", "patchedCveIds": [ "CVE-2015-7384" ] }, "4.2.0": { "version": "4.2.0", "releaseDate": "2015-10-07T00:00:00.000Z", "patchedCveIds": [] }, "4.2.1": { "version": "4.2.1", "releaseDate": "2015-10-13T00:00:00.000Z", "patchedCveIds": [] }, "4.2.2": { "version": "4.2.2", "releaseDate": "2015-11-03T00:00:00.000Z", "patchedCveIds": [] }, "4.2.3": { "version": "4.2.3", "releaseDate": "2015-12-04T00:00:00.000Z", "patchedCveIds": [ "CVE-2015-3193", "CVE-2015-3194", "CVE-2015-6764", "CVE-2015-8027" ] }, "4.2.4": { "version": "4.2.4", "releaseDate": "2015-12-23T00:00:00.000Z", "patchedCveIds": [] }, "4.2.5": { "version": "4.2.5", "releaseDate": "2016-01-20T00:00:00.000Z", "patchedCveIds": [] }, "4.2.6": { "version": "4.2.6", "releaseDate": "2016-01-21T00:00:00.000Z", "patchedCveIds": [] }, "4.3.0": { "version": "4.3.0", "releaseDate": "2016-02-09T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-2086", "CVE-2016-2216" ] }, "4.3.1": { "version": "4.3.1", "releaseDate": "2016-02-16T00:00:00.000Z", "patchedCveIds": [] }, "4.3.2": { "version": "4.3.2", "releaseDate": "2016-03-02T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-702", "CVE-2016-705", "CVE-2016-797" ] }, "4.4.0": { "version": "4.4.0", "releaseDate": "2016-03-08T00:00:00.000Z", "patchedCveIds": [] }, "4.4.1": { "version": "4.4.1", "releaseDate": "2016-03-22T00:00:00.000Z", "patchedCveIds": [] }, "4.4.2": { "version": "4.4.2", "releaseDate": "2016-03-31T00:00:00.000Z", "patchedCveIds": [] }, "4.4.3": { "version": "4.4.3", "releaseDate": "2016-04-12T00:00:00.000Z", "patchedCveIds": [] }, "4.4.4": { "version": "4.4.4", "releaseDate": "2016-05-05T00:00:00.000Z", "patchedCveIds": [] }, "4.4.5": { "version": "4.4.5", "releaseDate": "2016-05-24T00:00:00.000Z", "patchedCveIds": [] }, "4.4.6": { "version": "4.4.6", "releaseDate": "2016-06-23T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-1669" ] }, "4.4.7": { "version": "4.4.7", "releaseDate": "2016-06-28T00:00:00.000Z", "patchedCveIds": [] }, "4.5.0": { "version": "4.5.0", "releaseDate": "2016-08-15T00:00:00.000Z", "patchedCveIds": [] }, "4.6.0": { "version": "4.6.0", "releaseDate": "2016-09-27T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-2178", "CVE-2016-2183", "CVE-2016-5325", "CVE-2016-6303", "CVE-2016-6304", "CVE-2016-6306", "CVE-2016-7052", "CVE-2016-7099" ] }, "4.6.1": { "version": "4.6.1", "releaseDate": "2016-10-18T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-5180" ] }, "4.6.2": { "version": "4.6.2", "releaseDate": "2016-11-08T00:00:00.000Z", "patchedCveIds": [] }, "4.7.0": { "version": "4.7.0", "releaseDate": "2016-12-06T00:00:00.000Z", "patchedCveIds": [] }, "4.7.1": { "version": "4.7.1", "releaseDate": "2017-01-03T00:00:00.000Z", "patchedCveIds": [] }, "4.7.2": { "version": "4.7.2", "releaseDate": "2017-01-05T00:00:00.000Z", "patchedCveIds": [] }, "4.7.3": { "version": "4.7.3", "releaseDate": "2017-01-31T00:00:00.000Z", "patchedCveIds": [] }, "4.8.0": { "version": "4.8.0", "releaseDate": "2017-02-21T00:00:00.000Z", "patchedCveIds": [] }, "4.8.1": { "version": "4.8.1", "releaseDate": "2017-03-21T00:00:00.000Z", "patchedCveIds": [] }, "4.8.2": { "version": "4.8.2", "releaseDate": "2017-04-04T00:00:00.000Z", "patchedCveIds": [] }, "4.8.3": { "version": "4.8.3", "releaseDate": "2017-05-02T00:00:00.000Z", "patchedCveIds": [] }, "4.8.4": { "version": "4.8.4", "releaseDate": "2017-07-11T00:00:00.000Z", "patchedCveIds": [ "CVE-2017-1000381" ] }, "4.8.5": { "version": "4.8.5", "releaseDate": "2017-10-24T00:00:00.000Z", "patchedCveIds": [ "CVE-2017-14919" ] }, "4.8.6": { "version": "4.8.6", "releaseDate": "2017-11-07T00:00:00.000Z", "patchedCveIds": [] }, "4.8.7": { "version": "4.8.7", "releaseDate": "2017-12-08T00:00:00.000Z", "patchedCveIds": [ "CVE-2017-3738", "CVE-2017-15896" ] }, "4.9.0": { "version": "4.9.0", "releaseDate": "2018-03-28T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-7158", "CVE-2018-7159" ] }, "4.9.1": { "version": "4.9.1", "releaseDate": "2018-03-29T00:00:00.000Z", "patchedCveIds": [] }, "5.0.0": { "version": "5.0.0", "releaseDate": "2015-10-29T00:00:00.000Z", "patchedCveIds": [] }, "5.1.0": { "version": "5.1.0", "releaseDate": "2015-11-17T00:00:00.000Z", "patchedCveIds": [] }, "5.1.1": { "version": "5.1.1", "releaseDate": "2015-12-04T00:00:00.000Z", "patchedCveIds": [ "CVE-2015-3193", "CVE-2015-3194", "CVE-2015-6764", "CVE-2015-8027" ] }, "5.2.0": { "version": "5.2.0", "releaseDate": "2015-12-09T00:00:00.000Z", "patchedCveIds": [] }, "5.3.0": { "version": "5.3.0", "releaseDate": "2015-12-16T00:00:00.000Z", "patchedCveIds": [] }, "5.4.0": { "version": "5.4.0", "releaseDate": "2016-01-06T00:00:00.000Z", "patchedCveIds": [] }, "5.4.1": { "version": "5.4.1", "releaseDate": "2016-01-12T00:00:00.000Z", "patchedCveIds": [] }, "5.5.0": { "version": "5.5.0", "releaseDate": "2016-01-20T00:00:00.000Z", "patchedCveIds": [] }, "5.6.0": { "version": "5.6.0", "releaseDate": "2016-02-09T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-2086", "CVE-2016-2216" ] }, "5.7.0": { "version": "5.7.0", "releaseDate": "2016-02-23T00:00:00.000Z", "patchedCveIds": [] }, "5.7.1": { "version": "5.7.1", "releaseDate": "2016-03-02T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-702", "CVE-2016-705", "CVE-2016-797" ] }, "5.8.0": { "version": "5.8.0", "releaseDate": "2016-03-08T00:00:00.000Z", "patchedCveIds": [] }, "5.9.0": { "version": "5.9.0", "releaseDate": "2016-03-16T00:00:00.000Z", "patchedCveIds": [] }, "5.9.1": { "version": "5.9.1", "releaseDate": "2016-03-23T00:00:00.000Z", "patchedCveIds": [] }, "5.10.0": { "version": "5.10.0", "releaseDate": "2016-03-31T00:00:00.000Z", "patchedCveIds": [] }, "5.10.1": { "version": "5.10.1", "releaseDate": "2016-04-05T00:00:00.000Z", "patchedCveIds": [] }, "5.11.0": { "version": "5.11.0", "releaseDate": "2016-04-20T00:00:00.000Z", "patchedCveIds": [] }, "5.11.1": { "version": "5.11.1", "releaseDate": "2016-05-05T00:00:00.000Z", "patchedCveIds": [] }, "5.12.0": { "version": "5.12.0", "releaseDate": "2016-06-23T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-1699" ] }, "6.0.0": { "version": "6.0.0", "releaseDate": "2016-04-26T00:00:00.000Z", "patchedCveIds": [] }, "6.1.0": { "version": "6.1.0", "releaseDate": "2016-05-05T00:00:00.000Z", "patchedCveIds": [] }, "6.2.0": { "version": "6.2.0", "releaseDate": "2016-05-17T00:00:00.000Z", "patchedCveIds": [] }, "6.2.1": { "version": "6.2.1", "releaseDate": "2016-06-02T00:00:00.000Z", "patchedCveIds": [] }, "6.2.2": { "version": "6.2.2", "releaseDate": "2016-06-17T00:00:00.000Z", "patchedCveIds": [] }, "6.3.0": { "version": "6.3.0", "releaseDate": "2016-07-06T00:00:00.000Z", "patchedCveIds": [] }, "6.3.1": { "version": "6.3.1", "releaseDate": "2016-07-21T00:00:00.000Z", "patchedCveIds": [] }, "6.4.0": { "version": "6.4.0", "releaseDate": "2016-08-15T00:00:00.000Z", "patchedCveIds": [] }, "6.5.0": { "version": "6.5.0", "releaseDate": "2016-08-26T00:00:00.000Z", "patchedCveIds": [] }, "6.6.0": { "version": "6.6.0", "releaseDate": "2016-09-14T00:00:00.000Z", "patchedCveIds": [] }, "6.7.0": { "version": "6.7.0", "releaseDate": "2016-09-27T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-2178", "CVE-2016-2183", "CVE-2016-5325", "CVE-2016-6304", "CVE-2016-6306", "CVE-2016-7052", "CVE-2016-7099" ] }, "6.8.0": { "version": "6.8.0", "releaseDate": "2016-10-12T00:00:00.000Z", "patchedCveIds": [] }, "6.8.1": { "version": "6.8.1", "releaseDate": "2016-10-14T00:00:00.000Z", "patchedCveIds": [] }, "6.9.0": { "version": "6.9.0", "releaseDate": "2016-10-18T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-5172" ] }, "6.9.1": { "version": "6.9.1", "releaseDate": "2016-10-19T00:00:00.000Z", "patchedCveIds": [] }, "6.9.2": { "version": "6.9.2", "releaseDate": "2016-12-06T00:00:00.000Z", "patchedCveIds": [] }, "6.9.3": { "version": "6.9.3", "releaseDate": "2017-01-03T00:00:00.000Z", "patchedCveIds": [] }, "6.9.4": { "version": "6.9.4", "releaseDate": "2017-01-05T00:00:00.000Z", "patchedCveIds": [] }, "6.9.5": { "version": "6.9.5", "releaseDate": "2017-01-31T00:00:00.000Z", "patchedCveIds": [] }, "6.10.0": { "version": "6.10.0", "releaseDate": "2017-02-21T00:00:00.000Z", "patchedCveIds": [] }, "6.10.1": { "version": "6.10.1", "releaseDate": "2017-03-21T00:00:00.000Z", "patchedCveIds": [] }, "6.10.2": { "version": "6.10.2", "releaseDate": "2017-04-04T00:00:00.000Z", "patchedCveIds": [] }, "6.10.3": { "version": "6.10.3", "releaseDate": "2017-05-02T00:00:00.000Z", "patchedCveIds": [] }, "6.11.0": { "version": "6.11.0", "releaseDate": "2017-06-06T00:00:00.000Z", "patchedCveIds": [] }, "6.11.1": { "version": "6.11.1", "releaseDate": "2017-07-11T00:00:00.000Z", "patchedCveIds": [ "CVE-2017-1000381" ] }, "6.11.2": { "version": "6.11.2", "releaseDate": "2017-08-01T00:00:00.000Z", "patchedCveIds": [] }, "6.11.3": { "version": "6.11.3", "releaseDate": "2017-09-05T00:00:00.000Z", "patchedCveIds": [] }, "6.11.4": { "version": "6.11.4", "releaseDate": "2017-10-03T00:00:00.000Z", "patchedCveIds": [] }, "6.11.5": { "version": "6.11.5", "releaseDate": "2017-10-24T00:00:00.000Z", "patchedCveIds": [ "CVE-2017-14919" ] }, "6.12.0": { "version": "6.12.0", "releaseDate": "2017-11-07T00:00:00.000Z", "patchedCveIds": [] }, "6.12.1": { "version": "6.12.1", "releaseDate": "2017-12-05T00:00:00.000Z", "patchedCveIds": [] }, "6.12.2": { "version": "6.12.2", "releaseDate": "2017-12-08T00:00:00.000Z", "patchedCveIds": [ "CVE-2017-3738", "CVE-2017-15896" ] }, "6.12.3": { "version": "6.12.3", "releaseDate": "2018-01-02T00:00:00.000Z", "patchedCveIds": [] }, "6.13.0": { "version": "6.13.0", "releaseDate": "2018-02-13T00:00:00.000Z", "patchedCveIds": [] }, "6.13.1": { "version": "6.13.1", "releaseDate": "2018-03-06T00:00:00.000Z", "patchedCveIds": [] }, "6.14.0": { "version": "6.14.0", "releaseDate": "2018-03-28T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-7158", "CVE-2018-7159", "CVE-2018-7160" ] }, "6.14.1": { "version": "6.14.1", "releaseDate": "2018-03-29T00:00:00.000Z", "patchedCveIds": [] }, "6.14.2": { "version": "6.14.2", "releaseDate": "2018-04-30T00:00:00.000Z", "patchedCveIds": [] }, "6.14.3": { "version": "6.14.3", "releaseDate": "2018-06-12T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-7167" ] }, "6.14.4": { "version": "6.14.4", "releaseDate": "2018-08-15T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-732", "CVE-2018-12115" ] }, "6.15.0": { "version": "6.15.0", "releaseDate": "2018-11-27T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-734", "CVE-2018-5407", "CVE-2018-12116", "CVE-2018-12120", "CVE-2018-12121", "CVE-2018-12122", "CVE-2018-12123" ] }, "6.15.1": { "version": "6.15.1", "releaseDate": "2018-12-03T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-12122" ] }, "6.16.0": { "version": "6.16.0", "releaseDate": "2018-12-26T00:00:00.000Z", "patchedCveIds": [] }, "6.17.0": { "version": "6.17.0", "releaseDate": "2019-02-28T00:00:00.000Z", "patchedCveIds": [ "CVE-2019-1559", "CVE-2019-5737", "CVE-2019-5739" ] }, "6.17.1": { "version": "6.17.1", "releaseDate": "2019-04-03T00:00:00.000Z", "patchedCveIds": [] }, "7.0.0": { "version": "7.0.0", "releaseDate": "2016-10-25T00:00:00.000Z", "patchedCveIds": [] }, "7.1.0": { "version": "7.1.0", "releaseDate": "2016-11-08T00:00:00.000Z", "patchedCveIds": [] }, "7.2.0": { "version": "7.2.0", "releaseDate": "2016-11-22T00:00:00.000Z", "patchedCveIds": [ "CVE-2016-9551" ] }, "7.2.1": { "version": "7.2.1", "releaseDate": "2016-12-06T00:00:00.000Z", "patchedCveIds": [] }, "7.3.0": { "version": "7.3.0", "releaseDate": "2016-12-20T00:00:00.000Z", "patchedCveIds": [] }, "7.4.0": { "version": "7.4.0", "releaseDate": "2017-01-04T00:00:00.000Z", "patchedCveIds": [] }, "7.5.0": { "version": "7.5.0", "releaseDate": "2017-01-31T00:00:00.000Z", "patchedCveIds": [] }, "7.6.0": { "version": "7.6.0", "releaseDate": "2017-02-21T00:00:00.000Z", "patchedCveIds": [] }, "7.7.0": { "version": "7.7.0", "releaseDate": "2017-02-28T00:00:00.000Z", "patchedCveIds": [] }, "7.7.1": { "version": "7.7.1", "releaseDate": "2017-03-01T00:00:00.000Z", "patchedCveIds": [] }, "7.7.2": { "version": "7.7.2", "releaseDate": "2017-03-08T00:00:00.000Z", "patchedCveIds": [] }, "7.7.3": { "version": "7.7.3", "releaseDate": "2017-03-14T00:00:00.000Z", "patchedCveIds": [] }, "7.7.4": { "version": "7.7.4", "releaseDate": "2017-03-21T00:00:00.000Z", "patchedCveIds": [] }, "7.8.0": { "version": "7.8.0", "releaseDate": "2017-03-28T00:00:00.000Z", "patchedCveIds": [] }, "7.9.0": { "version": "7.9.0", "releaseDate": "2017-04-11T00:00:00.000Z", "patchedCveIds": [] }, "7.10.0": { "version": "7.10.0", "releaseDate": "2017-05-02T00:00:00.000Z", "patchedCveIds": [] }, "7.10.1": { "version": "7.10.1", "releaseDate": "2017-07-11T00:00:00.000Z", "patchedCveIds": [ "CVE-2017-1000381" ] }, "8.0.0": { "version": "8.0.0", "releaseDate": "2017-05-30T00:00:00.000Z", "patchedCveIds": [] }, "8.1.0": { "version": "8.1.0", "releaseDate": "2017-06-07T00:00:00.000Z", "patchedCveIds": [] }, "8.1.1": { "version": "8.1.1", "releaseDate": "2017-06-13T00:00:00.000Z", "patchedCveIds": [] }, "8.1.2": { "version": "8.1.2", "releaseDate": "2017-06-15T00:00:00.000Z", "patchedCveIds": [] }, "8.1.3": { "version": "8.1.3", "releaseDate": "2017-06-29T00:00:00.000Z", "patchedCveIds": [] }, "8.1.4": { "version": "8.1.4", "releaseDate": "2017-07-11T00:00:00.000Z", "patchedCveIds": [ "CVE-2017-1000381" ] }, "8.2.0": { "version": "8.2.0", "releaseDate": "2017-07-19T00:00:00.000Z", "patchedCveIds": [] }, "8.2.1": { "version": "8.2.1", "releaseDate": "2017-07-20T00:00:00.000Z", "patchedCveIds": [] }, "8.3.0": { "version": "8.3.0", "releaseDate": "2017-08-09T00:00:00.000Z", "patchedCveIds": [] }, "8.4.0": { "version": "8.4.0", "releaseDate": "2017-08-15T00:00:00.000Z", "patchedCveIds": [] }, "8.5.0": { "version": "8.5.0", "releaseDate": "2017-09-12T00:00:00.000Z", "patchedCveIds": [] }, "8.6.0": { "version": "8.6.0", "releaseDate": "2017-09-26T00:00:00.000Z", "patchedCveIds": [] }, "8.7.0": { "version": "8.7.0", "releaseDate": "2017-10-11T00:00:00.000Z", "patchedCveIds": [] }, "8.8.0": { "version": "8.8.0", "releaseDate": "2017-10-24T00:00:00.000Z", "patchedCveIds": [ "CVE-2017-14919" ] }, "8.8.1": { "version": "8.8.1", "releaseDate": "2017-10-25T00:00:00.000Z", "patchedCveIds": [] }, "8.9.0": { "version": "8.9.0", "releaseDate": "2017-10-31T00:00:00.000Z", "patchedCveIds": [] }, "8.9.1": { "version": "8.9.1", "releaseDate": "2017-11-07T00:00:00.000Z", "patchedCveIds": [] }, "8.9.2": { "version": "8.9.2", "releaseDate": "2017-12-05T00:00:00.000Z", "patchedCveIds": [] }, "8.9.3": { "version": "8.9.3", "releaseDate": "2017-12-08T00:00:00.000Z", "patchedCveIds": [ "CVE-2017-3738", "CVE-2017-15896", "CVE-2017-15897" ] }, "8.9.4": { "version": "8.9.4", "releaseDate": "2018-01-02T00:00:00.000Z", "patchedCveIds": [] }, "8.10.0": { "version": "8.10.0", "releaseDate": "2018-03-06T00:00:00.000Z", "patchedCveIds": [] }, "8.11.0": { "version": "8.11.0", "releaseDate": "2018-03-28T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-7158", "CVE-2018-7159", "CVE-2018-7160" ] }, "8.11.1": { "version": "8.11.1", "releaseDate": "2018-03-29T00:00:00.000Z", "patchedCveIds": [] }, "8.11.2": { "version": "8.11.2", "releaseDate": "2018-05-15T00:00:00.000Z", "patchedCveIds": [] }, "8.11.3": { "version": "8.11.3", "releaseDate": "2018-06-12T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-7161", "CVE-2018-7167", "CVE-2018-1000168" ] }, "8.11.4": { "version": "8.11.4", "releaseDate": "2018-08-15T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-732", "CVE-2018-12115" ] }, "8.12.0": { "version": "8.12.0", "releaseDate": "2018-09-11T00:00:00.000Z", "patchedCveIds": [] }, "8.13.0": { "version": "8.13.0", "releaseDate": "2018-11-20T00:00:00.000Z", "patchedCveIds": [] }, "8.14.0": { "version": "8.14.0", "releaseDate": "2018-11-27T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-734", "CVE-2018-5407", "CVE-2018-12116", "CVE-2018-12121", "CVE-2018-12122", "CVE-2018-12123" ] }, "8.14.1": { "version": "8.14.1", "releaseDate": "2018-12-18T00:00:00.000Z", "patchedCveIds": [] }, "8.15.0": { "version": "8.15.0", "releaseDate": "2018-12-26T00:00:00.000Z", "patchedCveIds": [] }, "8.15.1": { "version": "8.15.1", "releaseDate": "2019-02-28T00:00:00.000Z", "patchedCveIds": [ "CVE-2019-1559", "CVE-2019-5737" ] }, "8.16.0": { "version": "8.16.0", "releaseDate": "2019-04-16T00:00:00.000Z", "patchedCveIds": [] }, "8.16.1": { "version": "8.16.1", "releaseDate": "2019-08-15T00:00:00.000Z", "patchedCveIds": [ "CVE-2019-9511", "CVE-2019-9512", "CVE-2019-9513", "CVE-2019-9514", "CVE-2019-9515", "CVE-2019-9516", "CVE-2019-9517", "CVE-2019-9518" ] }, "8.16.2": { "version": "8.16.2", "releaseDate": "2019-10-09T00:00:00.000Z", "patchedCveIds": [] }, "8.17.0": { "version": "8.17.0", "releaseDate": "2019-12-17T00:00:00.000Z", "patchedCveIds": [] }, "9.0.0": { "version": "9.0.0", "releaseDate": "2017-10-31T00:00:00.000Z", "patchedCveIds": [] }, "9.1.0": { "version": "9.1.0", "releaseDate": "2017-11-07T00:00:00.000Z", "patchedCveIds": [] }, "9.2.0": { "version": "9.2.0", "releaseDate": "2017-11-14T00:00:00.000Z", "patchedCveIds": [] }, "9.2.1": { "version": "9.2.1", "releaseDate": "2017-12-08T00:00:00.000Z", "patchedCveIds": [ "CVE-2017-3738", "CVE-2017-15896", "CVE-2017-15897" ] }, "9.3.0": { "version": "9.3.0", "releaseDate": "2017-12-12T00:00:00.000Z", "patchedCveIds": [] }, "9.4.0": { "version": "9.4.0", "releaseDate": "2018-01-10T00:00:00.000Z", "patchedCveIds": [] }, "9.5.0": { "version": "9.5.0", "releaseDate": "2018-01-31T00:00:00.000Z", "patchedCveIds": [] }, "9.6.0": { "version": "9.6.0", "releaseDate": "2018-02-22T00:00:00.000Z", "patchedCveIds": [] }, "9.6.1": { "version": "9.6.1", "releaseDate": "2018-02-22T00:00:00.000Z", "patchedCveIds": [] }, "9.7.0": { "version": "9.7.0", "releaseDate": "2018-03-01T00:00:00.000Z", "patchedCveIds": [] }, "9.7.1": { "version": "9.7.1", "releaseDate": "2018-03-02T00:00:00.000Z", "patchedCveIds": [] }, "9.8.0": { "version": "9.8.0", "releaseDate": "2018-03-07T00:00:00.000Z", "patchedCveIds": [] }, "9.9.0": { "version": "9.9.0", "releaseDate": "2018-03-21T00:00:00.000Z", "patchedCveIds": [] }, "9.10.0": { "version": "9.10.0", "releaseDate": "2018-03-28T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-7158", "CVE-2018-7159", "CVE-2018-7160" ] }, "9.10.1": { "version": "9.10.1", "releaseDate": "2018-03-29T00:00:00.000Z", "patchedCveIds": [] }, "9.11.0": { "version": "9.11.0", "releaseDate": "2018-04-04T00:00:00.000Z", "patchedCveIds": [] }, "9.11.1": { "version": "9.11.1", "releaseDate": "2018-04-05T00:00:00.000Z", "patchedCveIds": [] }, "9.11.2": { "version": "9.11.2", "releaseDate": "2018-06-12T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-7161", "CVE-2018-7162", "CVE-2018-7164", "CVE-2018-7167", "CVE-2018-1000168" ] }, "10.0.0": { "version": "10.0.0", "releaseDate": "2018-04-24T00:00:00.000Z", "patchedCveIds": [] }, "10.1.0": { "version": "10.1.0", "releaseDate": "2018-05-08T00:00:00.000Z", "patchedCveIds": [] }, "10.2.0": { "version": "10.2.0", "releaseDate": "2018-05-23T00:00:00.000Z", "patchedCveIds": [] }, "10.2.1": { "version": "10.2.1", "releaseDate": "2018-05-24T00:00:00.000Z", "patchedCveIds": [] }, "10.3.0": { "version": "10.3.0", "releaseDate": "2018-05-29T00:00:00.000Z", "patchedCveIds": [] }, "10.4.0": { "version": "10.4.0", "releaseDate": "2018-06-06T00:00:00.000Z", "patchedCveIds": [] }, "10.4.1": { "version": "10.4.1", "releaseDate": "2018-06-12T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-7161", "CVE-2018-7162", "CVE-2018-7164", "CVE-2018-1000168" ] }, "10.5.0": { "version": "10.5.0", "releaseDate": "2018-06-20T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-732" ] }, "10.6.0": { "version": "10.6.0", "releaseDate": "2018-07-04T00:00:00.000Z", "patchedCveIds": [] }, "10.7.0": { "version": "10.7.0", "releaseDate": "2018-07-18T00:00:00.000Z", "patchedCveIds": [] }, "10.8.0": { "version": "10.8.0", "releaseDate": "2018-08-01T00:00:00.000Z", "patchedCveIds": [] }, "10.9.0": { "version": "10.9.0", "releaseDate": "2018-08-15T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-732", "CVE-2018-7166", "CVE-2018-12115" ] }, "10.10.0": { "version": "10.10.0", "releaseDate": "2018-09-06T00:00:00.000Z", "patchedCveIds": [] }, "10.11.0": { "version": "10.11.0", "releaseDate": "2018-09-20T00:00:00.000Z", "patchedCveIds": [] }, "10.12.0": { "version": "10.12.0", "releaseDate": "2018-10-10T00:00:00.000Z", "patchedCveIds": [] }, "10.13.0": { "version": "10.13.0", "releaseDate": "2018-10-30T00:00:00.000Z", "patchedCveIds": [] }, "10.14.0": { "version": "10.14.0", "releaseDate": "2018-11-27T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-734", "CVE-2018-12121", "CVE-2018-12122", "CVE-2018-12123", "CVE-2019-735" ] }, "10.14.1": { "version": "10.14.1", "releaseDate": "2018-11-29T00:00:00.000Z", "patchedCveIds": [] }, "10.14.2": { "version": "10.14.2", "releaseDate": "2018-12-11T00:00:00.000Z", "patchedCveIds": [] }, "10.15.0": { "version": "10.15.0", "releaseDate": "2018-12-26T00:00:00.000Z", "patchedCveIds": [] }, "10.15.1": { "version": "10.15.1", "releaseDate": "2019-01-29T00:00:00.000Z", "patchedCveIds": [] }, "10.15.2": { "version": "10.15.2", "releaseDate": "2019-02-28T00:00:00.000Z", "patchedCveIds": [ "CVE-2019-5737" ] }, "10.15.3": { "version": "10.15.3", "releaseDate": "2019-03-05T00:00:00.000Z", "patchedCveIds": [] }, "10.16.0": { "version": "10.16.0", "releaseDate": "2019-05-28T00:00:00.000Z", "patchedCveIds": [] }, "10.16.1": { "version": "10.16.1", "releaseDate": "2019-07-31T00:00:00.000Z", "patchedCveIds": [] }, "10.16.2": { "version": "10.16.2", "releaseDate": "2019-08-06T00:00:00.000Z", "patchedCveIds": [] }, "10.16.3": { "version": "10.16.3", "releaseDate": "2019-08-15T00:00:00.000Z", "patchedCveIds": [ "CVE-2019-9511", "CVE-2019-9512", "CVE-2019-9513", "CVE-2019-9514", "CVE-2019-9515", "CVE-2019-9516", "CVE-2019-9517", "CVE-2019-9518" ] }, "10.17.0": { "version": "10.17.0", "releaseDate": "2019-10-22T00:00:00.000Z", "patchedCveIds": [] }, "10.18.0": { "version": "10.18.0", "releaseDate": "2019-12-17T00:00:00.000Z", "patchedCveIds": [] }, "10.18.1": { "version": "10.18.1", "releaseDate": "2020-01-09T00:00:00.000Z", "patchedCveIds": [] }, "10.19.0": { "version": "10.19.0", "releaseDate": "2020-02-06T00:00:00.000Z", "patchedCveIds": [ "CVE-2019-15604", "CVE-2019-15605", "CVE-2019-15606" ] }, "10.20.0": { "version": "10.20.0", "releaseDate": "2020-04-08T00:00:00.000Z", "patchedCveIds": [] }, "10.20.1": { "version": "10.20.1", "releaseDate": "2020-04-12T00:00:00.000Z", "patchedCveIds": [] }, "10.21.0": { "version": "10.21.0", "releaseDate": "2020-06-02T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-8174", "CVE-2020-10531", "CVE-2020-11080" ] }, "10.22.0": { "version": "10.22.0", "releaseDate": "2020-07-21T00:00:00.000Z", "patchedCveIds": [] }, "10.22.1": { "version": "10.22.1", "releaseDate": "2020-09-15T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-8252" ] }, "10.23.0": { "version": "10.23.0", "releaseDate": "2020-10-27T00:00:00.000Z", "patchedCveIds": [] }, "10.23.1": { "version": "10.23.1", "releaseDate": "2021-01-04T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-1971", "CVE-2020-8265", "CVE-2020-8287" ] }, "10.23.2": { "version": "10.23.2", "releaseDate": "2021-01-26T00:00:00.000Z", "patchedCveIds": [] }, "10.23.3": { "version": "10.23.3", "releaseDate": "2021-02-09T00:00:00.000Z", "patchedCveIds": [] }, "10.24.0": { "version": "10.24.0", "releaseDate": "2021-02-23T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-7160", "CVE-2021-22883", "CVE-2021-22884", "CVE-2021-23840" ] }, "10.24.1": { "version": "10.24.1", "releaseDate": "2021-04-06T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-7774", "CVE-2021-3449", "CVE-2021-3450" ] }, "11.0.0": { "version": "11.0.0", "releaseDate": "2018-10-23T00:00:00.000Z", "patchedCveIds": [] }, "11.1.0": { "version": "11.1.0", "releaseDate": "2018-11-02T00:00:00.000Z", "patchedCveIds": [] }, "11.2.0": { "version": "11.2.0", "releaseDate": "2018-11-15T00:00:00.000Z", "patchedCveIds": [] }, "11.3.0": { "version": "11.3.0", "releaseDate": "2018-11-27T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-734", "CVE-2018-12121", "CVE-2018-12122", "CVE-2018-12123", "CVE-2019-735" ] }, "11.4.0": { "version": "11.4.0", "releaseDate": "2018-12-07T00:00:00.000Z", "patchedCveIds": [] }, "11.5.0": { "version": "11.5.0", "releaseDate": "2018-12-18T00:00:00.000Z", "patchedCveIds": [] }, "11.6.0": { "version": "11.6.0", "releaseDate": "2018-12-26T00:00:00.000Z", "patchedCveIds": [] }, "11.7.0": { "version": "11.7.0", "releaseDate": "2019-01-17T00:00:00.000Z", "patchedCveIds": [] }, "11.8.0": { "version": "11.8.0", "releaseDate": "2019-01-24T00:00:00.000Z", "patchedCveIds": [] }, "11.9.0": { "version": "11.9.0", "releaseDate": "2019-01-30T00:00:00.000Z", "patchedCveIds": [] }, "11.10.0": { "version": "11.10.0", "releaseDate": "2019-02-14T00:00:00.000Z", "patchedCveIds": [] }, "11.10.1": { "version": "11.10.1", "releaseDate": "2019-02-28T00:00:00.000Z", "patchedCveIds": [ "CVE-2019-5737" ] }, "11.11.0": { "version": "11.11.0", "releaseDate": "2019-03-06T00:00:00.000Z", "patchedCveIds": [] }, "11.12.0": { "version": "11.12.0", "releaseDate": "2019-03-15T00:00:00.000Z", "patchedCveIds": [] }, "11.13.0": { "version": "11.13.0", "releaseDate": "2019-03-28T00:00:00.000Z", "patchedCveIds": [] }, "11.14.0": { "version": "11.14.0", "releaseDate": "2019-04-11T00:00:00.000Z", "patchedCveIds": [] }, "11.15.0": { "version": "11.15.0", "releaseDate": "2019-04-30T00:00:00.000Z", "patchedCveIds": [] }, "12.0.0": { "version": "12.0.0", "releaseDate": "2019-04-23T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-734", "CVE-2018-735" ] }, "12.1.0": { "version": "12.1.0", "releaseDate": "2019-04-29T00:00:00.000Z", "patchedCveIds": [] }, "12.2.0": { "version": "12.2.0", "releaseDate": "2019-05-07T00:00:00.000Z", "patchedCveIds": [] }, "12.3.0": { "version": "12.3.0", "releaseDate": "2019-05-21T00:00:00.000Z", "patchedCveIds": [] }, "12.3.1": { "version": "12.3.1", "releaseDate": "2019-05-22T00:00:00.000Z", "patchedCveIds": [] }, "12.4.0": { "version": "12.4.0", "releaseDate": "2019-06-04T00:00:00.000Z", "patchedCveIds": [] }, "12.5.0": { "version": "12.5.0", "releaseDate": "2019-06-27T00:00:00.000Z", "patchedCveIds": [] }, "12.6.0": { "version": "12.6.0", "releaseDate": "2019-07-03T00:00:00.000Z", "patchedCveIds": [] }, "12.7.0": { "version": "12.7.0", "releaseDate": "2019-07-23T00:00:00.000Z", "patchedCveIds": [] }, "12.8.0": { "version": "12.8.0", "releaseDate": "2019-08-06T00:00:00.000Z", "patchedCveIds": [] }, "12.8.1": { "version": "12.8.1", "releaseDate": "2019-08-15T00:00:00.000Z", "patchedCveIds": [ "CVE-2019-9511", "CVE-2019-9512", "CVE-2019-9513", "CVE-2019-9514", "CVE-2019-9515", "CVE-2019-9516", "CVE-2019-9517", "CVE-2019-9518" ] }, "12.9.0": { "version": "12.9.0", "releaseDate": "2019-08-20T00:00:00.000Z", "patchedCveIds": [] }, "12.9.1": { "version": "12.9.1", "releaseDate": "2019-08-26T00:00:00.000Z", "patchedCveIds": [] }, "12.10.0": { "version": "12.10.0", "releaseDate": "2019-09-03T00:00:00.000Z", "patchedCveIds": [] }, "12.11.0": { "version": "12.11.0", "releaseDate": "2019-09-25T00:00:00.000Z", "patchedCveIds": [] }, "12.11.1": { "version": "12.11.1", "releaseDate": "2019-10-01T00:00:00.000Z", "patchedCveIds": [] }, "12.12.0": { "version": "12.12.0", "releaseDate": "2019-10-11T00:00:00.000Z", "patchedCveIds": [] }, "12.13.0": { "version": "12.13.0", "releaseDate": "2019-10-21T00:00:00.000Z", "patchedCveIds": [] }, "12.13.1": { "version": "12.13.1", "releaseDate": "2019-11-19T00:00:00.000Z", "patchedCveIds": [] }, "12.14.0": { "version": "12.14.0", "releaseDate": "2019-12-17T00:00:00.000Z", "patchedCveIds": [] }, "12.14.1": { "version": "12.14.1", "releaseDate": "2020-01-07T00:00:00.000Z", "patchedCveIds": [] }, "12.15.0": { "version": "12.15.0", "releaseDate": "2020-02-06T00:00:00.000Z", "patchedCveIds": [ "CVE-2019-15604", "CVE-2019-15605", "CVE-2019-15606" ] }, "12.16.0": { "version": "12.16.0", "releaseDate": "2020-02-11T00:00:00.000Z", "patchedCveIds": [] }, "12.16.1": { "version": "12.16.1", "releaseDate": "2020-02-18T00:00:00.000Z", "patchedCveIds": [] }, "12.16.2": { "version": "12.16.2", "releaseDate": "2020-04-08T00:00:00.000Z", "patchedCveIds": [] }, "12.16.3": { "version": "12.16.3", "releaseDate": "2020-04-28T00:00:00.000Z", "patchedCveIds": [] }, "12.17.0": { "version": "12.17.0", "releaseDate": "2020-05-26T00:00:00.000Z", "patchedCveIds": [] }, "12.18.0": { "version": "12.18.0", "releaseDate": "2020-06-02T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-8172", "CVE-2020-8174", "CVE-2020-11080" ] }, "12.18.1": { "version": "12.18.1", "releaseDate": "2020-06-17T00:00:00.000Z", "patchedCveIds": [] }, "12.18.2": { "version": "12.18.2", "releaseDate": "2020-06-30T00:00:00.000Z", "patchedCveIds": [] }, "12.18.3": { "version": "12.18.3", "releaseDate": "2020-07-22T00:00:00.000Z", "patchedCveIds": [] }, "12.18.4": { "version": "12.18.4", "releaseDate": "2020-09-15T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-8201", "CVE-2020-8252" ] }, "12.19.0": { "version": "12.19.0", "releaseDate": "2020-10-06T00:00:00.000Z", "patchedCveIds": [] }, "12.19.1": { "version": "12.19.1", "releaseDate": "2020-11-16T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-8277" ] }, "12.20.0": { "version": "12.20.0", "releaseDate": "2020-11-24T00:00:00.000Z", "patchedCveIds": [] }, "12.20.1": { "version": "12.20.1", "releaseDate": "2021-01-04T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-1971", "CVE-2020-8265", "CVE-2020-8287" ] }, "12.20.2": { "version": "12.20.2", "releaseDate": "2021-02-10T00:00:00.000Z", "patchedCveIds": [] }, "12.21.0": { "version": "12.21.0", "releaseDate": "2021-02-23T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-7160", "CVE-2021-22883", "CVE-2021-22884", "CVE-2021-23840" ] }, "12.22.0": { "version": "12.22.0", "releaseDate": "2021-03-30T00:00:00.000Z", "patchedCveIds": [] }, "12.22.1": { "version": "12.22.1", "releaseDate": "2021-04-06T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-7774", "CVE-2021-3449", "CVE-2021-3450" ] }, "12.22.2": { "version": "12.22.2", "releaseDate": "2021-07-01T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-22918", "CVE-2021-22921", "CVE-2021-23362", "CVE-2021-27290" ] }, "12.22.3": { "version": "12.22.3", "releaseDate": "2021-07-05T00:00:00.000Z", "patchedCveIds": [] }, "12.22.4": { "version": "12.22.4", "releaseDate": "2021-07-29T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-22930" ] }, "12.22.5": { "version": "12.22.5", "releaseDate": "2021-08-11T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-3672", "CVE-2021-22930", "CVE-2021-22931", "CVE-2021-22939", "CVE-2021-22940" ] }, "12.22.6": { "version": "12.22.6", "releaseDate": "2021-08-31T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-32803", "CVE-2021-32804", "CVE-2021-37701", "CVE-2021-37712", "CVE-2021-37713", "CVE-2021-39134", "CVE-2021-39135" ] }, "12.22.7": { "version": "12.22.7", "releaseDate": "2021-10-12T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-22959", "CVE-2021-22960" ] }, "12.22.8": { "version": "12.22.8", "releaseDate": "2021-12-16T00:00:00.000Z", "patchedCveIds": [] }, "12.22.9": { "version": "12.22.9", "releaseDate": "2022-01-10T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-44531", "CVE-2021-44532", "CVE-2021-44533", "CVE-2022-21824" ] }, "12.22.10": { "version": "12.22.10", "releaseDate": "2022-02-01T00:00:00.000Z", "patchedCveIds": [] }, "12.22.11": { "version": "12.22.11", "releaseDate": "2022-03-17T00:00:00.000Z", "patchedCveIds": [ "CVE-2022-778" ] }, "12.22.12": { "version": "12.22.12", "releaseDate": "2022-04-05T00:00:00.000Z", "patchedCveIds": [] }, "13.0.0": { "version": "13.0.0", "releaseDate": "2019-10-22T00:00:00.000Z", "patchedCveIds": [] }, "13.0.1": { "version": "13.0.1", "releaseDate": "2019-10-23T00:00:00.000Z", "patchedCveIds": [] }, "13.1.0": { "version": "13.1.0", "releaseDate": "2019-11-05T00:00:00.000Z", "patchedCveIds": [] }, "13.2.0": { "version": "13.2.0", "releaseDate": "2019-11-21T00:00:00.000Z", "patchedCveIds": [] }, "13.3.0": { "version": "13.3.0", "releaseDate": "2019-12-03T00:00:00.000Z", "patchedCveIds": [] }, "13.4.0": { "version": "13.4.0", "releaseDate": "2019-12-17T00:00:00.000Z", "patchedCveIds": [] }, "13.5.0": { "version": "13.5.0", "releaseDate": "2019-12-18T00:00:00.000Z", "patchedCveIds": [] }, "13.6.0": { "version": "13.6.0", "releaseDate": "2020-01-07T00:00:00.000Z", "patchedCveIds": [] }, "13.7.0": { "version": "13.7.0", "releaseDate": "2020-01-21T00:00:00.000Z", "patchedCveIds": [] }, "13.8.0": { "version": "13.8.0", "releaseDate": "2020-02-06T00:00:00.000Z", "patchedCveIds": [ "CVE-2019-15604", "CVE-2019-15605", "CVE-2019-15606" ] }, "13.9.0": { "version": "13.9.0", "releaseDate": "2020-02-18T00:00:00.000Z", "patchedCveIds": [] }, "13.10.0": { "version": "13.10.0", "releaseDate": "2020-03-04T00:00:00.000Z", "patchedCveIds": [] }, "13.10.1": { "version": "13.10.1", "releaseDate": "2020-03-04T00:00:00.000Z", "patchedCveIds": [] }, "13.11.0": { "version": "13.11.0", "releaseDate": "2020-03-11T00:00:00.000Z", "patchedCveIds": [] }, "13.12.0": { "version": "13.12.0", "releaseDate": "2020-03-26T00:00:00.000Z", "patchedCveIds": [] }, "13.13.0": { "version": "13.13.0", "releaseDate": "2020-04-14T00:00:00.000Z", "patchedCveIds": [] }, "13.14.0": { "version": "13.14.0", "releaseDate": "2020-04-29T00:00:00.000Z", "patchedCveIds": [] }, "14.0.0": { "version": "14.0.0", "releaseDate": "2020-04-21T00:00:00.000Z", "patchedCveIds": [] }, "14.1.0": { "version": "14.1.0", "releaseDate": "2020-04-29T00:00:00.000Z", "patchedCveIds": [] }, "14.2.0": { "version": "14.2.0", "releaseDate": "2020-05-05T00:00:00.000Z", "patchedCveIds": [] }, "14.3.0": { "version": "14.3.0", "releaseDate": "2020-05-19T00:00:00.000Z", "patchedCveIds": [] }, "14.4.0": { "version": "14.4.0", "releaseDate": "2020-06-02T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-8172", "CVE-2020-8174", "CVE-2020-11080" ] }, "14.5.0": { "version": "14.5.0", "releaseDate": "2020-06-30T00:00:00.000Z", "patchedCveIds": [] }, "14.6.0": { "version": "14.6.0", "releaseDate": "2020-07-21T00:00:00.000Z", "patchedCveIds": [] }, "14.7.0": { "version": "14.7.0", "releaseDate": "2020-07-29T00:00:00.000Z", "patchedCveIds": [] }, "14.8.0": { "version": "14.8.0", "releaseDate": "2020-08-11T00:00:00.000Z", "patchedCveIds": [] }, "14.9.0": { "version": "14.9.0", "releaseDate": "2020-08-27T00:00:00.000Z", "patchedCveIds": [] }, "14.10.0": { "version": "14.10.0", "releaseDate": "2020-09-08T00:00:00.000Z", "patchedCveIds": [] }, "14.10.1": { "version": "14.10.1", "releaseDate": "2020-09-10T00:00:00.000Z", "patchedCveIds": [] }, "14.11.0": { "version": "14.11.0", "releaseDate": "2020-09-15T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-8201", "CVE-2020-8251" ] }, "14.12.0": { "version": "14.12.0", "releaseDate": "2020-09-22T00:00:00.000Z", "patchedCveIds": [] }, "14.13.0": { "version": "14.13.0", "releaseDate": "2020-09-29T00:00:00.000Z", "patchedCveIds": [] }, "14.13.1": { "version": "14.13.1", "releaseDate": "2020-10-07T00:00:00.000Z", "patchedCveIds": [] }, "14.14.0": { "version": "14.14.0", "releaseDate": "2020-10-15T00:00:00.000Z", "patchedCveIds": [] }, "14.15.0": { "version": "14.15.0", "releaseDate": "2020-10-27T00:00:00.000Z", "patchedCveIds": [] }, "14.15.1": { "version": "14.15.1", "releaseDate": "2020-11-16T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-8277" ] }, "14.15.2": { "version": "14.15.2", "releaseDate": "2020-12-15T00:00:00.000Z", "patchedCveIds": [] }, "14.15.3": { "version": "14.15.3", "releaseDate": "2020-12-17T00:00:00.000Z", "patchedCveIds": [] }, "14.15.4": { "version": "14.15.4", "releaseDate": "2021-01-04T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-1971", "CVE-2020-8265", "CVE-2020-8287" ] }, "14.15.5": { "version": "14.15.5", "releaseDate": "2021-02-09T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-21148" ] }, "14.16.0": { "version": "14.16.0", "releaseDate": "2021-02-23T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-7160", "CVE-2021-22883", "CVE-2021-22884", "CVE-2021-23840" ] }, "14.16.1": { "version": "14.16.1", "releaseDate": "2021-04-06T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-7774", "CVE-2021-3449", "CVE-2021-3450" ] }, "14.17.0": { "version": "14.17.0", "releaseDate": "2021-05-11T00:00:00.000Z", "patchedCveIds": [] }, "14.17.1": { "version": "14.17.1", "releaseDate": "2021-06-15T00:00:00.000Z", "patchedCveIds": [] }, "14.17.2": { "version": "14.17.2", "releaseDate": "2021-07-01T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-22918", "CVE-2021-22921" ] }, "14.17.3": { "version": "14.17.3", "releaseDate": "2021-07-05T00:00:00.000Z", "patchedCveIds": [] }, "14.17.4": { "version": "14.17.4", "releaseDate": "2021-07-29T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-22930" ] }, "14.17.5": { "version": "14.17.5", "releaseDate": "2021-08-11T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-3672", "CVE-2021-22930", "CVE-2021-22931", "CVE-2021-22939", "CVE-2021-22940" ] }, "14.17.6": { "version": "14.17.6", "releaseDate": "2021-08-31T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-32803", "CVE-2021-32804", "CVE-2021-37701", "CVE-2021-37712", "CVE-2021-37713", "CVE-2021-39134", "CVE-2021-39135" ] }, "14.18.0": { "version": "14.18.0", "releaseDate": "2021-09-28T00:00:00.000Z", "patchedCveIds": [] }, "14.18.1": { "version": "14.18.1", "releaseDate": "2021-10-12T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-22959", "CVE-2021-22960" ] }, "14.18.2": { "version": "14.18.2", "releaseDate": "2021-11-30T00:00:00.000Z", "patchedCveIds": [] }, "14.18.3": { "version": "14.18.3", "releaseDate": "2022-01-10T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-44531", "CVE-2021-44532", "CVE-2021-44533", "CVE-2022-21824" ] }, "14.19.0": { "version": "14.19.0", "releaseDate": "2022-02-01T00:00:00.000Z", "patchedCveIds": [] }, "14.19.1": { "version": "14.19.1", "releaseDate": "2022-03-17T00:00:00.000Z", "patchedCveIds": [ "CVE-2022-778" ] }, "14.19.2": { "version": "14.19.2", "releaseDate": "2022-05-04T00:00:00.000Z", "patchedCveIds": [] }, "14.19.3": { "version": "14.19.3", "releaseDate": "2022-05-17T00:00:00.000Z", "patchedCveIds": [] }, "14.20.0": { "version": "14.20.0", "releaseDate": "2022-07-07T00:00:00.000Z", "patchedCveIds": [] }, "14.20.1": { "version": "14.20.1", "releaseDate": "2022-09-23T00:00:00.000Z", "patchedCveIds": [ "CVE-2022-32212", "CVE-2022-32213", "CVE-2022-35256" ] }, "14.21.0": { "version": "14.21.0", "releaseDate": "2022-11-01T00:00:00.000Z", "patchedCveIds": [] }, "14.21.1": { "version": "14.21.1", "releaseDate": "2022-11-04T00:00:00.000Z", "patchedCveIds": [ "CVE-2022-43548" ] }, "14.21.2": { "version": "14.21.2", "releaseDate": "2022-12-13T00:00:00.000Z", "patchedCveIds": [] }, "14.21.3": { "version": "14.21.3", "releaseDate": "2023-02-16T00:00:00.000Z", "patchedCveIds": [ "CVE-2023-23918", "CVE-2023-23920" ] }, "15.0.0": { "version": "15.0.0", "releaseDate": "2020-10-20T00:00:00.000Z", "patchedCveIds": [] }, "15.0.1": { "version": "15.0.1", "releaseDate": "2020-10-21T00:00:00.000Z", "patchedCveIds": [] }, "15.1.0": { "version": "15.1.0", "releaseDate": "2020-11-04T00:00:00.000Z", "patchedCveIds": [] }, "15.2.0": { "version": "15.2.0", "releaseDate": "2020-11-10T00:00:00.000Z", "patchedCveIds": [] }, "15.2.1": { "version": "15.2.1", "releaseDate": "2020-11-16T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-8277" ] }, "15.3.0": { "version": "15.3.0", "releaseDate": "2020-11-24T00:00:00.000Z", "patchedCveIds": [] }, "15.4.0": { "version": "15.4.0", "releaseDate": "2020-12-09T00:00:00.000Z", "patchedCveIds": [] }, "15.5.0": { "version": "15.5.0", "releaseDate": "2020-12-22T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-1971" ] }, "15.5.1": { "version": "15.5.1", "releaseDate": "2021-01-04T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-8265", "CVE-2020-8287" ] }, "15.6.0": { "version": "15.6.0", "releaseDate": "2021-01-14T00:00:00.000Z", "patchedCveIds": [] }, "15.7.0": { "version": "15.7.0", "releaseDate": "2021-01-26T00:00:00.000Z", "patchedCveIds": [] }, "15.8.0": { "version": "15.8.0", "releaseDate": "2021-02-02T00:00:00.000Z", "patchedCveIds": [] }, "15.9.0": { "version": "15.9.0", "releaseDate": "2021-02-17T00:00:00.000Z", "patchedCveIds": [] }, "15.10.0": { "version": "15.10.0", "releaseDate": "2021-02-23T00:00:00.000Z", "patchedCveIds": [ "CVE-2018-7160", "CVE-2021-22883", "CVE-2021-22884", "CVE-2021-23840" ] }, "15.11.0": { "version": "15.11.0", "releaseDate": "2021-03-03T00:00:00.000Z", "patchedCveIds": [] }, "15.12.0": { "version": "15.12.0", "releaseDate": "2021-03-17T00:00:00.000Z", "patchedCveIds": [] }, "15.13.0": { "version": "15.13.0", "releaseDate": "2021-03-31T00:00:00.000Z", "patchedCveIds": [] }, "15.14.0": { "version": "15.14.0", "releaseDate": "2021-04-06T00:00:00.000Z", "patchedCveIds": [ "CVE-2020-7774", "CVE-2021-3449", "CVE-2021-3450" ] }, "16.0.0": { "version": "16.0.0", "releaseDate": "2021-04-20T00:00:00.000Z", "patchedCveIds": [] }, "16.1.0": { "version": "16.1.0", "releaseDate": "2021-05-04T00:00:00.000Z", "patchedCveIds": [] }, "16.2.0": { "version": "16.2.0", "releaseDate": "2021-05-19T00:00:00.000Z", "patchedCveIds": [] }, "16.3.0": { "version": "16.3.0", "releaseDate": "2021-06-02T00:00:00.000Z", "patchedCveIds": [] }, "16.4.0": { "version": "16.4.0", "releaseDate": "2021-06-23T00:00:00.000Z", "patchedCveIds": [] }, "16.4.1": { "version": "16.4.1", "releaseDate": "2021-07-01T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-22918", "CVE-2021-22921" ] }, "16.4.2": { "version": "16.4.2", "releaseDate": "2021-07-05T00:00:00.000Z", "patchedCveIds": [] }, "16.5.0": { "version": "16.5.0", "releaseDate": "2021-07-14T00:00:00.000Z", "patchedCveIds": [] }, "16.6.0": { "version": "16.6.0", "releaseDate": "2021-07-29T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-22930" ] }, "16.6.1": { "version": "16.6.1", "releaseDate": "2021-08-03T00:00:00.000Z", "patchedCveIds": [] }, "16.6.2": { "version": "16.6.2", "releaseDate": "2021-08-11T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-3672", "CVE-2021-22930", "CVE-2021-22931", "CVE-2021-22939", "CVE-2021-22940" ] }, "16.7.0": { "version": "16.7.0", "releaseDate": "2021-08-17T00:00:00.000Z", "patchedCveIds": [] }, "16.8.0": { "version": "16.8.0", "releaseDate": "2021-08-25T00:00:00.000Z", "patchedCveIds": [] }, "16.9.0": { "version": "16.9.0", "releaseDate": "2021-09-07T00:00:00.000Z", "patchedCveIds": [] }, "16.9.1": { "version": "16.9.1", "releaseDate": "2021-09-10T00:00:00.000Z", "patchedCveIds": [] }, "16.10.0": { "version": "16.10.0", "releaseDate": "2021-09-22T00:00:00.000Z", "patchedCveIds": [] }, "16.11.0": { "version": "16.11.0", "releaseDate": "2021-10-08T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-22940" ] }, "16.11.1": { "version": "16.11.1", "releaseDate": "2021-10-12T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-22959", "CVE-2021-22960" ] }, "16.12.0": { "version": "16.12.0", "releaseDate": "2021-10-20T00:00:00.000Z", "patchedCveIds": [] }, "16.13.0": { "version": "16.13.0", "releaseDate": "2021-10-26T00:00:00.000Z", "patchedCveIds": [] }, "16.13.1": { "version": "16.13.1", "releaseDate": "2021-12-01T00:00:00.000Z", "patchedCveIds": [] }, "16.13.2": { "version": "16.13.2", "releaseDate": "2022-01-10T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-44531", "CVE-2021-44532", "CVE-2021-44533", "CVE-2022-21824" ] }, "16.14.0": { "version": "16.14.0", "releaseDate": "2022-02-08T00:00:00.000Z", "patchedCveIds": [] }, "16.14.1": { "version": "16.14.1", "releaseDate": "2022-03-15T00:00:00.000Z", "patchedCveIds": [] }, "16.14.2": { "version": "16.14.2", "releaseDate": "2022-03-17T00:00:00.000Z", "patchedCveIds": [ "CVE-2022-778" ] }, "16.15.0": { "version": "16.15.0", "releaseDate": "2022-04-26T00:00:00.000Z", "patchedCveIds": [] }, "16.15.1": { "version": "16.15.1", "releaseDate": "2022-06-01T00:00:00.000Z", "patchedCveIds": [] }, "16.16.0": { "version": "16.16.0", "releaseDate": "2022-07-07T00:00:00.000Z", "patchedCveIds": [] }, "16.17.0": { "version": "16.17.0", "releaseDate": "2022-08-16T00:00:00.000Z", "patchedCveIds": [] }, "16.17.1": { "version": "16.17.1", "releaseDate": "2022-09-23T00:00:00.000Z", "patchedCveIds": [ "CVE-2022-32212", "CVE-2022-32213", "CVE-2022-35255", "CVE-2022-35256" ] }, "16.18.0": { "version": "16.18.0", "releaseDate": "2022-10-12T00:00:00.000Z", "patchedCveIds": [] }, "16.18.1": { "version": "16.18.1", "releaseDate": "2022-11-04T00:00:00.000Z", "patchedCveIds": [ "CVE-2022-43548" ] }, "16.19.0": { "version": "16.19.0", "releaseDate": "2022-12-13T00:00:00.000Z", "patchedCveIds": [] }, "16.19.1": { "version": "16.19.1", "releaseDate": "2023-02-16T00:00:00.000Z", "patchedCveIds": [ "CVE-2023-23918", "CVE-2023-23919", "CVE-2023-23920", "CVE-2023-23936", "CVE-2023-24807" ] }, "16.20.0": { "version": "16.20.0", "releaseDate": "2023-03-29T00:00:00.000Z", "patchedCveIds": [] }, "16.20.1": { "version": "16.20.1", "releaseDate": "2023-06-20T00:00:00.000Z", "patchedCveIds": [ "CVE-2023-30581", "CVE-2023-30585", "CVE-2023-30588", "CVE-2023-30589", "CVE-2023-30590" ] }, "16.20.2": { "version": "16.20.2", "releaseDate": "2023-08-09T00:00:00.000Z", "patchedCveIds": [ "CVE-2023-32002", "CVE-2023-32006", "CVE-2023-32559" ] }, "17.0.0": { "version": "17.0.0", "releaseDate": "2021-10-19T00:00:00.000Z", "patchedCveIds": [] }, "17.0.1": { "version": "17.0.1", "releaseDate": "2021-10-20T00:00:00.000Z", "patchedCveIds": [] }, "17.1.0": { "version": "17.1.0", "releaseDate": "2021-11-09T00:00:00.000Z", "patchedCveIds": [] }, "17.2.0": { "version": "17.2.0", "releaseDate": "2021-11-30T00:00:00.000Z", "patchedCveIds": [] }, "17.3.0": { "version": "17.3.0", "releaseDate": "2021-12-17T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-4044" ] }, "17.3.1": { "version": "17.3.1", "releaseDate": "2022-01-10T00:00:00.000Z", "patchedCveIds": [ "CVE-2021-44531", "CVE-2021-44532", "CVE-2021-44533", "CVE-2022-21824" ] }, "17.4.0": { "version": "17.4.0", "releaseDate": "2022-01-18T00:00:00.000Z", "patchedCveIds": [] }, "17.5.0": { "version": "17.5.0", "releaseDate": "2022-02-10T00:00:00.000Z", "patchedCveIds": [] }, "17.6.0": { "version": "17.6.0", "releaseDate": "2022-02-22T00:00:00.000Z", "patchedCveIds": [] }, "17.7.0": { "version": "17.7.0", "releaseDate": "2022-03-09T00:00:00.000Z", "patchedCveIds": [] }, "17.7.1": { "version": "17.7.1", "releaseDate": "2022-03-10T00:00:00.000Z", "patchedCveIds": [] }, "17.7.2": { "version": "17.7.2", "releaseDate": "2022-03-17T00:00:00.000Z", "patchedCveIds": [ "CVE-2022-778" ] }, "17.8.0": { "version": "17.8.0", "releaseDate": "2022-03-22T00:00:00.000Z", "patchedCveIds": [] }, "17.9.0": { "version": "17.9.0", "releaseDate": "2022-04-07T00:00:00.000Z", "patchedCveIds": [] }, "17.9.1": { "version": "17.9.1", "releaseDate": "2022-06-01T00:00:00.000Z", "patchedCveIds": [] }, "18.0.0": { "version": "18.0.0", "releaseDate": "2022-04-19T00:00:00.000Z", "patchedCveIds": [] }, "18.1.0": { "version": "18.1.0", "releaseDate": "2022-05-03T00:00:00.000Z", "patchedCveIds": [] }, "18.2.0": { "version": "18.2.0", "releaseDate": "2022-05-17T00:00:00.000Z", "patchedCveIds": [] }, "18.3.0": { "version": "18.3.0", "releaseDate": "2022-06-01T00:00:00.000Z", "patchedCveIds": [] }, "18.4.0": { "version": "18.4.0", "releaseDate": "2022-06-16T00:00:00.000Z", "patchedCveIds": [] }, "18.5.0": { "version": "18.5.0", "releaseDate": "2022-07-07T00:00:00.000Z", "patchedCveIds": [ "CVE-2022-2097", "CVE-2022-32212", "CVE-2022-32213", "CVE-2022-32214", "CVE-2022-32215", "CVE-2022-32222", "CVE-2022-32223" ] }, "18.6.0": { "version": "18.6.0", "releaseDate": "2022-07-13T00:00:00.000Z", "patchedCveIds": [] }, "18.7.0": { "version": "18.7.0", "releaseDate": "2022-07-26T00:00:00.000Z", "patchedCveIds": [] }, "18.8.0": { "version": "18.8.0", "releaseDate": "2022-08-24T00:00:00.000Z", "patchedCveIds": [] }, "18.9.0": { "version": "18.9.0", "releaseDate": "2022-09-08T00:00:00.000Z", "patchedCveIds": [] }, "18.9.1": { "version": "18.9.1", "releaseDate": "2022-09-23T00:00:00.000Z", "patchedCveIds": [ "CVE-2022-32212", "CVE-2022-32213", "CVE-2022-32215", "CVE-2022-32222", "CVE-2022-35255", "CVE-2022-35256" ] }, "18.10.0": { "version": "18.10.0", "releaseDate": "2022-09-28T00:00:00.000Z", "patchedCveIds": [] }, "18.11.0": { "version": "18.11.0", "releaseDate": "2022-10-13T00:00:00.000Z", "patchedCveIds": [] }, "18.12.0": { "version": "18.12.0", "releaseDate": "2022-10-25T00:00:00.000Z", "patchedCveIds": [] }, "18.12.1": { "version": "18.12.1", "releaseDate": "2022-11-03T00:00:00.000Z", "patchedCveIds": [ "CVE-2022-3602", "CVE-2022-3786", "CVE-2022-43548" ] }, "18.13.0": { "version": "18.13.0", "releaseDate": "2023-01-05T00:00:00.000Z", "patchedCveIds": [] }, "18.14.0": { "version": "18.14.0", "releaseDate": "2023-02-02T00:00:00.000Z", "patchedCveIds": [] }, "18.14.1": { "version": "18.14.1", "releaseDate": "2023-02-16T00:00:00.000Z", "patchedCveIds": [ "CVE-2023-23918", "CVE-2023-23919", "CVE-2023-23920", "CVE-2023-23936", "CVE-2023-24807" ] }, "18.14.2": { "version": "18.14.2", "releaseDate": "2023-02-21T00:00:00.000Z", "patchedCveIds": [] }, "18.15.0": { "version": "18.15.0", "releaseDate": "2023-03-07T00:00:00.000Z", "patchedCveIds": [] }, "18.16.0": { "version": "18.16.0", "releaseDate": "2023-04-12T00:00:00.000Z", "patchedCveIds": [] }, "18.16.1": { "version": "18.16.1", "releaseDate": "2023-06-20T00:00:00.000Z", "patchedCveIds": [ "CVE-2023-30581", "CVE-2023-30585", "CVE-2023-30588", "CVE-2023-30589", "CVE-2023-30590" ] }, "18.17.0": { "version": "18.17.0", "releaseDate": "2023-07-18T00:00:00.000Z", "patchedCveIds": [] }, "18.17.1": { "version": "18.17.1", "releaseDate": "2023-08-09T00:00:00.000Z", "patchedCveIds": [ "CVE-2023-32002", "CVE-2023-32006", "CVE-2023-32559" ] }, "18.18.0": { "version": "18.18.0", "releaseDate": "2023-09-18T00:00:00.000Z", "patchedCveIds": [] }, "18.18.1": { "version": "18.18.1", "releaseDate": "2023-10-10T00:00:00.000Z", "patchedCveIds": [] }, "18.18.2": { "version": "18.18.2", "releaseDate": "2023-10-13T00:00:00.000Z", "patchedCveIds": [ "CVE-2023-38552", "CVE-2023-39333", "CVE-2023-44487", "CVE-2023-45143" ] }, "18.19.0": { "version": "18.19.0", "releaseDate": "2023-11-29T00:00:00.000Z", "patchedCveIds": [] }, "18.19.1": { "version": "18.19.1", "releaseDate": "2024-02-14T00:00:00.000Z", "patchedCveIds": [ "CVE-2023-46809", "CVE-2024-21892", "CVE-2024-22019", "CVE-2024-22025", "CVE-2024-24806" ] }, "18.20.0": { "version": "18.20.0", "releaseDate": "2024-03-26T00:00:00.000Z", "patchedCveIds": [] }, "18.20.1": { "version": "18.20.1", "releaseDate": "2024-04-03T00:00:00.000Z", "patchedCveIds": [ "CVE-2024-27982", "CVE-2024-27983" ] }, "18.20.2": { "version": "18.20.2", "releaseDate": "2024-04-10T00:00:00.000Z", "patchedCveIds": [ "CVE-2024-27980" ] }, "18.20.3": { "version": "18.20.3", "releaseDate": "2024-05-21T00:00:00.000Z", "patchedCveIds": [] }, "18.20.4": { "version": "18.20.4", "releaseDate": "2024-07-08T00:00:00.000Z", "patchedCveIds": [ "CVE-2024-22020", "CVE-2024-27980", "CVE-2024-36138" ] }, "18.20.5": { "version": "18.20.5", "releaseDate": "2024-11-12T00:00:00.000Z", "patchedCveIds": [] }, "18.20.6": { "version": "18.20.6", "releaseDate": "2025-01-21T00:00:00.000Z", "patchedCveIds": [ "CVE-2025-22150", "CVE-2025-23084", "CVE-2025-23085" ] }, "18.20.7": { "version": "18.20.7", "releaseDate": "2025-02-20T00:00:00.000Z", "patchedCveIds": [] }, "18.20.8": { "version": "18.20.8", "releaseDate": "2025-03-27T00:00:00.000Z", "patchedCveIds": [] }, "19.0.0": { "version": "19.0.0", "releaseDate": "2022-10-18T00:00:00.000Z", "patchedCveIds": [] }, "19.0.1": { "version": "19.0.1", "releaseDate": "2022-11-04T00:00:00.000Z", "patchedCveIds": [ "CVE-2022-3602", "CVE-2022-3786", "CVE-2022-43548" ] }, "19.1.0": { "version": "19.1.0", "releaseDate": "2022-11-14T00:00:00.000Z", "patchedCveIds": [] }, "19.2.0": { "version": "19.2.0", "releaseDate": "2022-11-29T00:00:00.000Z", "patchedCveIds": [] }, "19.3.0": { "version": "19.3.0", "releaseDate": "2022-12-14T00:00:00.000Z", "patchedCveIds": [] }, "19.4.0": { "version": "19.4.0", "releaseDate": "2023-01-06T00:00:00.000Z", "patchedCveIds": [] }, "19.5.0": { "version": "19.5.0", "releaseDate": "2023-01-24T00:00:00.000Z", "patchedCveIds": [] }, "19.6.0": { "version": "19.6.0", "releaseDate": "2023-02-02T00:00:00.000Z", "patchedCveIds": [] }, "19.6.1": { "version": "19.6.1", "releaseDate": "2023-02-16T00:00:00.000Z", "patchedCveIds": [ "CVE-2023-23918", "CVE-2023-23919", "CVE-2023-23920" ] }, "19.7.0": { "version": "19.7.0", "releaseDate": "2023-02-21T00:00:00.000Z", "patchedCveIds": [] }, "19.8.0": { "version": "19.8.0", "releaseDate": "2023-03-14T00:00:00.000Z", "patchedCveIds": [] }, "19.8.1": { "version": "19.8.1", "releaseDate": "2023-03-15T00:00:00.000Z", "patchedCveIds": [] }, "19.9.0": { "version": "19.9.0", "releaseDate": "2023-04-10T00:00:00.000Z", "patchedCveIds": [] }, "20.0.0": { "version": "20.0.0", "releaseDate": "2023-04-18T00:00:00.000Z", "patchedCveIds": [] }, "20.1.0": { "version": "20.1.0", "releaseDate": "2023-05-03T00:00:00.000Z", "patchedCveIds": [] }, "20.2.0": { "version": "20.2.0", "releaseDate": "2023-05-16T00:00:00.000Z", "patchedCveIds": [] }, "20.3.0": { "version": "20.3.0", "releaseDate": "2023-06-08T00:00:00.000Z", "patchedCveIds": [] }, "20.3.1": { "version": "20.3.1", "releaseDate": "2023-06-20T00:00:00.000Z", "patchedCveIds": [ "CVE-2023-30581", "CVE-2023-30582", "CVE-2023-30583", "CVE-2023-30584", "CVE-2023-30585", "CVE-2023-30586", "CVE-2023-30587", "CVE-2023-30588", "CVE-2023-30589", "CVE-2023-30590" ] }, "20.4.0": { "version": "20.4.0", "releaseDate": "2023-07-05T00:00:00.000Z", "patchedCveIds": [] }, "20.5.0": { "version": "20.5.0", "releaseDate": "2023-07-18T00:00:00.000Z", "patchedCveIds": [] }, "20.5.1": { "version": "20.5.1", "releaseDate": "2023-08-09T00:00:00.000Z", "patchedCveIds": [ "CVE-2023-32002", "CVE-2023-32003", "CVE-2023-32004", "CVE-2023-32005", "CVE-2023-32006", "CVE-2023-32558", "CVE-2023-32559" ] }, "20.6.0": { "version": "20.6.0", "releaseDate": "2023-09-04T00:00:00.000Z", "patchedCveIds": [] }, "20.6.1": { "version": "20.6.1", "releaseDate": "2023-09-08T00:00:00.000Z", "patchedCveIds": [] }, "20.7.0": { "version": "20.7.0", "releaseDate": "2023-09-18T00:00:00.000Z", "patchedCveIds": [] }, "20.8.0": { "version": "20.8.0", "releaseDate": "2023-09-28T00:00:00.000Z", "patchedCveIds": [] }, "20.8.1": { "version": "20.8.1", "releaseDate": "2023-10-13T00:00:00.000Z", "patchedCveIds": [ "CVE-2023-38552", "CVE-2023-39331", "CVE-2023-39332", "CVE-2023-39333", "CVE-2023-44487", "CVE-2023-45143" ] }, "20.9.0": { "version": "20.9.0", "releaseDate": "2023-10-24T00:00:00.000Z", "patchedCveIds": [] }, "20.10.0": { "version": "20.10.0", "releaseDate": "2023-11-22T00:00:00.000Z", "patchedCveIds": [] }, "20.11.0": { "version": "20.11.0", "releaseDate": "2024-01-09T00:00:00.000Z", "patchedCveIds": [] }, "20.11.1": { "version": "20.11.1", "releaseDate": "2024-02-14T00:00:00.000Z", "patchedCveIds": [ "CVE-2023-46809", "CVE-2024-21890", "CVE-2024-21891", "CVE-2024-21892", "CVE-2024-21896", "CVE-2024-22017", "CVE-2024-22019", "CVE-2024-22025", "CVE-2024-24806" ] }, "20.12.0": { "version": "20.12.0", "releaseDate": "2024-03-26T00:00:00.000Z", "patchedCveIds": [] }, "20.12.1": { "version": "20.12.1", "releaseDate": "2024-04-03T00:00:00.000Z", "patchedCveIds": [ "CVE-2024-27982", "CVE-2024-27983" ] }, "20.12.2": { "version": "20.12.2", "releaseDate": "2024-04-10T00:00:00.000Z", "patchedCveIds": [ "CVE-2024-27980" ] }, "20.13.0": { "version": "20.13.0", "releaseDate": "2024-05-07T00:00:00.000Z", "patchedCveIds": [] }, "20.13.1": { "version": "20.13.1", "releaseDate": "2024-05-09T00:00:00.000Z", "patchedCveIds": [] }, "20.14.0": { "version": "20.14.0", "releaseDate": "2024-05-28T00:00:00.000Z", "patchedCveIds": [] }, "20.15.0": { "version": "20.15.0", "releaseDate": "2024-06-20T00:00:00.000Z", "patchedCveIds": [] }, "20.15.1": { "version": "20.15.1", "releaseDate": "2024-07-08T00:00:00.000Z", "patchedCveIds": [ "CVE-2024-22018", "CVE-2024-22020", "CVE-2024-27980", "CVE-2024-36137", "CVE-2024-36138", "CVE-2024-37372" ] }, "20.16.0": { "version": "20.16.0", "releaseDate": "2024-07-24T00:00:00.000Z", "patchedCveIds": [] }, "20.17.0": { "version": "20.17.0", "releaseDate": "2024-08-21T00:00:00.000Z", "patchedCveIds": [] }, "20.18.0": { "version": "20.18.0", "releaseDate": "2024-10-03T00:00:00.000Z", "patchedCveIds": [] }, "20.18.1": { "version": "20.18.1", "releaseDate": "2024-11-20T00:00:00.000Z", "patchedCveIds": [] }, "20.18.2": { "version": "20.18.2", "releaseDate": "2025-01-21T00:00:00.000Z", "patchedCveIds": [ "CVE-2025-22150", "CVE-2025-23083", "CVE-2025-23084", "CVE-2025-23085" ] }, "20.18.3": { "version": "20.18.3", "releaseDate": "2025-02-10T00:00:00.000Z", "patchedCveIds": [] }, "20.19.0": { "version": "20.19.0", "releaseDate": "2025-03-13T00:00:00.000Z", "patchedCveIds": [] }, "21.0.0": { "version": "21.0.0", "releaseDate": "2023-10-17T00:00:00.000Z", "patchedCveIds": [] }, "21.1.0": { "version": "21.1.0", "releaseDate": "2023-10-24T00:00:00.000Z", "patchedCveIds": [] }, "21.2.0": { "version": "21.2.0", "releaseDate": "2023-11-14T00:00:00.000Z", "patchedCveIds": [] }, "21.3.0": { "version": "21.3.0", "releaseDate": "2023-11-30T00:00:00.000Z", "patchedCveIds": [] }, "21.4.0": { "version": "21.4.0", "releaseDate": "2023-12-05T00:00:00.000Z", "patchedCveIds": [] }, "21.5.0": { "version": "21.5.0", "releaseDate": "2023-12-19T00:00:00.000Z", "patchedCveIds": [] }, "21.6.0": { "version": "21.6.0", "releaseDate": "2024-01-15T00:00:00.000Z", "patchedCveIds": [] }, "21.6.1": { "version": "21.6.1", "releaseDate": "2024-01-22T00:00:00.000Z", "patchedCveIds": [] }, "21.6.2": { "version": "21.6.2", "releaseDate": "2024-02-14T00:00:00.000Z", "patchedCveIds": [ "CVE-2023-46809", "CVE-2024-21890", "CVE-2024-21891", "CVE-2024-21892", "CVE-2024-21896", "CVE-2024-22017", "CVE-2024-22019", "CVE-2024-22025" ] }, "21.7.0": { "version": "21.7.0", "releaseDate": "2024-03-06T00:00:00.000Z", "patchedCveIds": [] }, "21.7.1": { "version": "21.7.1", "releaseDate": "2024-03-08T00:00:00.000Z", "patchedCveIds": [] }, "21.7.2": { "version": "21.7.2", "releaseDate": "2024-04-03T00:00:00.000Z", "patchedCveIds": [ "CVE-2024-27982", "CVE-2024-27983" ] }, "21.7.3": { "version": "21.7.3", "releaseDate": "2024-04-10T00:00:00.000Z", "patchedCveIds": [ "CVE-2024-27980" ] }, "22.0.0": { "version": "22.0.0", "releaseDate": "2024-04-24T00:00:00.000Z", "patchedCveIds": [ "CVE-2024-27980" ] }, "22.1.0": { "version": "22.1.0", "releaseDate": "2024-05-02T00:00:00.000Z", "patchedCveIds": [] }, "22.2.0": { "version": "22.2.0", "releaseDate": "2024-05-15T00:00:00.000Z", "patchedCveIds": [] }, "22.3.0": { "version": "22.3.0", "releaseDate": "2024-06-11T00:00:00.000Z", "patchedCveIds": [] }, "22.4.0": { "version": "22.4.0", "releaseDate": "2024-07-02T00:00:00.000Z", "patchedCveIds": [] }, "22.4.1": { "version": "22.4.1", "releaseDate": "2024-07-08T00:00:00.000Z", "patchedCveIds": [ "CVE-2024-22018", "CVE-2024-22020", "CVE-2024-27980", "CVE-2024-36137", "CVE-2024-36138", "CVE-2024-37372" ] }, "22.5.0": { "version": "22.5.0", "releaseDate": "2024-07-17T00:00:00.000Z", "patchedCveIds": [] }, "22.5.1": { "version": "22.5.1", "releaseDate": "2024-07-19T00:00:00.000Z", "patchedCveIds": [] }, "22.6.0": { "version": "22.6.0", "releaseDate": "2024-08-06T00:00:00.000Z", "patchedCveIds": [] }, "22.7.0": { "version": "22.7.0", "releaseDate": "2024-08-22T00:00:00.000Z", "patchedCveIds": [] }, "22.8.0": { "version": "22.8.0", "releaseDate": "2024-09-03T00:00:00.000Z", "patchedCveIds": [] }, "22.9.0": { "version": "22.9.0", "releaseDate": "2024-09-17T00:00:00.000Z", "patchedCveIds": [] }, "22.10.0": { "version": "22.10.0", "releaseDate": "2024-10-16T00:00:00.000Z", "patchedCveIds": [] }, "22.11.0": { "version": "22.11.0", "releaseDate": "2024-10-29T00:00:00.000Z", "patchedCveIds": [] }, "22.12.0": { "version": "22.12.0", "releaseDate": "2024-12-03T00:00:00.000Z", "patchedCveIds": [] }, "22.13.0": { "version": "22.13.0", "releaseDate": "2025-01-07T00:00:00.000Z", "patchedCveIds": [] }, "22.13.1": { "version": "22.13.1", "releaseDate": "2025-01-21T00:00:00.000Z", "patchedCveIds": [ "CVE-2025-22150", "CVE-2025-23083", "CVE-2025-23084", "CVE-2025-23085" ] }, "22.14.0": { "version": "22.14.0", "releaseDate": "2025-02-11T00:00:00.000Z", "patchedCveIds": [] }, "23.0.0": { "version": "23.0.0", "releaseDate": "2024-10-16T00:00:00.000Z", "patchedCveIds": [] }, "23.1.0": { "version": "23.1.0", "releaseDate": "2024-10-24T00:00:00.000Z", "patchedCveIds": [] }, "23.2.0": { "version": "23.2.0", "releaseDate": "2024-11-11T00:00:00.000Z", "patchedCveIds": [] }, "23.3.0": { "version": "23.3.0", "releaseDate": "2024-11-20T00:00:00.000Z", "patchedCveIds": [] }, "23.4.0": { "version": "23.4.0", "releaseDate": "2024-12-10T00:00:00.000Z", "patchedCveIds": [] }, "23.5.0": { "version": "23.5.0", "releaseDate": "2024-12-19T00:00:00.000Z", "patchedCveIds": [] }, "23.6.0": { "version": "23.6.0", "releaseDate": "2025-01-07T00:00:00.000Z", "patchedCveIds": [] }, "23.6.1": { "version": "23.6.1", "releaseDate": "2025-01-21T00:00:00.000Z", "patchedCveIds": [ "CVE-2025-22150", "CVE-2025-23083", "CVE-2025-23084", "CVE-2025-23085" ] }, "23.7.0": { "version": "23.7.0", "releaseDate": "2025-01-30T00:00:00.000Z", "patchedCveIds": [] }, "23.8.0": { "version": "23.8.0", "releaseDate": "2025-02-13T00:00:00.000Z", "patchedCveIds": [] }, "23.9.0": { "version": "23.9.0", "releaseDate": "2025-02-26T00:00:00.000Z", "patchedCveIds": [] }, "23.10.0": { "version": "23.10.0", "releaseDate": "2025-03-13T00:00:00.000Z", "patchedCveIds": [] }, "23.11.0": { "version": "23.11.0", "releaseDate": "2025-04-01T00:00:00.000Z", "patchedCveIds": [] } }, "cves": { "CVE-2013-2882": { "id": "CVE-2013-2882", "baseScore": 7.5, "publishedDate": "2013-07-31T13:20:00.000Z", "lastModifiedDate": "2024-11-21T01:52:00.000Z", "description": "Google V8, as used in Google Chrome before 28.0.1500.95, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage \"type confusion.\"" }, "CVE-2013-6668": { "id": "CVE-2013-6668", "baseScore": 7.5, "publishedDate": "2014-03-05T05:11:00.000Z", "lastModifiedDate": "2024-11-21T01:59:00.000Z", "description": "Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Google Chrome before 33.0.1750.146, allow attackers to cause a denial of service or possibly have other impact via unknown vectors." }, "CVE-2014-224": { "id": "CVE-2014-224", "baseScore": 7.4, "publishedDate": "2014-06-05T21:55:00.000Z", "lastModifiedDate": "2024-11-21T02:01:00.000Z", "description": "OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the \"CCS Injection\" vulnerability." }, "CVE-2014-9748": { "id": "CVE-2014-9748", "baseScore": 8.1, "publishedDate": "2020-02-11T17:15:00.000Z", "lastModifiedDate": "2024-11-21T02:21:00.000Z", "description": "The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from releasing the locks of other threads, which allows attackers to cause a denial of service (deadlock) or possibly have unspecified other impact by leveraging a race condition." }, "CVE-2015-278": { "id": "CVE-2015-278", "baseScore": 10, "publishedDate": "2015-05-18T15:59:00.000Z", "lastModifiedDate": "2024-11-21T02:22:00.000Z", "description": "libuv before 0.10.34 does not properly drop group privileges, which allows context-dependent attackers to gain privileges via unspecified vectors." }, "CVE-2015-1788": { "id": "CVE-2015-1788", "baseScore": 4.3, "publishedDate": "2015-06-12T19:59:00.000Z", "lastModifiedDate": "2024-11-21T02:26:00.000Z", "description": "The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication." }, "CVE-2015-1793": { "id": "CVE-2015-1793", "baseScore": 6.5, "publishedDate": "2015-07-09T19:17:00.000Z", "lastModifiedDate": "2024-11-21T02:26:00.000Z", "description": "The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate." }, "CVE-2015-3193": { "id": "CVE-2015-3193", "baseScore": 7.5, "publishedDate": "2015-12-06T20:59:00.000Z", "lastModifiedDate": "2024-11-21T02:28:00.000Z", "description": "The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite." }, "CVE-2015-3194": { "id": "CVE-2015-3194", "baseScore": 7.5, "publishedDate": "2015-12-06T20:59:00.000Z", "lastModifiedDate": "2024-11-21T02:28:00.000Z", "description": "crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter." }, "CVE-2015-6764": { "id": "CVE-2015-6764", "baseScore": 9.8, "publishedDate": "2015-12-06T01:59:00.000Z", "lastModifiedDate": "2024-11-21T02:35:00.000Z", "description": "The BasicJsonStringifier::SerializeJSArray function in json-stringifier.h in the JSON stringifier in Google V8, as used in Google Chrome before 47.0.2526.73, improperly loads array elements, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via crafted JavaScript code." }, "CVE-2015-7384": { "id": "CVE-2015-7384", "baseScore": 7.5, "publishedDate": "2017-10-10T16:29:00.000Z", "lastModifiedDate": "2024-11-21T02:36:00.000Z", "description": "Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service." }, "CVE-2015-8027": { "id": "CVE-2015-8027", "baseScore": 7.5, "publishedDate": "2016-01-02T21:59:00.000Z", "lastModifiedDate": "2024-11-21T02:37:00.000Z", "description": "Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request." }, "CVE-2016-702": { "id": "CVE-2016-702", "baseScore": 5.1, "publishedDate": "2016-03-03T20:59:00.000Z", "lastModifiedDate": "2024-11-21T02:42:00.000Z", "description": "The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a \"CacheBleed\" attack." }, "CVE-2016-705": { "id": "CVE-2016-705", "baseScore": 9.8, "publishedDate": "2016-03-03T20:59:00.000Z", "lastModifiedDate": "2024-11-21T02:42:00.000Z", "description": "Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key." }, "CVE-2016-797": { "id": "CVE-2016-797", "baseScore": 7.5, "publishedDate": "2016-03-03T20:59:00.000Z", "lastModifiedDate": "2024-11-21T02:42:00.000Z", "description": "Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c." }, "CVE-2016-1669": { "id": "CVE-2016-1669", "baseScore": 8.8, "publishedDate": "2016-05-14T21:59:00.000Z", "lastModifiedDate": "2024-11-21T02:46:00.000Z", "description": "The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as used in Google Chrome before 50.0.2661.102, does not properly determine when to expand certain memory allocations, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via crafted JavaScript code." }, "CVE-2016-1699": { "id": "CVE-2016-1699", "baseScore": 6.5, "publishedDate": "2016-06-05T23:59:00.000Z", "lastModifiedDate": "2024-11-21T02:46:00.000Z", "description": "WebKit/Source/devtools/front_end/devtools.js in the Developer Tools (aka DevTools) subsystem in Blink, as used in Google Chrome before 51.0.2704.79, does not ensure that the remoteFrontendUrl parameter is associated with a chrome-devtools-frontend.appspot.com URL, which allows remote attackers to bypass intended access restrictions via a crafted URL." }, "CVE-2016-2086": { "id": "CVE-2016-2086", "baseScore": 7.5, "publishedDate": "2016-04-07T21:59:00.000Z", "lastModifiedDate": "2024-11-21T02:47:00.000Z", "description": "Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header." }, "CVE-2016-2105": { "id": "CVE-2016-2105", "baseScore": 7.5, "publishedDate": "2016-05-05T01:59:00.000Z", "lastModifiedDate": "2024-11-21T02:47:00.000Z", "description": "Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data." }, "CVE-2016-2107": { "id": "CVE-2016-2107", "baseScore": 5.9, "publishedDate": "2016-05-05T01:59:00.000Z", "lastModifiedDate": "2024-11-21T02:47:00.000Z", "description": "The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169." }, "CVE-2016-2178": { "id": "CVE-2016-2178", "baseScore": 5.5, "publishedDate": "2016-06-20T01:59:00.000Z", "lastModifiedDate": "2024-11-21T02:47:00.000Z", "description": "The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack." }, "CVE-2016-2183": { "id": "CVE-2016-2183", "baseScore": 7.5, "publishedDate": "2016-09-01T00:59:00.000Z", "lastModifiedDate": "2025-03-31T15:15:00.000Z", "description": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack." }, "CVE-2016-2216": { "id": "CVE-2016-2216", "baseScore": 7.5, "publishedDate": "2016-04-07T21:59:00.000Z", "lastModifiedDate": "2024-11-21T02:48:00.000Z", "description": "The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a." }, "CVE-2016-5172": { "id": "CVE-2016-5172", "baseScore": 6.5, "publishedDate": "2016-09-25T20:59:00.000Z", "lastModifiedDate": "2024-11-21T02:53:00.000Z", "description": "The parser in Google V8, as used in Google Chrome before 53.0.2785.113, mishandles scopes, which allows remote attackers to obtain sensitive information from arbitrary memory locations via crafted JavaScript code." }, "CVE-2016-5180": { "id": "CVE-2016-5180", "baseScore": 9.8, "publishedDate": "2016-10-03T15:59:00.000Z", "lastModifiedDate": "2024-11-21T02:53:00.000Z", "description": "Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot." }, "CVE-2016-5325": { "id": "CVE-2016-5325", "baseScore": 6.1, "publishedDate": "2016-10-10T16:59:00.000Z", "lastModifiedDate": "2024-11-21T02:54:00.000Z", "description": "CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument." }, "CVE-2016-6303": { "id": "CVE-2016-6303", "baseScore": 9.8, "publishedDate": "2016-09-16T05:59:00.000Z", "lastModifiedDate": "2024-11-21T02:55:00.000Z", "description": "Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors." }, "CVE-2016-6304": { "id": "CVE-2016-6304", "baseScore": 7.5, "publishedDate": "2016-09-26T19:59:00.000Z", "lastModifiedDate": "2024-11-21T02:55:00.000Z", "description": "Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions." }, "CVE-2016-6306": { "id": "CVE-2016-6306", "baseScore": 5.9, "publishedDate": "2016-09-26T19:59:00.000Z", "lastModifiedDate": "2024-11-21T02:55:00.000Z", "description": "The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c." }, "CVE-2016-7052": { "id": "CVE-2016-7052", "baseScore": 7.5, "publishedDate": "2016-09-26T19:59:00.000Z", "lastModifiedDate": "2024-11-21T02:57:00.000Z", "description": "crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation." }, "CVE-2016-7099": { "id": "CVE-2016-7099", "baseScore": 5.9, "publishedDate": "2016-10-10T16:59:00.000Z", "lastModifiedDate": "2024-11-21T02:57:00.000Z", "description": "The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate." }, "CVE-2017-3738": { "id": "CVE-2017-3738", "baseScore": 5.9, "publishedDate": "2017-12-07T16:29:00.000Z", "lastModifiedDate": "2024-11-21T03:26:00.000Z", "description": "There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository." }, "CVE-2017-14919": { "id": "CVE-2017-14919", "baseScore": 7.5, "publishedDate": "2017-10-30T19:29:00.000Z", "lastModifiedDate": "2024-11-21T03:13:00.000Z", "description": "Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter." }, "CVE-2017-15896": { "id": "CVE-2017-15896", "baseScore": 9.1, "publishedDate": "2017-12-11T21:29:00.000Z", "lastModifiedDate": "2024-11-21T03:15:00.000Z", "description": "Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption." }, "CVE-2017-15897": { "id": "CVE-2017-15897", "baseScore": 3.1, "publishedDate": "2017-12-11T21:29:00.000Z", "lastModifiedDate": "2024-11-21T03:15:00.000Z", "description": "Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, \"This is not correctly encoded\", \"hex\");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases." }, "CVE-2017-1000381": { "id": "CVE-2017-1000381", "baseScore": 7.5, "publishedDate": "2017-07-07T17:29:00.000Z", "lastModifiedDate": "2024-11-21T03:04:00.000Z", "description": "The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way." }, "CVE-2018-732": { "id": "CVE-2018-732", "baseScore": 7.5, "publishedDate": "2018-06-12T13:29:00.000Z", "lastModifiedDate": "2024-11-21T03:38:00.000Z", "description": "During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o)." }, "CVE-2018-734": { "id": "CVE-2018-734", "baseScore": 5.9, "publishedDate": "2018-10-30T12:29:00.000Z", "lastModifiedDate": "2024-11-21T03:38:00.000Z", "description": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p)." }, "CVE-2018-735": { "id": "CVE-2018-735", "baseScore": 5.9, "publishedDate": "2018-10-29T13:29:00.000Z", "lastModifiedDate": "2024-11-21T03:38:00.000Z", "description": "The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1)." }, "CVE-2018-5407": { "id": "CVE-2018-5407", "baseScore": 4.7, "publishedDate": "2018-11-15T21:29:00.000Z", "lastModifiedDate": "2024-11-21T04:08:00.000Z", "description": "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'." }, "CVE-2018-7158": { "id": "CVE-2018-7158", "baseScore": 7.5, "publishedDate": "2018-05-17T14:29:00.000Z", "lastModifiedDate": "2024-11-21T04:11:00.000Z", "description": "The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service." }, "CVE-2018-7159": { "id": "CVE-2018-7159", "baseScore": 5.3, "publishedDate": "2018-05-17T14:29:00.000Z", "lastModifiedDate": "2024-11-21T04:11:00.000Z", "description": "The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete." }, "CVE-2018-7160": { "id": "CVE-2018-7160", "baseScore": 8.8, "publishedDate": "2018-05-17T14:29:00.000Z", "lastModifiedDate": "2024-11-21T04:11:00.000Z", "description": "The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access." }, "CVE-2018-7161": { "id": "CVE-2018-7161", "baseScore": 7.5, "publishedDate": "2018-06-13T16:29:00.000Z", "lastModifiedDate": "2024-11-21T04:11:00.000Z", "description": "All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug where objects are used in native code after they are no longer available. This has been addressed by updating the http2 implementation." }, "CVE-2018-7162": { "id": "CVE-2018-7162", "baseScore": 7.5, "publishedDate": "2018-06-13T16:29:00.000Z", "lastModifiedDate": "2024-11-21T04:11:00.000Z", "description": "All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshake. This vulnerability has been addressed by updating the TLS implementation." }, "CVE-2018-7164": { "id": "CVE-2018-7164", "baseScore": 7.5, "publishedDate": "2018-06-13T16:29:00.000Z", "lastModifiedDate": "2024-11-21T04:11:00.000Z", "description": "Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession. This vulnerability was restored by reverting to the prior behaviour." }, "CVE-2018-7166": { "id": "CVE-2018-7166", "baseScore": 7.5, "publishedDate": "2018-08-21T12:29:00.000Z", "lastModifiedDate": "2024-11-21T04:11:00.000Z", "description": "In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a number, this is misinterpreted by `Buffer's` internal \"fill\" method as the `start` to a fill operation. This flaw may be abused where `Buffer.alloc()` arguments are derived from user input to return uncleared memory blocks that may contain sensitive information." }, "CVE-2018-7167": { "id": "CVE-2018-7167", "baseScore": 7.5, "publishedDate": "2018-06-13T16:29:00.000Z", "lastModifiedDate": "2024-11-21T04:11:00.000Z", "description": "Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS \"Boron\"), 8.x (LTS \"Carbon\"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable." }, "CVE-2018-12115": { "id": "CVE-2018-12115", "baseScore": 7.5, "publishedDate": "2018-08-21T12:29:00.000Z", "lastModifiedDate": "2024-11-21T03:44:00.000Z", "description": "In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that start from the second-to-last position of a buffer cause a miscalculation of the maximum length of the input bytes to be written." }, "CVE-2018-12116": { "id": "CVE-2018-12116", "baseScore": 7.5, "publishedDate": "2018-11-28T17:29:00.000Z", "lastModifiedDate": "2024-11-21T03:44:00.000Z", "description": "Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server." }, "CVE-2018-12120": { "id": "CVE-2018-12120", "baseScore": 8.1, "publishedDate": "2018-11-28T17:29:00.000Z", "lastModifiedDate": "2024-11-21T03:44:00.000Z", "description": "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable." }, "CVE-2018-12121": { "id": "CVE-2018-12121", "baseScore": 7.5, "publishedDate": "2018-11-28T17:29:00.000Z", "lastModifiedDate": "2024-12-27T16:15:00.000Z", "description": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer." }, "CVE-2018-12122": { "id": "CVE-2018-12122", "baseScore": 7.5, "publishedDate": "2018-11-28T17:29:00.000Z", "lastModifiedDate": "2024-12-13T14:15:00.000Z", "description": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time." }, "CVE-2018-12123": { "id": "CVE-2018-12123", "baseScore": 4.3, "publishedDate": "2018-11-28T17:29:00.000Z", "lastModifiedDate": "2024-12-13T14:15:00.000Z", "description": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case \"javascript:\" (e.g. \"javAscript:\") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect." }, "CVE-2018-1000168": { "id": "CVE-2018-1000168", "baseScore": 7.5, "publishedDate": "2018-05-08T15:29:00.000Z", "lastModifiedDate": "2024-11-21T03:39:00.000Z", "description": "nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1." }, "CVE-2019-735": { "id": "CVE-2019-735", "baseScore": 7.8, "publishedDate": "2019-04-09T21:29:00.000Z", "lastModifiedDate": "2024-11-21T04:17:00.000Z", "description": "An elevation of privilege vulnerability exists when the Windows Client Server Run-Time Subsystem (CSRSS) fails to properly handle objects in memory, aka 'Windows CSRSS Elevation of Privilege Vulnerability'." }, "CVE-2019-1559": { "id": "CVE-2019-1559", "baseScore": 5.9, "publishedDate": "2019-02-27T23:29:00.000Z", "lastModifiedDate": "2024-11-21T04:36:00.000Z", "description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q)." }, "CVE-2019-5737": { "id": "CVE-2019-5737", "baseScore": 7.5, "publishedDate": "2019-03-28T17:29:00.000Z", "lastModifiedDate": "2024-11-21T04:45:00.000Z", "description": "In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1." }, "CVE-2019-5739": { "id": "CVE-2019-5739", "baseScore": 7.5, "publishedDate": "2019-03-28T17:29:00.000Z", "lastModifiedDate": "2024-11-21T04:45:00.000Z", "description": "Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default." }, "CVE-2019-9511": { "id": "CVE-2019-9511", "baseScore": 7.5, "publishedDate": "2019-08-13T21:15:00.000Z", "lastModifiedDate": "2025-01-14T19:29:00.000Z", "description": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both." }, "CVE-2019-9512": { "id": "CVE-2019-9512", "baseScore": 7.5, "publishedDate": "2019-08-13T21:15:00.000Z", "lastModifiedDate": "2024-11-21T04:51:00.000Z", "description": "Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both." }, "CVE-2019-9513": { "id": "CVE-2019-9513", "baseScore": 7.5, "publishedDate": "2019-08-13T21:15:00.000Z", "lastModifiedDate": "2025-01-14T19:29:00.000Z", "description": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU." }, "CVE-2019-9514": { "id": "CVE-2019-9514", "baseScore": 7.5, "publishedDate": "2019-08-13T21:15:00.000Z", "lastModifiedDate": "2025-01-14T19:29:00.000Z", "description": "Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both." }, "CVE-2019-9515": { "id": "CVE-2019-9515", "baseScore": 7.5, "publishedDate": "2019-08-13T21:15:00.000Z", "lastModifiedDate": "2025-01-14T19:29:00.000Z", "description": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both." }, "CVE-2019-9516": { "id": "CVE-2019-9516", "baseScore": 6.5, "publishedDate": "2019-08-13T21:15:00.000Z", "lastModifiedDate": "2025-01-14T19:29:00.000Z", "description": "Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory." }, "CVE-2019-9517": { "id": "CVE-2019-9517", "baseScore": 7.5, "publishedDate": "2019-08-13T21:15:00.000Z", "lastModifiedDate": "2025-01-14T19:29:00.000Z", "description": "Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both." }, "CVE-2019-9518": { "id": "CVE-2019-9518", "baseScore": 7.5, "publishedDate": "2019-08-13T21:15:00.000Z", "lastModifiedDate": "2025-01-14T19:29:00.000Z", "description": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU." }, "CVE-2019-15604": { "id": "CVE-2019-15604", "baseScore": 7.5, "publishedDate": "2020-02-07T15:15:00.000Z", "lastModifiedDate": "2024-11-21T04:29:00.000Z", "description": "Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate" }, "CVE-2019-15605": { "id": "CVE-2019-15605", "baseScore": 9.8, "publishedDate": "2020-02-07T15:15:00.000Z", "lastModifiedDate": "2024-11-21T04:29:00.000Z", "description": "HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed" }, "CVE-2019-15606": { "id": "CVE-2019-15606", "baseScore": 9.8, "publishedDate": "2020-02-07T15:15:00.000Z", "lastModifiedDate": "2024-11-21T04:29:00.000Z", "description": "Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons" }, "CVE-2020-1971": { "id": "CVE-2020-1971", "baseScore": 5.9, "publishedDate": "2020-12-08T16:15:00.000Z", "lastModifiedDate": "2024-11-21T05:11:00.000Z", "description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w)." }, "CVE-2020-7774": { "id": "CVE-2020-7774", "baseScore": 9.8, "publishedDate": "2020-11-17T13:15:00.000Z", "lastModifiedDate": "2024-11-21T05:37:00.000Z", "description": "The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution." }, "CVE-2020-8172": { "id": "CVE-2020-8172", "baseScore": 7.4, "publishedDate": "2020-06-08T14:15:00.000Z", "lastModifiedDate": "2024-11-21T05:38:00.000Z", "description": "TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0." }, "CVE-2020-8174": { "id": "CVE-2020-8174", "baseScore": 8.1, "publishedDate": "2020-07-24T22:15:00.000Z", "lastModifiedDate": "2024-11-21T05:38:00.000Z", "description": "napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0." }, "CVE-2020-8201": { "id": "CVE-2020-8201", "baseScore": 7.4, "publishedDate": "2020-09-18T21:15:00.000Z", "lastModifiedDate": "2024-11-21T05:38:00.000Z", "description": "Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names." }, "CVE-2020-8251": { "id": "CVE-2020-8251", "baseScore": 7.5, "publishedDate": "2020-09-18T21:15:00.000Z", "lastModifiedDate": "2024-11-21T05:38:00.000Z", "description": "Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections." }, "CVE-2020-8252": { "id": "CVE-2020-8252", "baseScore": 7.8, "publishedDate": "2020-09-18T21:15:00.000Z", "lastModifiedDate": "2024-11-21T05:38:00.000Z", "description": "The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes." }, "CVE-2020-8265": { "id": "CVE-2020-8265", "baseScore": 8.1, "publishedDate": "2021-01-06T21:15:00.000Z", "lastModifiedDate": "2024-11-21T05:38:00.000Z", "description": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits." }, "CVE-2020-8277": { "id": "CVE-2020-8277", "baseScore": 7.5, "publishedDate": "2020-11-19T01:15:00.000Z", "lastModifiedDate": "2024-11-21T05:38:00.000Z", "description": "A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1." }, "CVE-2020-8287": { "id": "CVE-2020-8287", "baseScore": 6.5, "publishedDate": "2021-01-06T21:15:00.000Z", "lastModifiedDate": "2024-11-21T05:38:00.000Z", "description": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling." }, "CVE-2020-10531": { "id": "CVE-2020-10531", "baseScore": 8.8, "publishedDate": "2020-03-12T19:15:00.000Z", "lastModifiedDate": "2024-11-21T04:55:00.000Z", "description": "An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp." }, "CVE-2020-11080": { "id": "CVE-2020-11080", "baseScore": 7.5, "publishedDate": "2020-06-03T23:15:00.000Z", "lastModifiedDate": "2024-11-21T04:56:00.000Z", "description": "In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection." }, "CVE-2021-3449": { "id": "CVE-2021-3449", "baseScore": 5.9, "publishedDate": "2021-03-25T15:15:00.000Z", "lastModifiedDate": "2024-11-21T06:21:00.000Z", "description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j)." }, "CVE-2021-3450": { "id": "CVE-2021-3450", "baseScore": 7.4, "publishedDate": "2021-03-25T15:15:00.000Z", "lastModifiedDate": "2024-11-21T06:21:00.000Z", "description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j)." }, "CVE-2021-3672": { "id": "CVE-2021-3672", "baseScore": 5.6, "publishedDate": "2021-11-23T19:15:00.000Z", "lastModifiedDate": "2024-11-21T06:22:00.000Z", "description": "A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability." }, "CVE-2021-4044": { "id": "CVE-2021-4044", "baseScore": 7.5, "publishedDate": "2021-12-14T19:15:00.000Z", "lastModifiedDate": "2024-11-21T06:36:00.000Z", "description": "Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0)." }, "CVE-2021-21148": { "id": "CVE-2021-21148", "baseScore": 8.8, "publishedDate": "2021-02-09T16:15:00.000Z", "lastModifiedDate": "2025-02-05T13:56:00.000Z", "description": "Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page." }, "CVE-2021-22883": { "id": "CVE-2021-22883", "baseScore": 7.5, "publishedDate": "2021-03-03T18:15:00.000Z", "lastModifiedDate": "2024-11-21T05:50:00.000Z", "description": "Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory." }, "CVE-2021-22884": { "id": "CVE-2021-22884", "baseScore": 7.5, "publishedDate": "2021-03-03T18:15:00.000Z", "lastModifiedDate": "2024-11-21T05:50:00.000Z", "description": "Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160." }, "CVE-2021-22918": { "id": "CVE-2021-22918", "baseScore": 5.3, "publishedDate": "2021-07-12T11:15:00.000Z", "lastModifiedDate": "2024-11-21T05:50:00.000Z", "description": "Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo()." }, "CVE-2021-22921": { "id": "CVE-2021-22921", "baseScore": 7.8, "publishedDate": "2021-07-12T11:15:00.000Z", "lastModifiedDate": "2024-11-21T05:50:00.000Z", "description": "Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking." }, "CVE-2021-22930": { "id": "CVE-2021-22930", "baseScore": 9.8, "publishedDate": "2021-10-07T14:15:00.000Z", "lastModifiedDate": "2024-11-21T05:50:00.000Z", "description": "Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior." }, "CVE-2021-22931": { "id": "CVE-2021-22931", "baseScore": 9.8, "publishedDate": "2021-08-16T19:15:00.000Z", "lastModifiedDate": "2024-11-21T05:50:00.000Z", "description": "Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library." }, "CVE-2021-22939": { "id": "CVE-2021-22939", "baseScore": 5.3, "publishedDate": "2021-08-16T19:15:00.000Z", "lastModifiedDate": "2024-11-21T05:50:00.000Z", "description": "If the Node.js https API was used incorrectly and \"undefined\" was in passed for the \"rejectUnauthorized\" parameter, no error was returned and connections to servers with an expired certificate would have been accepted." }, "CVE-2021-22940": { "id": "CVE-2021-22940", "baseScore": 7.5, "publishedDate": "2021-08-16T19:15:00.000Z", "lastModifiedDate": "2024-11-21T05:50:00.000Z", "description": "Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior." }, "CVE-2021-22959": { "id": "CVE-2021-22959", "baseScore": 6.5, "publishedDate": "2021-11-15T15:15:00.000Z", "lastModifiedDate": "2024-11-21T05:51:00.000Z", "description": "The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6." }, "CVE-2021-22960": { "id": "CVE-2021-22960", "baseScore": 6.5, "publishedDate": "2021-11-03T20:15:00.000Z", "lastModifiedDate": "2024-11-21T05:51:00.000Z", "description": "The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions." }, "CVE-2021-23362": { "id": "CVE-2021-23362", "baseScore": 5.3, "publishedDate": "2021-03-23T17:15:00.000Z", "lastModifiedDate": "2024-11-21T05:51:00.000Z", "description": "The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity." }, "CVE-2021-23840": { "id": "CVE-2021-23840", "baseScore": 7.5, "publishedDate": "2021-02-16T17:15:00.000Z", "lastModifiedDate": "2024-11-21T05:51:00.000Z", "description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x)." }, "CVE-2021-27290": { "id": "CVE-2021-27290", "baseScore": 7.5, "publishedDate": "2021-03-12T22:15:00.000Z", "lastModifiedDate": "2024-11-21T05:57:00.000Z", "description": "ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option." }, "CVE-2021-32803": { "id": "CVE-2021-32803", "baseScore": 8.1, "publishedDate": "2021-08-03T19:15:00.000Z", "lastModifiedDate": "2024-11-21T06:07:00.000Z", "description": "The npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2." }, "CVE-2021-32804": { "id": "CVE-2021-32804", "baseScore": 8.1, "publishedDate": "2021-08-03T19:15:00.000Z", "lastModifiedDate": "2024-11-21T06:07:00.000Z", "description": "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar." }, "CVE-2021-37701": { "id": "CVE-2021-37701", "baseScore": 8.6, "publishedDate": "2021-08-31T17:15:00.000Z", "lastModifiedDate": "2024-11-21T06:15:00.000Z", "description": "The npm package \"tar\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc." }, "CVE-2021-37712": { "id": "CVE-2021-37712", "baseScore": 8.6, "publishedDate": "2021-08-31T17:15:00.000Z", "lastModifiedDate": "2024-11-21T06:15:00.000Z", "description": "The npm package \"tar\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 \"short path\" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p." }, "CVE-2021-37713": { "id": "CVE-2021-37713", "baseScore": 8.6, "publishedDate": "2021-08-31T17:15:00.000Z", "lastModifiedDate": "2024-11-21T06:15:00.000Z", "description": "The npm package \"tar\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\\path`. If the drive letter does not match the extraction target, for example `D:\\extraction\\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves." }, "CVE-2021-39134": { "id": "CVE-2021-39134", "baseScore": 7.8, "publishedDate": "2021-08-31T17:15:00.000Z", "lastModifiedDate": "2024-11-21T06:18:00.000Z", "description": "`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in `package.json` manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multiple dependencies differ only in the case of their name, Arborist's internal data structure saw them as separate items that could coexist within the same level in the `node_modules` hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as `file:/some/path`, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem. For example, a package `pwn-a` could define a dependency in their `package.json` file such as `\"foo\": \"file:/some/path\"`. Another package, `pwn-b` could define a dependency such as `FOO: \"file:foo.tgz\"`. On case-insensitive file systems, if `pwn-a` was installed, and then `pwn-b` was installed afterwards, the contents of `foo.tgz` would be written to `/some/path`, and any existing contents of `/some/path` would be removed. Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above." }, "CVE-2021-39135": { "id": "CVE-2021-39135", "baseScore": 7.8, "publishedDate": "2021-08-31T17:15:00.000Z", "lastModifiedDate": "2024-11-21T06:18:00.000Z", "description": "`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. 1. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) 2. An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2." }, "CVE-2021-44531": { "id": "CVE-2021-44531", "baseScore": 7.4, "publishedDate": "2022-02-24T19:15:00.000Z", "lastModifiedDate": "2024-11-21T06:31:00.000Z", "description": "Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option." }, "CVE-2021-44532": { "id": "CVE-2021-44532", "baseScore": 5.3, "publishedDate": "2022-02-24T19:15:00.000Z", "lastModifiedDate": "2024-11-21T06:31:00.000Z", "description": "Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option." }, "CVE-2021-44533": { "id": "CVE-2021-44533", "baseScore": 5.3, "publishedDate": "2022-02-24T19:15:00.000Z", "lastModifiedDate": "2024-11-21T06:31:00.000Z", "description": "Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable." }, "CVE-2022-778": { "id": "CVE-2022-778", "baseScore": 7.5, "publishedDate": "2022-03-15T17:15:00.000Z", "lastModifiedDate": "2024-11-21T06:39:00.000Z", "description": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc)." }, "CVE-2022-2097": { "id": "CVE-2022-2097", "baseScore": 5.3, "publishedDate": "2022-07-05T11:15:00.000Z", "lastModifiedDate": "2024-11-21T07:00:00.000Z", "description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p)." }, "CVE-2022-3602": { "id": "CVE-2022-3602", "baseScore": 7.5, "publishedDate": "2022-11-01T18:15:00.000Z", "lastModifiedDate": "2024-11-21T07:19:00.000Z", "description": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6)." }, "CVE-2022-3786": { "id": "CVE-2022-3786", "baseScore": 7.5, "publishedDate": "2022-11-01T18:15:00.000Z", "lastModifiedDate": "2024-11-21T07:20:00.000Z", "description": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.\n\n" }, "CVE-2022-21824": { "id": "CVE-2022-21824", "baseScore": 8.2, "publishedDate": "2022-02-24T19:15:00.000Z", "lastModifiedDate": "2024-11-21T06:45:00.000Z", "description": "Due to the formatting logic of the \"console.table()\" function it was not safe to allow user controlled input to be passed to the \"properties\" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be \"__proto__\". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to." }, "CVE-2022-32212": { "id": "CVE-2022-32212", "baseScore": 8.1, "publishedDate": "2022-07-14T15:15:00.000Z", "lastModifiedDate": "2024-11-21T07:05:00.000Z", "description": "A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks." }, "CVE-2022-32213": { "id": "CVE-2022-32213", "baseScore": 6.5, "publishedDate": "2022-07-14T15:15:00.000Z", "lastModifiedDate": "2024-11-21T07:05:00.000Z", "description": "The llhttp parser