update core index.json (#1273)

* vuln: update core index.json * vuln: update core index.json --------- Co-authored-by: Create or Update Pull Request Action <[email protected]> Co-authored-by: Ulises Gascón <[email protected]>
nodejs · Apr 3, 2024 · 6fffbfa · 6fffbfa
1 parent a595c40
commit 6fffbfa
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/vuln/core/index.json b/vuln/core/index.json
@@ -1714,5 +1714,29 @@
     "affectedEnvironments": [
       "all"
     ]
+  },
+  "139": {
+    "cve": [
+      "CVE-2024-27983"
+    ],
+    "vulnerable": "18.x || 20.x || 21.x",
+    "patched": "^18.20.1 || ^20.12.1 || ^21.7.2",
+    "ref": "https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/",
+    "overview": "An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.",
+    "affectedEnvironments": [
+      "all"
+    ]
+  },
+  "140": {
+    "cve": [
+      "CVE-2024-27982"
+    ],
+    "vulnerable": "18.x || 20.x || 21.x",
+    "patched": "^18.20.1 || ^20.12.1 || ^21.7.2",
+    "ref": "https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/",
+    "overview": "The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.",
+    "affectedEnvironments": [
+      "all"
+    ]
   }
 }