Vulnerability CVE-2018-12122


Published: 2018-11-28

Description:
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.

Type:

CWE-400

(Uncontrolled Resource Consumption ('Resource Exhaustion'))

Vendor: Nodejs
Product: Node.js 
Version:
8.9.4
8.9.3
8.9.2
8.9.1
8.9.0
8.8.1
8.8.0
8.7.0
8.6.0
8.5.0
8.4.0
8.3.0
8.2.1
8.2.0
8.11.3
8.11.2
8.11.1
8.11.0
8.10.0
8.1.4
8.1.3
8.1.2
8.1.1
8.1.0
8.0.0
6.9.5
6.9.4
6.9.3
6.9.2
6.9.1
6.9.0
6.8.1
6.8.0
6.7.0
6.6.0
6.5.0
6.4.0
6.3.1
6.3.0
6.2.2
6.2.1
6.2.0
6.14.3
6.14.2
6.14.1
6.14.0
6.13.1
6.13.0
6.12.3
6.12.2
6.12.1
6.12.0
6.11.5
6.11.4
6.11.3
6.11.2
6.11.1
6.11.0
6.10.3
6.10.2
6.10.1
6.10.0
6.1.0
6.0.0
10.8.0
10.7.0
10.6.0
10.5.0
10.4.1
10.4.0
10.3.0
10.2.1
10.2.0
10.1.0
10.0.0
Vendor: SUSE
Product: Suse openstack cloud 
Version: 8; 7;
Product: Suse enterprise storage 
Version: 4;
Product: Suse linux enterprise server 
Version: 15; 12;

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial

 References:
http://www.securityfocus.com/bid/106043
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

Related CVE
CVE-2018-19655
A stack-based buffer overflow in the find_green() function of dcraw through 9.28, as used in ufraw-batch and many other products, may allow a remote attacker to cause a control-flow hijack, denial-of-service, or unspecified other impact via a malicio...
CVE-2018-12116
Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a secon...
CVE-2018-19543
An issue was discovered in JasPer 2.0.14. There is a heap-based buffer over-read of size 8 in the function jp2_decode in libjasper/jp2/jp2_dec.c.
CVE-2018-19542
An issue was discovered in JasPer 2.0.14. There is a NULL pointer dereference in the function jp2_decode in libjasper/jp2/jp2_dec.c, leading to a denial of service.
CVE-2018-19541
An issue was discovered in JasPer 2.0.14. There is a heap-based buffer over-read of size 8 in the function jas_image_depalettize in libjasper/base/jas_image.c.
CVE-2018-19540
An issue was discovered in JasPer 2.0.14. There is a heap-based buffer overflow of size 1 in the function jas_icctxtdesc_input in libjasper/base/jas_icc.c.
CVE-2018-19539
An issue was discovered in JasPer 2.0.14. There is an access violation in the function jas_image_readcmpt in libjasper/base/jas_image.c, leading to a denial of service.
CVE-2018-19208
In libwpd 0.10.2, there is a NULL pointer dereference in the function WP6ContentListener::defineTable in WP6ContentListener.cpp that will lead to a denial of service attack. This is related to WPXTable.h.

Copyright 2019, cxsecurity.com

 

Back to Top