Vulnerability CVE-2018-7167


Published: 2018-06-13

Description:
Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.

Type:

CWE-119

(Improper Restriction of Operations within the Bounds of a Memory Buffer)

Vendor: Nodejs
Product: Node.js 
Version:
9.9.0
9.8.0
9.7.1
9.7.0
9.6.1
9.6.0
9.5.0
9.4.0
9.3.0
9.2.1
9.2.0
9.11.2
9.11.1
9.11.0
9.10.1
9.10.0
9.1.0
9.0.0
8.9.4
8.9.3
8.9.2
8.9.1
8.9.0
8.8.1
8.8.0
8.7.0
8.6.0
8.5.0
8.4.0
8.3.0
8.2.1
8.2.0
8.11.3
8.11.2
8.11.1
8.11.0
8.10.0
8.1.4
8.1.3
8.1.2
8.1.1
8.1.0
8.0.0
6.9.5
6.9.4
6.9.3
6.9.2
6.9.1
6.9.0
6.8.1
6.8.0
6.7.0
6.6.0
6.5.0
6.4.0
6.3.1
6.3.0
6.2.2
6.2.1
6.2.0
6.14.3
6.14.2
6.14.1
6.14.0
6.13.1
6.13.0
6.12.3
6.12.2
6.12.1
6.12.0
6.11.5
6.11.4
6.11.3
6.11.2
6.11.1
6.11.0
6.10.3
6.10.2
6.10.1
6.10.0
6.1.0

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial

 References:
http://www.securityfocus.com/bid/106363
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/

Related CVE
CVE-2019-5739
Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier...
CVE-2019-5737
An attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly thereby keeping the connection and associated resources alive for a long period of time. Attack potentia...
CVE-2018-12123
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a m...
CVE-2018-12122
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources ali...
CVE-2018-12121
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of ...
CVE-2018-12120
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote compu...
CVE-2018-12116
Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a secon...
CVE-2018-5407
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.

Copyright 2019, cxsecurity.com

 

Back to Top