Vulnerability CVE-2019-5737


Published: 2019-03-28

Description:
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.

Type: CWE-400 (Uncontrolled Resource Consumption ('Resource Exhaustion'))

Vendor: Nodejs
Product: Node.js 
Version:
8.9.4
8.9.3
8.9.2
8.9.1
8.9.0
8.15.1
8.15.0
8.14.1
8.14.0
8.13.0
8.12.0
8.11.4
8.11.3
8.11.2
8.11.1
8.10.0
6.9.5
6.9.4
6.9.3
6.9.2
6.9.1
6.9.0
6.16.0
6.15.1
6.15.0
6.14.4
6.14.3
6.14.2
6.14.1
6.14.0
6.13.1
6.13.0
6.12.3
6.12.2
6.12.1
6.12.0
6.11.5
6.11.4
6.11.3
6.11.2
6.10.3
6.10.1
6.10.0
10.15.2
10.15.1
10.15.0
10.14.2
10.14.1
10.14.0
10.13.0
Vendor: Opensuse
Product: LEAP 
Version: 42.3

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

 References:
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00059.html
https://access.redhat.com/errata/RHSA-2019:1821
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
https://security.netapp.com/advisory/ntap-20190502-0008/

Copyright 2019, cxsecurity.com
