Page 6 of 41 results (0.016 seconds)

CVSS: 7.8EPSS: 14%CPEs: 12EXPL: 0

CVE-2019-9512 – Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service

https://notcve.org/view.php?id=CVE-2019-9512

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. Algunas implementaciones de HTTP / 2 son vulnerables a las inundaciones de ping, lo que puede conducir a una denegación de servicio. El atacante envía pings continuos a un par HTTP / 2, haciendo que el par construya una cola interna de respuestas. • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2019-09 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 7.8EPSS: 79%CPEs: 55EXPL: 0

CVE-2019-9514 – Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service

https://notcve.org/view.php?id=CVE-2019-9514

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. Algunas implementaciones de HTTP / 2 son vulnerables a una inundación de reinicio, lo que puede conducir a una denegación de servicio. El atacante abre una serie de secuencias y envía una solicitud no válida sobre cada secuencia que debería solicitar una secuencia de tramas RST_STREAM del par. • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2019-09 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 0

CVE-2019-5737 – nodejs: Insufficient Slowloris fix causing DoS via server.headersTimeout bypass

https://notcve.org/view.php?id=CVE-2019-5737

In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1. En Node.js, que incluye la versión 6.x en versiones anteriores a la 6.17.0, 8.x en versiones anteriores a la 8.15.1, 10.x en versiones anteriores a la 10.15.2 y 11.x en versiones anteriores a la 11.10.1, un atacante puede provocar una denegación de servicio (DoS) instalando una conexión HTTP o HTTPS en modo keep-alive y enviando encabezados muy lentamente. • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00059.html https://access.redhat.com/errata/RHSA-2019:1821 https://nodejs.org/en/blog/vulnerability/february-2019-security-releases https://security.gentoo.org/glsa/202003-48 https://security.netapp.com/advisory/ntap-20190502-0008 https://access.redhat.com/security/cve/CVE-2019-5737 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 7.5EPSS: 1%CPEs: 18EXPL: 0

CVE-2018-12121 – nodejs: Denial of Service with large HTTP headers

https://notcve.org/view.php?id=CVE-2018-12121

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer. Node.js: Todas las versiones anteriores a la 6.15.0, 8.14.0, 10.14.0 y 11.3.0: Denegación de servicio (DoS) con cabeceras HTTP grandes. Mediante la combinación de muchas peticiones con cabeceras de tamaño máximo (casi 80 KB por conexión) y al terminar a su debido tiempo las cabeceras, es posible provocar que el servidor HTTP aborte el fallo de asignación de memoria dinámica (heap). El potencial del ataque se ve mitigado por el uso de un balance de carga u otra capa del proxy. • http://www.securityfocus.com/bid/106043 https://access.redhat.com/errata/RHSA-2019:1821 https://access.redhat.com/errata/RHSA-2019:2258 https://access.redhat.com/errata/RHSA-2019:3497 https://nodejs.org/en/blog/vulnerability/november-2018-security-releases https://security.gentoo.org/glsa/202003-48 https://access.redhat.com/security/cve/CVE-2018-12121 https://bugzilla.redhat.com/show_bug.cgi?id=1661002 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0

CVE-2018-12123 – nodejs: Hostname spoofing in URL parser for javascript protocol

https://notcve.org/view.php?id=CVE-2018-12123

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect. Node.js: Todas las versiones anteriores a la 6.15.0, 8.14.0, 10.14.0 y 11.3.0: Suplantación dek nombre del host en un analizador de URL para el protocolo JavaScript. Si una aplicación de Node.js está empleando url.parse() para determinar el nombre de host de la URL, dicho nombre puede suplantarse mediante un protocolo "javascript:" de letra mixta (por ejemplo, "javAscript:"). • https://access.redhat.com/errata/RHSA-2019:1821 https://nodejs.org/en/blog/vulnerability/november-2018-security-releases https://security.gentoo.org/glsa/202003-48 https://access.redhat.com/security/cve/CVE-2018-12123 https://bugzilla.redhat.com/show_bug.cgi?id=1661010 • CWE-20: Improper Input Validation CWE-115: Misinterpretation of Input •