CVE-2017-15010

nodejs-tough-cookie: Regular expression denial of service

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

Se detectó una vulnerabilidad de denegación de servicio con expresiones regulares (ReDoS) en el módulo tough-cookie en versiones anteriores a la 2.3.3 para Node.js. Un atacante que sea capaz de realizar una petición HTTP utilizando una cookie especialmente manipulada podría hacer que la aplicación consuma una cantidad excesiva de recursos de CPU.

A regular expression denial of service flaw was found in Tough-Cookie. An attacker able to make an application using Touch-Cookie to parse a sufficiently large HTTP request Cookie header could cause the application to consume an excessive amount of CPU.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-09-21 First Exploit
2017-10-03 CVE Reserved
2017-10-03 CVE Published
2024-08-05 CVE Updated
2024-09-05 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (12)

URL	Tag	Source
http://www.securityfocus.com/bid/101185	Third Party Advisory
https://nodesecurity.io/advisories/525	Third Party Advisory

URL	Date	SRC
https://github.com/ossf-cve-benchmark/CVE-2017-15010	2017-09-21

URL	Date	SRC
https://snyk.io/vuln/npm:tough-cookie:20170905	2023-11-07

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2017:2912	2023-11-07
https://access.redhat.com/errata/RHSA-2017:2913	2023-11-07
https://access.redhat.com/errata/RHSA-2018:1263	2023-11-07
https://access.redhat.com/errata/RHSA-2018:1264	2023-11-07
https://github.com/salesforce/tough-cookie/issues/92	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT	2023-11-07
https://access.redhat.com/security/cve/CVE-2017-15010	2018-04-30
https://bugzilla.redhat.com/show_bug.cgi?id=1493989	2018-04-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Salesforce Search vendor "Salesforce"		Tough-cookie Search vendor "Salesforce" for product "Tough-cookie"				<= 2.3.2 Search vendor "Salesforce" for product "Tough-cookie" and version " <= 2.3.2"		node.js		Affected