CVE-2018-7161
nodejs: denial of service (DoS) by causing a node server providing an http2 server to crash
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug where objects are used in native code after they are no longer available. This has been addressed by updating the http2 implementation.
SSVC
- Decision: -
Timeline
- 2018-02-15 CVE Reserved
- 2018-06-13 CVE Published
- 2024-01-31 EPSS Updated
- 2024-09-17 CVE Updated
- Exploited in Wild: no date recorded
- KEV Due Date: no date recorded
- First Exploit: no date recorded
CWE
- CWE-20: Improper Input Validation
- CWE-400: Uncontrolled Resource Consumption
References (5)
URL | Date | Tag |
---|---|---|
http://www.securityfocus.com/bid/106363 | - | Third Party Advisory |
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases | 2022-08-16 | - |
https://security.gentoo.org/glsa/202003-48 | 2022-08-16 | - |
https://access.redhat.com/security/cve/CVE-2018-7161 | 2018-10-18 | - |
https://bugzilla.redhat.com/show_bug.cgi?id=1591013 | 2018-10-18 | - |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Nodejs | Node.js | >= 8.0.0 <= 8.8.1 | - | Affected |
Nodejs | Node.js | >= 8.9.0 < 8.11.3 | lts | Affected |
Nodejs | Node.js | >= 9.0.0 < 9.11.2 | - | Affected |
Nodejs | Node.js | >= 10.0.0 < 10.4.1 | - | Affected |