// For flags

CVE-2018-7161

nodejs: denial of service (DoS) by causing a node server providing an http2 server to crash

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug where objects are used in native code after they are no longer available. This has been addressed by updating the http2 implementation.

Todas las versiones 8.x, 9.x y 10.x de Node.js son vulnerables y la gravedad es ALTA. Un atacante podría provocar una denegación de servicio (DoS) haciendo que un servidor node que proporcione un servidor http2 se cierre inesperadamente. Esto puede lograrse interactuando con el servidor http2 de forma que desencadene un error de limpieza por el cual los objetos se emplean en el código nativo tras dejar de estar disponibles. Esto ha sido abordado actualizando la implementación http2.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-02-15 CVE Reserved
  • 2018-06-13 CVE Published
  • 2024-01-31 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
  • CWE-400: Uncontrolled Resource Consumption
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 8.0.0 <= 8.8.1
Search vendor "Nodejs" for product "Node.js" and version " >= 8.0.0 <= 8.8.1"
-
Affected
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 8.9.0 < 8.11.3
Search vendor "Nodejs" for product "Node.js" and version " >= 8.9.0 < 8.11.3"
lts
Affected
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 9.0.0 < 9.11.2
Search vendor "Nodejs" for product "Node.js" and version " >= 9.0.0 < 9.11.2"
-
Affected
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 10.0.0 < 10.4.1
Search vendor "Nodejs" for product "Node.js" and version " >= 10.0.0 < 10.4.1"
-
Affected