7.5
CVE-2019-5737
- EPSS 16.18%
- Veröffentlicht 28.03.2019 17:29:01
- Zuletzt bearbeitet 21.11.2024 04:45:24
- Quelle cve-request@iojs.org
- CVE-Watchlists
- Unerledigt
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 16.18% | 0.965 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:N/A:P
|
CWE-400 Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
CWE-770 Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
https://security.gentoo.org/glsa/202003-48
https://access.redhat.com/errata/RHSA-2019:1821
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00059.html
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
https://security.netapp.com/advisory/ntap-20190502-0008/