CVE-2020-15168

EPSS 0.07%
Veröffentlicht 10.09.2020 19:15:13
Zuletzt bearbeitet 21.11.2024 05:04:59
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Node-fetch Project ≫ Node-fetch SwPlatformnode.js Version < 2.6.1

Node-fetch Project ≫ Node-fetch Version3.0.0 Updatebeta1 SwPlatformnode.js

Node-fetch Project ≫ Node-fetch Version3.0.0 Updatebeta5 SwPlatformnode.js

Node-fetch Project ≫ Node-fetch Version3.0.0 Updatebeta6 SwPlatformnode.js

Node-fetch Project ≫ Node-fetch Version3.0.0 Updatebeta7 SwPlatformnode.js

Node-fetch Project ≫ Node-fetch Version3.0.0 Updatebeta8 SwPlatformnode.js

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.228

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com	2.6	1.2	1.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r

Third Party Advisory

https://www.npmjs.com/package/node-fetch

Third Party Advisory

Product

https://nvd.nist.gov/vuln/detail/CVE-2020-15168

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-15168

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-15168

EUVD