admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-06-08 14:08:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

- Added submissions from Node.js Foundation for March 2018 Security Releases from 2018-05-17.

Browse Source
This commit is contained in:
CVE Team 2018-05-17 09:31:05 -04:00
parent d91b8ed826
commit dcdda28998
No known key found for this signature in database
GPG Key ID: 0DA1F9F56BC892E8
3 changed files with 147 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
2018/7xxx/CVE-2018-7158.json
View File

@ -1,8 +1,32 @@
{ {
"CVE_data_meta" : { "CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org", "ASSIGNER" : "cve-request@iojs.org",
"DATE_PUBLIC" : "2018-03-21T00:00:00",
"ID" : "CVE-2018-7158", "ID" : "CVE-2018-7158",
"STATE" : "RESERVED" "STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "Node.js",
"version" : {
"version_data" : [
{
"version_value" : "4.x"
}
]
}
}
]
},
"vendor_name" : "The Node.js Project"
}
]
}
}, },
"data_format" : "MITRE", "data_format" : "MITRE",
"data_type" : "CVE", "data_type" : "CVE",
@ -11,7 +35,26 @@
"description_data" : [ "description_data" : [
{ {
"lang" : "eng", "lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." "value" : "The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-185: Incorrect Regular Expression"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"url" : "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/"
} }
] ]
} }

58
2018/7xxx/CVE-2018-7159.json
View File

@ -1,8 +1,41 @@
{ {
"CVE_data_meta" : { "CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org", "ASSIGNER" : "cve-request@iojs.org",
"DATE_PUBLIC" : "2018-03-21T00:00:00",
"ID" : "CVE-2018-7159", "ID" : "CVE-2018-7159",
"STATE" : "RESERVED" "STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "Node.js",
"version" : {
"version_data" : [
{
"version_value" : "4.x"
},
{
"version_value" : "6.x"
},
{
"version_value" : "8.x"
},
{
"version_value" : "9.x"
}
]
}
}
]
},
"vendor_name" : "The Node.js Project"
}
]
}
}, },
"data_format" : "MITRE", "data_format" : "MITRE",
"data_type" : "CVE", "data_type" : "CVE",
@ -11,7 +44,26 @@
"description_data" : [ "description_data" : [
{ {
"lang" : "eng", "lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." "value" : "The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-115: Misinterpretation of Input"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"url" : "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/"
} }
] ]
} }

49
2018/7xxx/CVE-2018-7160.json
View File

@ -1,8 +1,32 @@
{ {
"CVE_data_meta" : { "CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org", "ASSIGNER" : "cve-request@iojs.org",
"DATE_PUBLIC" : "2018-03-21T00:00:00",
"ID" : "CVE-2018-7160", "ID" : "CVE-2018-7160",
"STATE" : "RESERVED" "STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "Node.js",
"version" : {
"version_data" : [
{
"version_value" : "^6.0.0 || ^8.0.0 || ^9.0.0"
}
]
}
}
]
},
"vendor_name" : "The Node.js Project"
}
]
}
}, },
"data_format" : "MITRE", "data_format" : "MITRE",
"data_type" : "CVE", "data_type" : "CVE",
@ -11,7 +35,26 @@
"description_data" : [ "description_data" : [
{ {
"lang" : "eng", "lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." "value" : "The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"url" : "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/"
} }
] ]
} }