CVE-2017-16026

Published: Jun 4, 2018Modified: Nov 21, 2024

5.9

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

Request is an http client. If a request is made using ```multipart```, and the body type is a ```number```, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.

Affected (2)

Products: Request Project: Request

Request Project

1 product

Request

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Request Project Request	After 2.51.0 to 2.67.0
Request Project Request	From 2.2.6 to 2.47.0

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-201

Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

References (6)

https://github.com/request/request/issues/1904

Source: support@hackerone.com

ExploitIssue TrackingThird Party Advisory

https://github.com/request/request/pull/2018

Source: support@hackerone.com

ExploitIssue TrackingThird Party Advisory

https://nodesecurity.io/advisories/309

Source: support@hackerone.com

ExploitThird Party Advisory

https://github.com/request/request/issues/1904

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://github.com/request/request/pull/2018

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://nodesecurity.io/advisories/309

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.