CVE-2018-3739

Published: Jun 7, 2018Modified: Nov 21, 2024

9.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

https-proxy-agent before 2.1.1 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).

Affected (1)

Products: Https Proxy Agent Project: Https Proxy Agent

Https Proxy Agent Project

1 product

Https Proxy Agent

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Https Proxy Agent Project Https Proxy Agent	Before 2.2.0

Related CWEs

CWE-125

Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

CWE-400

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (2)

https://hackerone.com/reports/319532

Source: support@hackerone.com

ExploitThird Party Advisory

https://hackerone.com/reports/319532

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.