CVE-2019-5737

Published: Mar 28, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.

Affected (5)

Products: Nodejs: Node.js · Opensuse: Leap

1 product

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Nodejs Node.js	From 11.0.0 to 11.10.1
Nodejs Node.js	From 10.0.0 to 10.15.2
Nodejs Node.js	From 6.0.0 to 6.17.0
Nodejs Node.js	From 8.0.0 to 8.15.1

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Opensuse Leap	Version 42.3

Related CWEs

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (14)

http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html

Source: cve-request@iojs.org

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html

Source: cve-request@iojs.org

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00059.html

Source: cve-request@iojs.org

Mailing ListThird Party Advisory

https://access.redhat.com/errata/RHSA-2019:1821

Source: cve-request@iojs.org

Third Party Advisory

https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

Source: cve-request@iojs.org

Third Party Advisory

https://security.gentoo.org/glsa/202003-48

Source: cve-request@iojs.org

Third Party Advisory

https://security.netapp.com/advisory/ntap-20190502-0008/

Source: cve-request@iojs.org

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00059.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://access.redhat.com/errata/RHSA-2019:1821

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.gentoo.org/glsa/202003-48

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.netapp.com/advisory/ntap-20190502-0008/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.