PT-2018-11028 · Node.Js+4 · Node.Js+4

Trevor Norris

·

Publicado

2018-11-27

·

Atualizado

2026-05-18

·

CVE-2018-12121

CVSS v3.1

7.5

Alta

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Node.js versions prior to 6.15.0 Node.js versions prior to 8.14.0 Node.js versions prior to 10.14.0 Node.js versions prior to 11.3.0
Description The issue allows for a Denial of Service with large HTTP headers. By using a combination of many requests with maximum sized headers, and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. The attack potential is mitigated by the use of a load balancer or other proxy layer.
Recommendations For versions prior to 6.15.0, update to version 6.15.0 or later. For versions prior to 8.14.0, update to version 8.14.0 or later. For versions prior to 10.14.0, update to version 10.14.0 or later. For versions prior to 11.3.0, update to version 11.3.0 or later.

Correção

DoS

Resource Exhaustion

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-400

Identificadores relacionados

ALT-PU-2018-2749
CESA-2019_2258
CESA-2019_3497
CLEANSTART-2026-BD71263
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LJ44720
CLEANSTART-2026-LN12820
CLEANSTART-2026-TX00223
CLEANSTART-2026-WI75198
CVE-2018-12121
MGASA-2019-0277
OPENSUSE-SU-2019:0089-1
OPENSUSE-SU-2019_0088-1
OPENSUSE-SU-2019_0089-1
OPENSUSE-SU-2019_0234-1
RHSA-2019:1821
RHSA-2019:2258
RHSA-2019:2939
RHSA-2019:3497
RHSA-2019_2258
RHSA-2019_3497
SUSE-SU-2019:0117-1
SUSE-SU-2019:0118-1
SUSE-SU-2019:0395-1
SUSE-SU-2019:14246-1
SUSE-SU-2019_14246-1

Produtos afetados

Alt Linux
Centos
Node.Js
Red Hat
Suse