PT-2018-4631 · Javascript · Tough-Cookie

David Kirchner

Publicado

2018-09-05

Atualizado

2018-10-31

CVE-2016-1000232

CVSS v3.1

5.3

Média

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions tough-cookie versions prior to 2.3.0

Description The issue is related to a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing, which can result in Denial of Service. This can be exploited via a custom HTTP header passed by the client, specifically when long strings of semicolons exist in the Set-Cookie header.

Recommendations Update to version 2.3.0 or later. As a temporary workaround, consider restricting the use of custom HTTP headers or limiting the length of strings in the Set-Cookie header to minimize the risk of exploitation.

Correção

DoS

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-1333CWE-20

Identificadores relacionados

CVE-2016-1000232

GHSA-QHV9-728R-6JQG

RHSA-2016:2101

RHSA-2017:2912

Produtos afetados

Tough-Cookie

PT-2018-4631 · Javascript · Tough-Cookie

CVE-2016-1000232

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 13