PT-2018-4631 · Javascript · Tough-Cookie

David Kirchner

Published

2018-09-05

Updated

2018-10-31

CVE-2016-1000232

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions tough-cookie versions prior to 2.3.0

Description The issue is related to a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing, which can result in Denial of Service. This can be exploited via a custom HTTP header passed by the client, specifically when long strings of semicolons exist in the Set-Cookie header.

Recommendations Update to version 2.3.0 or later. As a temporary workaround, consider restricting the use of custom HTTP headers or limiting the length of strings in the Set-Cookie header to minimize the risk of exploitation.

Fix

DoS

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1333CWE-20

Related Identifiers

CVE-2016-1000232

GHSA-QHV9-728R-6JQG

RHSA-2016:2101

RHSA-2017:2912

Affected Products

Tough-Cookie

PT-2018-4631 · Javascript · Tough-Cookie

CVE-2016-1000232

Weakness Enumeration

Related Identifiers

Affected Products

References · 13