Description
Remote Memory Exposure in floody
Versions of floody before 0.1.1 are vulnerable to remote memory exposure.
`.write(number)` in the affected `floody` versions passes a number to the Buffer constructor, appending a chunk of uninitialized memory.
Proof of Concept:
```js
var f = require('floody')(process.stdout);
// USERSUPPLIEDINPUT is a placeholder for a value received from the user
f.write(USERSUPPLIEDINPUT);
f.stop();
```
## Recommendation
Update to version 0.1.1 or later.
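
For code that still carries the same pattern, the following added example (not floody's source and not part of the original advisory) puts the number-to-Buffer path beside a hardened conversion. The function names `legacyChunk`, `safeChunk` and `demo` are hypothetical, and the JSON input is constructed.

```javascript
'use strict';
// Added illustration, not floody's source; function names are hypothetical.

// Legacy pattern: the old Buffer(value) constructor treated a number as a
// length and, on older Node.js releases, returned that many bytes without
// clearing them. Buffer.allocUnsafe makes the same behaviour explicit.
function legacyChunk(value) {
  if (typeof value === 'number') {
    return Buffer.allocUnsafe(value); // size chosen by input, contents not zeroed
  }
  return Buffer.from(String(value), 'utf8');
}

// Hardened: the input's type never selects an allocation size. Every accepted
// value is converted to bytes that represent the value itself.
function safeChunk(value) {
  if (Buffer.isBuffer(value)) return value;
  if (typeof value === 'string') return Buffer.from(value, 'utf8');
  if (typeof value === 'number' && Number.isFinite(value)) {
    return Buffer.from(String(value), 'utf8'); // 1000 -> the 4 bytes "1000"
  }
  throw new TypeError('write() expects a string, Buffer or finite number');
}

// Constructed sample: a field expected to be a string arrives as a number.
function demo() {
  const input = JSON.parse('{"msg": 1000}').msg;
  return {
    legacyLength: legacyChunk(input).length,     // buffer sized by the input
    safeText: safeChunk(input).toString('utf8'), // bytes of the value itself
  };
}

console.log(demo());
```

Validating the type where input enters the application, before it reaches any write path, gives the same protection for dependencies that cannot be updated immediately.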
Packages

| Name | Affected versions | Fixed version |
| --- | --- | --- |
| floody (npm) | < 0.1.1 | 0.1.1 |
CVSS3: 5.1 Medium
Weaknesses
CWE-201