CVE-2017-16025

Опубликовано: 04 июн. 2018

Источник: nvd

CVSS3: 5.9

CVSS2: 4.3

EPSS Низкий

Описание

Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to cookie. Submitting an invalid cookie on the websocket upgrade request will cause the node process to error out.

Ссылки

https://github.com/hapijs/nes/commit/249ba1755ed6977fbc208463c87364bf884ad655
Patch
Third Party Advisory
https://github.com/hapijs/nes/issues/171
Third Party Advisory
https://nodesecurity.io/advisories/331
Third Party Advisory
https://github.com/hapijs/nes/commit/249ba1755ed6977fbc208463c87364bf884ad655
Patch
Third Party Advisory
https://github.com/hapijs/nes/issues/171
Third Party Advisory
https://nodesecurity.io/advisories/331
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:hapijs:nes:*:*:*:*:*:node.js:*:*

Версия до 6.4.0 (включая)

EPSS

Процентиль: 58%

0.00365

Низкий

5.9 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-400

CWE-287

Связанные уязвимости

GHSA-3pwh-5mmc-mwrx

github

больше 7 лет назад

Denial of Service in nes