CVE-2017-16098

Опубликовано: 07 июн. 2018

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

charset 1.0.0 and below are vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default header max length is 80kb, so the impact of the ReDoS is relatively low.

Ссылки

https://github.com/node-modules/charset/issues/10
Exploit
Third Party Advisory
https://nodesecurity.io/advisories/524
Third Party Advisory
https://github.com/node-modules/charset/issues/10
Exploit
Third Party Advisory
https://nodesecurity.io/advisories/524
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:charset_project:charset:*:*:*:*:*:node.js:*:*

Версия до 1.0.1 (исключая)

EPSS

Процентиль: 55%

0.00328

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-400

Связанные уязвимости

GHSA-9cp3-fh5x-xfcj