CVE-2019-10196

Опубликовано: 19 мар. 2021

Источник: nvd

CVSS3: 9.8

CVSS2: 9

EPSS Низкий

Описание

A flaw was found in http-proxy-agent, prior to version 2.1.0. It was discovered http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter.

Ссылки

https://bugzilla.redhat.com/show_bug.cgi?id=1567245
Issue Tracking
Patch
Third Party Advisory
https://www.npmjs.com/advisories/607
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1567245
Issue Tracking
Patch
Third Party Advisory
https://www.npmjs.com/advisories/607
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:http-proxy-agent_project:http-proxy-agent:*:*:*:*:*:node.js:*:*

Версия до 2.1.0 (исключая)

Конфигурация 2

cpe:2.3:o:fedoraproject:fedora:27:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

EPSS

Процентиль: 58%

0.00364

Низкий

9.8 Critical

CVSS3

9 Critical

CVSS2

Дефекты

CWE-665

Связанные уязвимости

CVE-2019-10196

CVSS3: 7.3

redhat

почти 8 лет назад

GHSA-86wf-436m-h424