Description
fastify is a fast, low-overhead web framework for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit fbb07e8d and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out HTTP content with malicious Content-Type headers.
References
- Patch, Third Party Advisory
- Mitigation, Third Party Advisory
- Third Party Advisory
Vulnerable configurations
Configuration 1: versions before 4.8.1 (exclusive)
cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*
EPSS: 0.03001 (Low)
Percentile: 86%
CVSS3: 7.5 High
Weaknesses: CWE-754
Related vulnerabilities
CVSS3: 7.5
github
more than 3 years ago
fastify vulnerable to denial of service via malicious Content-Type