Описание
Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack.
It was discovered that V8 did not properly check the stack size limit in certain cases. A remote attacker able to send a request that caused a script executed by V8 to use deep recursion could trigger a stack overflow, leading to a crash of an application using V8.
Отчет
Red Hat Product Security has rated this issue as having Low security impact in Red Hat Enterprise Linux OpenStack Platform. This issue is not currently planned to be addressed in a future security update. Red Hat Satellite 6.5 ship v8 however has been rated as a security impact of Moderate, product version Satellite 6.6 onward is not affected. Satellite 6.5 is in Maintenance Support phase of the product life cycle and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 6 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| CloudForms Management Engine 5 | ruby193-v8 | Will not fix | ||
| OpenShift Enterprise 1 | ruby193-v8 | Will not fix | ||
| Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse) | v8 | Will not fix | ||
| Red Hat OpenShift Enterprise 2 | v8 | Will not fix | ||
| Red Hat OpenStack Platform 4 | ruby193-v8 | Will not fix | ||
| Red Hat OpenStack Platform 4 | v8 | Will not fix | ||
| Red Hat Satellite 6 | v8 | Will not fix | ||
| Red Hat Subscription Asset Manager | ruby193-v8 | Will not fix | ||
| Red Hat Subscription Asset Manager | v8 | Will not fix | ||
| Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 | v8314-v8 | Fixed | RHSA-2014:1744 | 30.10.2014 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.8 Medium
CVSS2
Связанные уязвимости
Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack.
Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack.
Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider th ...
Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack.
EPSS
6.8 Medium
CVSS2