CVE-2015-8855

Опубликовано: 03 апр. 2015

Источник: redhat

CVSS2: 4.3

EPSS Низкий

Описание

The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."

A denial of service flaw was found in the way semver, the semantic version comparison library for Node.js, parsed certain package versions. A remote attacker could use a specially crafted version string that, when processed, would lead to excessive CPU consumption.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Software Collections	nodejs010-nodejs-semver	Will not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-400

https://bugzilla.redhat.com/show_bug.cgi?id=1209496nodejs-semver: npm Regular Expression Denial of Service during package versions parsing

EPSS

Процентиль: 76%

0.01023

Низкий

4.3 Medium

CVSS2

Связанные уязвимости

CVE-2015-8855

CVSS3: 7.5

ubuntu

больше 8 лет назад

The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."

CVE-2015-8855

CVSS3: 7.5

nvd

больше 8 лет назад

The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."

CVE-2015-8855

CVSS3: 7.5

debian

больше 8 лет назад

The semver package before 4.3.2 for Node.js allows attackers to cause ...

GHSA-x6fg-f45m-jf5q

CVSS3: 7.5

github

больше 7 лет назад

Regular Expression Denial of Service in semver

EPSS

Процентиль: 76%

0.01023

Низкий

4.3 Medium

CVSS2