CVE-2017-1000048

Published: 01 Mar 2017
Source: redhat
CVSS3: 5.3
EPSS: Low

Description

The web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework to crash.

It was found that ljharb's qs module for Node.js did not properly parse query strings. An attacker could send a specially crafted query that overwrites the resulting object's prototype properties (such as toString() or hasOwnProperty()), resulting in a denial of service when the overwritten function would be executed.

Report

Red Hat Quay includes nodejs-qs as a build-time dependency. Nodejs-qs is used by protractor for testing at build time and is not included at runtime.

Affected packages

| Platform | Package | State | Advisory | Release |
| --- | --- | --- | --- | --- |
| Red Hat Mobile Application Platform 4 | fh-mbaas | Will not fix | | |
| Red Hat Mobile Application Platform 4 | fh-ngui | Will not fix | | |
| Red Hat Mobile Application Platform 4 | fh-scm | Will not fix | | |
| Red Hat Mobile Application Platform 4 | fh-statsd | Will not fix | | |
| Red Hat Mobile Application Platform 4 | fh-supercore | Will not fix | | |
| Red Hat OpenShift Enterprise 3 | nodejs-qs | Under investigation | | |
| Red Hat Quay 3 | quay/quay-rhel8 | Not affected | | |
| Red Hat Software Collections | rh-nodejs4-nodejs-qs | Not affected | | |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-nodejs6-nodejs-qs | Fixed | RHSA-2017:2672 | 07.09.2017 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS | rh-nodejs6-nodejs-qs | Fixed | RHSA-2017:2672 | 07.09.2017 |


Additional information

Status: Moderate
Defect: CWE-20
https://bugzilla.redhat.com/show_bug.cgi?id=1427872 nodejs-qs: Prototype override protection bypass

EPSS: 0.00532 (percentile: 67%, Low)

CVSS3: 5.3 Medium

Related vulnerabilities

CVSS3: 7.5
ubuntu
more than 8 years ago

The web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework to crash.

CVSS3: 7.5
nvd
more than 8 years ago

The web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework to crash.

CVSS3: 7.5
github
almost 6 years ago

Prototype Pollution Protection Bypass in qs
