Описание
sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.
Отчет
Red Hat Quay includes sshpk as a dependency of protractor which is only used during a build. The sshpk dependency is not used at runtime therefore this vulnerability has a low impact for Red Hat Quay.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | nodejs:10/nodejs | Not affected | ||
| Red Hat Mobile Application Platform 4 | nodejs-sshpk | Not affected | ||
| Red Hat Quay 3 | quay/quay-rhel8 | Fix deferred | ||
| Red Hat Software Collections | rh-nodejs10-nodejs | Not affected | ||
| Red Hat Software Collections | rh-nodejs6-nodejs-sshpk | Will not fix | ||
| Red Hat Virtualization 4 | ovirt-engine-api-explorer | Not affected | ||
| Red Hat Virtualization 4 | ovirt-engine-dashboard | Not affected | ||
| Red Hat Virtualization 4 | ovirt-engine-ui-extensions | Not affected | ||
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs8-nodejs | Fixed | RHSA-2020:2625 | 19.06.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | rh-nodejs8-nodejs | Fixed | RHSA-2020:2625 | 19.06.2020 |
Показывать по
10
Дополнительная информация
Статус:
Moderate
Дефект:
CWE-400
https://bugzilla.redhat.com/show_bug.cgi?id=1567228nodejs-sshpk: ReDoS when parsing crafted invalid public keys in lib/formats/ssh.js
EPSS
Процентиль: 67%
0.00562
Низкий
5.3 Medium
CVSS3
Связанные уязвимости
CVSS3: 7.5
ubuntu
около 7 лет назад
sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.
CVSS3: 7.5
nvd
около 7 лет назад
sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.
CVSS3: 7.5
debian
около 7 лет назад
sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.
CVSS3: 7.5
fstec
больше 7 лет назад
Уязвимость библиотеки sshpk программной платформы Node.js, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
Процентиль: 67%
0.00562
Низкий
5.3 Medium
CVSS3