Description
https-proxy-agent before 2.1.1 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).
A flaw was found in https-proxy-agent prior to version 2.2.0. It was discovered that https-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources, and in data exposure through an uninitialized memory leak, in setups where an attacker could submit typed input to the auth parameter.
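The root cause described above is the legacy `Buffer(value)` constructor, which treats a number as an allocation size rather than as content. The following added example (not https-proxy-agent's own code) contrasts that pattern with a hardened version that validates the type of a JSON-supplied `auth` value before any buffer is created; the config and credential values are constructed.

```javascript
// Pattern described in the advisory, shown for contrast only: a numeric
// `auth` is interpreted as a size, so the header encodes an allocated
// buffer instead of credentials. Current Node zero-fills that buffer;
// affected older runtimes returned uninitialized memory, and a large
// number caused a huge allocation (the DoS). Deprecated API, do not use.
function legacyProxyAuthHeader(auth) {
  return 'Basic ' + Buffer(auth).toString('base64');
}

// Hardened form: only a string is accepted, and Buffer.from never
// interprets its argument as an allocation size.
function proxyAuthHeader(auth) {
  if (typeof auth !== 'string') {
    throw new TypeError('proxy auth must be a string, got ' + typeof auth);
  }
  return 'Basic ' + Buffer.from(auth, 'utf8').toString('base64');
}

// Validate a proxy configuration that arrived as JSON. Every field is
// type-checked before it reaches any encoding routine, so a typed value
// in `auth` is rejected rather than turned into an allocation.
function parseProxyOptions(json) {
  const raw = JSON.parse(json);
  if (typeof raw.host !== 'string' || !Number.isInteger(raw.port)) {
    throw new TypeError('host must be a string and port an integer');
  }
  const opts = { host: raw.host, port: raw.port };
  if (raw.auth !== undefined) {
    opts.headers = { 'Proxy-Authorization': proxyAuthHeader(raw.auth) };
  }
  return opts;
}

// Constructed inputs: a JSON number where a credential string was expected,
// and a well-formed configuration.
const badConfig = '{"host":"proxy.example","port":3128,"auth":8}';
const goodConfig = '{"host":"proxy.example","port":3128,"auth":"user:pass"}';

console.log(legacyProxyAuthHeader(JSON.parse(badConfig).auth)); // 8 allocated bytes, base64-encoded
try {
  parseProxyOptions(badConfig);
} catch (e) {
  console.log('rejected:', e.message);
}
console.log(parseProxyOptions(goodConfig).headers['Proxy-Authorization']);
```

The legacy call prints a deprecation warning on current Node, which is itself a useful signal when auditing a dependency tree for this pattern.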
Statement
This issue did not affect the versions of nodejs as shipped with Red Hat Enterprise Linux 8, as they already include the patched code. This issue did not affect the versions of rh-nodejs10-nodejs as shipped with Red Hat Software Collections 3, as they already include the patched code. Red Hat Quay uses nodejs-https-proxy-agent, but only as a development dependency; it is not used at runtime. Therefore we rated this issue as having a low impact for Red Hat Quay.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | nodejs:10/nodejs | Not affected | | |
| Red Hat Mobile Application Platform 4 | nodejs-https-proxy-agent | Not affected | | |
| Red Hat Quay 3 | quay/quay-rhel8 | Fix deferred | | |
| Red Hat Software Collections | rh-nodejs10-nodejs | Not affected | | |
| Red Hat Software Collections | rh-nodejs8-nodejs | Out of support scope | | |
Additional information
Status:
EPSS:
CVSS3: 8.2 High