Description
A flaw was found in http-proxy-agent, prior to version 2.1.0. It was discovered that http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. In setups where an attacker could submit typed input to the auth parameter, this could result in a Denial of Service through the usage of all available CPU resources, and in data exposure through an uninitialized memory leak.
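The type check that the description says was missing, as an added example (not code from http-proxy-agent or from this advisory). The helper names are hypothetical, and the use of the value in a `Proxy-Authorization: Basic` header is an assumption of the example.

```javascript
// Added example; helper names are hypothetical, not http-proxy-agent's code.

// Buffer.from() rejects a number outright, whereas the legacy
// `new Buffer(value)` constructor interpreted a number as an allocation size.
function bufferFromOrError(value) {
  try {
    return Buffer.from(value).toString('base64');
  } catch (err) {
    return err instanceof TypeError ? 'TypeError' : 'Error';
  }
}

// Build a Proxy-Authorization value only from a string credential.
// The typeof check runs before any Buffer call, so typed input
// (number, array, object, null) never reaches buffer allocation.
function proxyAuthorization(auth) {
  if (typeof auth !== 'string') {
    throw new TypeError('proxy auth must be a string, got ' + typeof auth);
  }
  return 'Basic ' + Buffer.from(auth, 'utf8').toString('base64');
}

// Run the guard over a list of candidate values and report each outcome.
function checkAll(values) {
  return values.map((value) => {
    try {
      return proxyAuthorization(value);
    } catch (err) {
      return 'rejected: ' + err.message;
    }
  });
}

// Constructed sample inputs, e.g. values a JSON body parser could hand over.
const samples = ['user:pass', 4096, ['user:pass'], null];
console.log(checkAll(samples));
```

Applications that take the auth value from request data can apply the same check at their own boundary, independent of which http-proxy-agent version is installed.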
Report
This issue did not affect the versions of nodejs as shipped with Red Hat Enterprise Linux 8 as they already include the patched code. This issue did not affect the versions of rh-nodejs10-nodejs as shipped with Red Hat Software Collections 3 as they already include the patched code.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | nodejs:10/nodejs | Not affected | | |
| Red Hat Mobile Application Platform 4 | nodejs-http-proxy-agent | Out of support scope | | |
| Red Hat Software Collections | rh-nodejs10-npm | Not affected | | |
| Red Hat Software Collections | rh-nodejs8-npm | Will not fix | | |
Additional information
Status:
EPSS
CVSS3: 7.3 High
Related vulnerabilities
Resource Exhaustion Denial of Service in http-proxy-agent