exploitDog
CVE-2022-24434

Published: 05 Aug 2021
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

This affects all versions of the package dicer. A malicious attacker can send a modified form to the server and crash the Node.js service. An attacker could send the payload again and again so that the service continuously crashes.

A flaw was found in the Node.js dicer module. The affected versions of the Node.js dicer module are vulnerable to a denial of service: by sending a specially crafted form to the server, a remote attacker can crash the Node.js service.

Statement

In Red Hat Advanced Cluster Management for Kubernetes 2.5 and 2.6, the only affected container is behind OpenShift OAuth authentication, which restricts access to the vulnerable library to authenticated users only. In Red Hat Advanced Cluster Management for Kubernetes 2.7 and later, search-v2-api does not use Node.js and is therefore not affected by this vulnerability. The impact is therefore rated Moderate.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Affected packages

Platform | Package | State | Advisory | Release
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/search-api-rhel8 | Will not fix | |
Red Hat OpenShift Dev Spaces | devspaces-theia-rhel8-container | Out of support scope | |


Additional information

Status: Important
Defect: CWE-400
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2196307
dicer: nodejs service crash by sending a crafted payload

EPSS: 0.02803 (percentile 86%, Low)

CVSS3: 7.5 (High)

Related vulnerabilities

CVSS3: 7.5
ubuntu
more than 3 years ago

This affects all versions of the package dicer. A malicious attacker can send a modified form to the server and crash the Node.js service. An attacker could send the payload again and again so that the service continuously crashes.

CVSS3: 7.5
nvd
more than 3 years ago

This affects all versions of the package dicer. A malicious attacker can send a modified form to the server and crash the Node.js service. An attacker could send the payload again and again so that the service continuously crashes.

CVSS3: 7.5
debian
more than 3 years ago

This affects all versions of package dicer. A malicious attacker can s ...

CVSS3: 7.5
github
more than 3 years ago

Crash in HeaderParser in dicer

CVSS3: 7.5
fstec
more than 3 years ago

Vulnerability in the dicer streaming parser related to improper cleanup or release of resources, allowing an attacker to cause a denial of service.
