
CVE-2024-22019

Published: 16 Feb 2024
Source: redhat
CVSS3: 7.5

Description

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of service.
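The missing safeguard named in the description, shown as an added defensive example in JavaScript (this is not Node.js's own HTTP parser code): a small chunked-body decoder that counts the bytes of the chunk extension (the part after ";" on a chunk-size line) and rejects the request as soon as that count passes a cap, without waiting for the line to terminate. The cap value, the function name and the sample bodies are assumptions constructed for this example.

```javascript
// Assumed cap on chunk-extension bytes per chunk-size line (constructed value).
const MAX_CHUNK_EXTENSION_BYTES = 16 * 1024;

// Decodes a string of HTTP/1.1 chunked-transfer body bytes and returns the
// decoded body. Throws when a chunk extension exceeds `maxExt` bytes or when
// the framing is malformed or incomplete.
//
// The order of the checks matters: the extension length is tested on the bytes
// seen so far, before the decoder asks for a terminating CRLF. A streaming
// parser that instead waits for CRLF first would keep reading an extension that
// never ends, which is the unbounded-read behaviour this CVE describes.
function decodeChunked(input, maxExt = MAX_CHUNK_EXTENSION_BYTES) {
  let pos = 0;
  const out = [];
  for (;;) {
    const eol = input.indexOf('\r\n', pos);
    // Take whatever part of the chunk-size line has arrived, complete or not.
    const line = eol === -1 ? input.slice(pos) : input.slice(pos, eol);
    const semi = line.indexOf(';');
    const extBytes = semi === -1 ? 0 : line.length - semi;
    if (extBytes > maxExt) {
      throw new Error(`chunk extension too large: ${extBytes} bytes`);
    }
    if (eol === -1) throw new Error('incomplete chunk-size line');
    const sizeHex = semi === -1 ? line : line.slice(0, semi);
    if (!/^[0-9a-fA-F]+$/.test(sizeHex)) throw new Error('bad chunk size');
    const size = parseInt(sizeHex, 16);
    pos = eol + 2;
    if (size === 0) return out.join(''); // last-chunk; trailers are ignored here
    if (input.length < pos + size + 2) throw new Error('truncated chunk data');
    out.push(input.slice(pos, pos + size));
    if (input.slice(pos + size, pos + size + 2) !== '\r\n') {
      throw new Error('missing CRLF after chunk data');
    }
    pos += size + 2;
  }
}

// Constructed sample: a well-formed body with a small extension decodes
// normally, while a chunk-size line carrying an oversized extension is
// rejected even though no CRLF has arrived yet.
const SAMPLE_OK = '4;ext=1\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n';
const SAMPLE_OVERSIZED = '4;' + 'x'.repeat(100);
```

Calling `decodeChunked(SAMPLE_OK)` returns "Wikipedia", and `decodeChunked(SAMPLE_OVERSIZED, 64)` throws the "chunk extension too large" error before any chunk data is consumed.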

Report

While this vulnerability in Node.js HTTP servers poses a significant risk to system stability and availability, it is classified as an important severity issue rather than a critical one due to several factors. Firstly, while the vulnerability can lead to denial of service (DoS) attacks by causing resource exhaustion, it does not directly compromise the confidentiality or integrity of data stored or processed by the server. Additionally, the exploit requires the attacker to send specially crafted HTTP requests, which may limit the ease and scope of potential attacks compared to more critical vulnerabilities that can be exploited remotely without specific conditions.

Mitigation

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Openshift Data Foundation 4 | odf4/mcg-core-rhel9 | Affected | | |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2024:1444 | 20.03.2024 |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2024:1510 | 26.03.2024 |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2024:1687 | 08.04.2024 |
| Red Hat Enterprise Linux 8.6 Extended Update Support | nodejs | Fixed | RHSA-2024:2793 | 09.05.2024 |
| Red Hat Enterprise Linux 8.8 Extended Update Support | nodejs | Fixed | RHSA-2024:1880 | 18.04.2024 |
| Red Hat Enterprise Linux 8.8 Extended Update Support | nodejs | Fixed | RHSA-2024:2651 | 02.05.2024 |
| Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2024:1438 | 20.03.2024 |
| Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2024:1503 | 25.03.2024 |
| Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2024:1688 | 08.04.2024 |


Additional information

Status: Important
Weakness: CWE-400
Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=2264574
Bug title: nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
CVSS3: 7.5 (High)

Related vulnerabilities

ubuntu, CVSS3: 7.5, more than 1 year ago: same description as above.

nvd, CVSS3: 7.5, more than 1 year ago: same description as above.

msrc, CVSS3: 7.5, more than 1 year ago: no description available.

debian, CVSS3: 7.5, more than 1 year ago: "A vulnerability in Node.js HTTP servers allows an attacker to send a s ..."

github, CVSS3: 7.5, more than 1 year ago: same description as above.
