Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

ubuntu логотип

CVE-2022-24999

Опубликовано: 26 нояб. 2022
Источник: ubuntu
Приоритет: medium
EPSS Низкий
CVSS3: 7.5

Описание

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

РелизСтатусПримечание
bionic

ignored

end of standard support, was needs-triage
devel

not-affected

esm-apps/bionic

needed

esm-apps/focal

needed

esm-apps/jammy

not-affected

esm-apps/noble

not-affected

esm-apps/xenial

needed

focal

ignored

end of standard support, was needs-triage
jammy

not-affected

4.17.3+~4.17.13-1
kinetic

ignored

end of life, was needs-triage

Показывать по

РелизСтатусПримечание
devel

not-affected

esm-apps/bionic

needed

esm-apps/focal

needed

esm-apps/jammy

not-affected

6.10.3+ds+~6.9.7-1
esm-apps/noble

not-affected

6.11.0+ds+~6.9.7-4
esm-apps/xenial

needed

esm-infra-legacy/trusty

needed

jammy

not-affected

6.10.3+ds+~6.9.7-1
noble

not-affected

6.11.0+ds+~6.9.7-4
oracular

not-affected

6.11.0+ds+~6.9.7-4

Показывать по

EPSS

Процентиль: 86%
0.03115
Низкий

7.5 High

CVSS3

Связанные уязвимости

CVSS3: 7.5
redhat
больше 2 лет назад

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

CVSS3: 7.5
nvd
больше 2 лет назад

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

CVSS3: 7.5
debian
больше 2 лет назад

qs before 6.10.3, as used in Express before 4.17.3 and other products, ...

CVSS3: 7.5
github
больше 2 лет назад

qs vulnerable to Prototype Pollution

rocky
больше 2 лет назад

Moderate: nodejs:14 security, bug fix, and enhancement update

EPSS

Процентиль: 86%
0.03115
Низкий

7.5 High

CVSS3