CVE-2017-16021 - OpenCVE

uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. To check if you're vulnerable, look for a call to `require("uri-js").parse()` where a user is able to send their own input. This affects uri-js 2.1.1 and earlier.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

AV:N/AC:L/Au:S/C:N/I:N/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Garycourt	Uri-js

Configuration 1 [-]

cpe:2.3:a:garycourt:uri-js:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/garycourt/uri-js/issues/12	Exploit Issue Tracking Third Party Advisory
https://nodesecurity.io/advisories/100	Broken Link Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2018-04-26T00:00:00

Updated: 2018-06-04T18:57:01

Reserved: 2017-10-29T00:00:00

Link: CVE-2017-16021

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-06-04T19:29:01.303

Modified: 2024-02-15T03:20:20.787

Link: CVE-2017-16021

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "uri-js node module", "vendor": "HackerOne", "versions": [{"status": "affected", "version": "<=2.1.1"}]}], "datePublic": "2018-04-26T00:00:00", "descriptions": [{"lang": "en", "value": "uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. To check if you're vulnerable, look for a call to `require(\"uri-js\").parse()` where a user is able to send their own input. This affects uri-js 2.1.1 and earlier."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "Denial of Service (CWE-400)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-06-04T18:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/garycourt/uri-js/issues/12"}, {"tags": ["x_refsource_MISC"], "url": "https://nodesecurity.io/advisories/100"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "DATE_PUBLIC": "2018-04-26T00:00:00", "ID": "CVE-2017-16021", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "uri-js node module", "version": {"version_data": [{"version_value": "<=2.1.1"}]}}]}, "vendor_name": "HackerOne"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. To check if you're vulnerable, look for a call to `require(\"uri-js\").parse()` where a user is able to send their own input. This affects uri-js 2.1.1 and earlier."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Denial of Service (CWE-400)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/garycourt/uri-js/issues/12", "refsource": "MISC", "url": "https://github.com/garycourt/uri-js/issues/12"}, {"name": "https://nodesecurity.io/advisories/100", "refsource": "MISC", "url": "https://nodesecurity.io/advisories/100"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2017-16021", "datePublished": "2018-04-26T00:00:00", "dateReserved": "2017-10-29T00:00:00", "dateUpdated": "2018-06-04T18:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:garycourt:uri-js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "540B9C87-F30C-4317-8B31-F95A5429BBCF", "versionEndIncluding": "2.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. To check if you're vulnerable, look for a call to `require(\"uri-js\").parse()` where a user is able to send their own input. This affects uri-js 2.1.1 and earlier."}, {"lang": "es", "value": "uri-js es un m\u00f3dulo que intenta implementar RFC 3986 completamente. Una de estas caracter\u00edsticas es validar si una URL proporcionada es v\u00e1lida o no. Para hacerlo, uri-js emplea una expresi\u00f3n regular que es vulnerable a una denegaci\u00f3n de servicio con expresiones regulares (ReDoS). Esto provoca que el programa se bloquee y que la CPU se vuelva inactiva al uso al 100% mientras uri-js intenta validar si la URL proporcionada es v\u00e1lida o no. Para comprobar si se es vulnerable, se debe buscar una llamada a \"require(\"uri-js\").parse()\" en la que el usuario pueda enviar sus propias entradas. Esto afecta a uri-js en versiones 2.1.1 y anteriores."}], "id": "CVE-2017-16021", "lastModified": "2024-02-15T03:20:20.787", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 6.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-04T19:29:01.303", "references": [{"source": "support@hackerone.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/garycourt/uri-js/issues/12"}, {"source": "support@hackerone.com", "tags": ["Broken Link", "Third Party Advisory"], "url": "https://nodesecurity.io/advisories/100"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "support@hackerone.com", "type": "Secondary"}]}