CVE-2018-12122 - OpenCVE

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Suse	Suse Enterprise Storage Suse Linux Enterprise Server Suse Openstack Cloud
Nodejs	Node.js

Configuration 1 [-]

OR	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*

Configuration 2 [-]

OR	cpe:2.3:a:suse:suse_enterprise_storage:4:::::::*
	cpe:2.3:o:suse:suse_linux_enterprise_server:12:::::::*
	cpe:2.3:o:suse:suse_linux_enterprise_server:15:::::::*
	cpe:2.3:o:suse:suse_openstack_cloud:7:::::::*
	cpe:2.3:o:suse:suse_openstack_cloud:8:::::::*

References

Link	Resource
http://www.securityfocus.com/bid/106043	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2019:1821	Third Party Advisory
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/	Patch Vendor Advisory
https://security.gentoo.org/glsa/202003-48	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: nodejs

Published: 2018-11-28T17:00:00

Updated: 2020-03-20T20:06:05

Reserved: 2018-06-11T00:00:00

Link: CVE-2018-12122

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-11-28T17:29:00.370

Modified: 2022-09-06T17:57:17.550

Link: CVE-2018-12122

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"containers": {"cna": {"affected": [{"product": "Node.js", "vendor": "The Node.js Project", "versions": [{"status": "affected", "version": "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"}]}], "datePublic": "2018-11-28T00:00:00", "descriptions": [{"lang": "en", "value": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption / Denial of Service", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-03-20T20:06:05", "orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558", "shortName": "nodejs"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"}, {"name": "106043", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106043"}, {"name": "RHSA-2019:1821", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1821"}, {"name": "GLSA-202003-48", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202003-48"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-request@iojs.org", "ID": "CVE-2018-12122", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Node.js", "version": {"version_data": [{"version_value": "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"}]}}]}, "vendor_name": "The Node.js Project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption / Denial of Service"}]}]}, "references": {"reference_data": [{"name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", "refsource": "CONFIRM", "url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"}, {"name": "106043", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106043"}, {"name": "RHSA-2019:1821", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1821"}, {"name": "GLSA-202003-48", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-48"}]}}}}, "cveMetadata": {"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558", "assignerShortName": "nodejs", "cveId": "CVE-2018-12122", "datePublished": "2018-11-28T17:00:00", "dateReserved": "2018-06-11T00:00:00", "dateUpdated": "2020-03-20T20:06:05", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "E50DE84C-B33E-46D2-A53C-DE13EB7ACE3F", "versionEndExcluding": "6.15.1", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "1B607427-7A5B-4F24-B042-CF4BF95DC185", "versionEndExcluding": "8.14.0", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "34D3C40A-3BE7-42A4-BE15-762CEE1754C4", "versionEndExcluding": "10.14.0", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "4E62EA78-C705-4AC9-9C0B-3C9114087C37", "versionEndExcluding": "11.3.0", "versionStartIncluding": "11.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suse:suse_enterprise_storage:4:*:*:*:*:*:*:*", "matchCriteriaId": "30A38AC5-A8B9-4244-8093-40C77ADFF5F2", "vulnerable": true}, {"criteria": "cpe:2.3:o:suse:suse_linux_enterprise_server:12:*:*:*:*:*:*:*", "matchCriteriaId": "9C649194-B8C2-49F7-A819-C635EE584ABF", "vulnerable": true}, {"criteria": "cpe:2.3:o:suse:suse_linux_enterprise_server:15:*:*:*:*:*:*:*", "matchCriteriaId": "AF73A3D9-6566-4CBF-AA5F-5A4B99719A1D", "vulnerable": true}, {"criteria": "cpe:2.3:o:suse:suse_openstack_cloud:7:*:*:*:*:*:*:*", "matchCriteriaId": "F4B73BE9-4340-4A6B-89FE-A40FC4A10187", "vulnerable": true}, {"criteria": "cpe:2.3:o:suse:suse_openstack_cloud:8:*:*:*:*:*:*:*", "matchCriteriaId": "C9C659D0-D6DB-4313-9208-C0C49FECD290", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time."}, {"lang": "es", "value": "Node.js: Todas las versiones anteriores a la 6.15.0, 8.14.0, 10.14.0 y 11.3.0: Denegaci\u00f3n de servicio (DoS) HTTP mediante Slowloris. Un atacante puede provocar una denegaci\u00f3n de servicio (DoS) enviando cabeceras muy lentamente, manteniendo las conexiones HTTP o HTTPS y los recursos asociados vivos durante un largo per\u00edodo de tiempo."}], "id": "CVE-2018-12122", "lastModified": "2022-09-06T17:57:17.550", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-11-28T17:29:00.370", "references": [{"source": "cve-request@iojs.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/106043"}, {"source": "cve-request@iojs.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:1821"}, {"source": "cve-request@iojs.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"}, {"source": "cve-request@iojs.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202003-48"}], "sourceIdentifier": "cve-request@iojs.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "cve-request@iojs.org", "type": "Secondary"}]}