CVE-2018-7162 - OpenCVE

All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshake. This vulnerability has been addressed by updating the TLS implementation.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

AV:N/AC:L/Au:N/C:N/I:N/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Nodejs	Node.js

Configuration 1 [-]

OR	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*

References

Link	Resource
http://www.securityfocus.com/bid/104468	Third Party Advisory VDB Entry
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/	Vendor Advisory
https://security.gentoo.org/glsa/202003-48	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: nodejs

Published: 2018-06-12T00:00:00

Updated: 2020-03-20T20:06:06

Reserved: 2018-02-15T00:00:00

Link: CVE-2018-7162

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-06-13T16:29:01.780

Modified: 2022-08-16T13:00:43.207

Link: CVE-2018-7162

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "Node.js", "vendor": "The Node.js Project", "versions": [{"status": "affected", "version": "9.x+"}, {"status": "affected", "version": "10.x+"}]}], "datePublic": "2018-06-12T00:00:00", "descriptions": [{"lang": "en", "value": "All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshake. This vulnerability has been addressed by updating the TLS implementation."}], "problemTypes": [{"descriptions": [{"description": "Denial of Service", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-20T20:06:06", "orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558", "shortName": "nodejs"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"}, {"name": "104468", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104468"}, {"name": "GLSA-202003-48", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202003-48"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-request@iojs.org", "DATE_PUBLIC": "2018-06-12T00:00:00", "ID": "CVE-2018-7162", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Node.js", "version": {"version_data": [{"version_value": "9.x+"}, {"version_value": "10.x+"}]}}]}, "vendor_name": "The Node.js Project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshake. This vulnerability has been addressed by updating the TLS implementation."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Denial of Service"}]}]}, "references": {"reference_data": [{"name": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/", "refsource": "CONFIRM", "url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"}, {"name": "104468", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104468"}, {"name": "GLSA-202003-48", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-48"}]}}}}, "cveMetadata": {"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558", "assignerShortName": "nodejs", "cveId": "CVE-2018-7162", "datePublished": "2018-06-12T00:00:00", "dateReserved": "2018-02-15T00:00:00", "dateUpdated": "2020-03-20T20:06:06", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "8C9ECBEB-3A20-44AC-86B9-D4051BC64656", "versionEndExcluding": "9.11.2", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "6F40337E-4705-46D3-9731-A3B3A9303A74", "versionEndExcluding": "10.4.1", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshake. This vulnerability has been addressed by updating the TLS implementation."}, {"lang": "es", "value": "Todas las versiones 9.x y 10.x de Node.js son vulnerables y la gravedad es ALTA. Un atacante podr\u00eda provocar una denegaci\u00f3n de servicio (DoS) haciendo que un proceso node que proporcione un servidor http de soporte de un servidor TLS se cierre inesperadamente. Esto puede lograrse mediante el env\u00edo de mensajes duplicados/inesperados durante el handshake. Esto ha sido abordado actualizando la implementaci\u00f3n TLS."}], "id": "CVE-2018-7162", "lastModified": "2022-08-16T13:00:43.207", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-13T16:29:01.780", "references": [{"source": "cve-request@iojs.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104468"}, {"source": "cve-request@iojs.org", "tags": ["Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"}, {"source": "cve-request@iojs.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202003-48"}], "sourceIdentifier": "cve-request@iojs.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}