CVE-2017-14919

MEDIUM

Description

Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.

References

http://www.securityfocus.com/bid/101881

https://nodejs.org/en/blog/release/v4.8.5/

https://nodejs.org/en/blog/release/v6.11.5/

https://nodejs.org/en/blog/release/v8.8.0/

https://nodejs.org/en/blog/vulnerability/oct-2017-dos/

Details

Source: MITRE

Published: 2017-10-30

Updated: 2017-11-21

Type: CWE-20

Risk Information

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3.0

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1

cpe:2.3:a:nodejs:node.js:4.8.2:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:4.8.3:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:4.8.4:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:6.10.2:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:6.10.3:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:6.11.0:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:6.11.1:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:6.11.2:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:6.11.3:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:6.11.4:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:8.0.0:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:8.1.1:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:8.1.2:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:8.1.3:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:8.1.4:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:8.2.0:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:8.2.1:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:8.3.0:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:8.4.0:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:8.5.0:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:8.6.0:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:8.7.0:*:*:*:*:*:*:*

Tenable Plugins

View all (6 total)

ID	Name	Product	Family	Severity
120014	SUSE SLES12 Security Update : nodejs6 (SUSE-SU-2018:0293-1)	Nessus	SuSE Local Security Checks	medium
120012	SUSE SLES12 Security Update : nodejs4 (SUSE-SU-2018:0002-1)	Nessus	SuSE Local Security Checks	medium
106547	openSUSE Security Update : nodejs6 (openSUSE-2018-116)	Nessus	SuSE Local Security Checks	medium
105638	openSUSE Security Update : nodejs4 (openSUSE-2018-5)	Nessus	SuSE Local Security Checks	medium
104450	Fedora 25 : 1:nodejs (2017-c582c1e728)	Nessus	Fedora Local Security Checks	medium
104198	FreeBSD : Node.js -- remote DOS security vulnerability (d7d1cc94-b971-11e7-af3a-f1035dd0da62)	Nessus	FreeBSD Local Security Checks	medium