CVE-2018-12121

Severity: high

Description

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.

References

http://www.securityfocus.com/bid/106043

https://access.redhat.com/errata/RHSA-2019:1821

https://access.redhat.com/errata/RHSA-2019:2258

https://access.redhat.com/errata/RHSA-2019:3497

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

https://security.gentoo.org/glsa/202003-48

Details

Source: MITRE

Published: 2018-11-28

Updated: 2020-03-20

Type: CWE-400

Risk Information

CVSS v2

Base Score: 5.0

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10.0

Severity: MEDIUM

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1 (any one of the following):

- cpe:2.3:a:joyent:node.js:*:*:*:*:*:*:*:* versions from 11.0.0 to 11.3.0 (inclusive)
- cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* versions from 6.0.0 to 6.15.0 (inclusive)
- cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* versions from 8.0.0 to 8.14.0 (inclusive)
- cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* versions from 10.0.0 to 10.14.0 (inclusive)

Tenable Plugins

25 plugins in total.

ID | Name | Product | Family | Severity
145594 | CentOS 8 : http-parser (CESA-2019:3497) | Nessus | CentOS Local Security Checks | high
144260 | Virtuozzo 7 : http-parser / http-parser-devel (VZLSA-2019-2258) | Nessus | Virtuozzo Local Security Checks | medium
137494 | EulerOS 2.0 SP2 : http-parser (EulerOS-SA-2020-1652) | Nessus | Huawei Local Security Checks | medium
135935 | Amazon Linux AMI : http-parser (ALAS-2020-1359) | Nessus | Amazon Linux Local Security Checks | critical
135648 | EulerOS Virtualization 3.0.2.2 : http-parser (EulerOS-SA-2020-1486) | Nessus | Huawei Local Security Checks | medium
134776 | GLSA-202003-48 : Node.js: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical
134487 | EulerOS Virtualization for ARM 64 3.0.2.0 : http-parser (EulerOS-SA-2020-1198) | Nessus | Huawei Local Security Checks | medium
132525 | Photon OS 1.0: Nodejs PHSA-2019-1.0-0257 | Nessus | PhotonOS Local Security Checks | high
132435 | NewStart CGSL CORE 5.05 / MAIN 5.05 : http-parser Multiple Vulnerabilities (NS-SA-2019-0257) | Nessus | NewStart CGSL Local Security Checks | medium
130867 | EulerOS 2.0 SP5 : http-parser (EulerOS-SA-2019-2158) | Nessus | Huawei Local Security Checks | medium
130700 | EulerOS 2.0 SP3 : http-parser (EulerOS-SA-2019-2238) | Nessus | Huawei Local Security Checks | medium
130545 | RHEL 8 : http-parser (RHSA-2019:3497) | Nessus | Red Hat Local Security Checks | high
130219 | Amazon Linux 2 : http-parser (ALAS-2019-1322) | Nessus | Amazon Linux Local Security Checks | medium
129916 | NewStart CGSL CORE 5.04 / MAIN 5.04 : http-parser Multiple Vulnerabilities (NS-SA-2019-0208) | Nessus | NewStart CGSL Local Security Checks | medium
129016 | CentOS 7 : http-parser (CESA-2019:2258) | Nessus | CentOS Local Security Checks | medium
128222 | Scientific Linux Security Update : http-parser on SL7.x x86_64 (20190806) | Nessus | Scientific Linux Local Security Checks | medium
127700 | RHEL 7 : http-parser (RHSA-2019:2258) | Nessus | Red Hat Local Security Checks | medium
122418 | openSUSE Security Update : nodejs6 (openSUSE-2019-234) | Nessus | SuSE Local Security Checks | high
122230 | SUSE SLES12 Security Update : nodejs6 (SUSE-SU-2019:0395-1) | Nessus | SuSE Local Security Checks | high
121428 | openSUSE Security Update : nodejs8 (openSUSE-2019-89) | Nessus | SuSE Local Security Checks | high
121415 | openSUSE Security Update : nodejs4 (openSUSE-2019-88) | Nessus | SuSE Local Security Checks | high
121293 | SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2019:0118-1) | Nessus | SuSE Local Security Checks | high
121292 | SUSE SLES12 Security Update : nodejs4 (SUSE-SU-2019:0117-1) | Nessus | SuSE Local Security Checks | high
119938 | Node.js Multiple Vulnerabilities (November 2018 Security Releases) | Nessus | Misc. | high
119511 | FreeBSD : node.js -- multiple vulnerabilities (2a86f45a-fc3c-11e8-a414-00155d006b02) | Nessus | FreeBSD Local Security Checks | high