Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMF16B3A89EA98D337204D8D66B417380BF85E50A9F36154B635729BE502EBCA11
HistoryAug 03, 2018 - 4:23 a.m.

Security Bulletin: Multiple vulnerabilities in modules from the IBM SDK for Node.js affect the Cordova tools packaged in Rational Developer for i Modernization Tools Java Edition and Rational Developer for AIX and Linux (CVE-2014-7191 and CVE-2014-7192)

2018-08-0304:23:43
www.ibm.com
8

0.254 Low

EPSS

Percentile

96.7%

JSON

Summary

Security vulnerabilities have been discovered in the syntax-error and qs modules packaged in the IBM SDK for Node.js and Cordova platform packaged in Rational Developer for i Modernization Tools Java Edition and Rational Developer for AIX and Linux. The fix upgrades IBM SDK for Node.js to 1.1.0.9.

Vulnerability Details

| Subscribe to My Notifications to be notified of important product support alerts like this.

  • Follow this link for more information (requires login with your IBM ID)
    —|—

CVEID: CVE-2014-7191

Description: Node.js is vulnerable to a denial of service, caused by an error in the qs module when parsing a string representing a deeply nested object. An attacker could exploit this vulnerability to block the event loop for an extended period of time and cause a denial of service.

CVSS Base Score: 5 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96729&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-7192

Description: A vulnerability in the Node.js syntax-error module could allow a remote attacker to execute arbitrary code on the system, caused by the improper validation of input prior to being used in an eval() call. An attacker could exploit this vulnerability to inject and execute arbitrary script on the system.

CVSS Base Score: 7.5 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96728&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Products and Versions

Product Name

| Versions Affected
—|—
IBM Rational Developer for i, RPG and COBOL + Modernization Tools, Java Edition| 9.1
Rational Developer for AIX and Linux, AIX COBOL Edition| 9.1
Rational Developer for AIX and Linux, C/C++ Edition| 9.1

Remediation/Fixes

Update the product to the 9.1.1 level to address this vulnerability:

Product VRMF Remediation/First Fix
IBM Rational Developer for i, RPG and COBOL + Modernization Tools, Java Edition 9.1

  • Update the currently installed product using Installation Manager. ** **For instructions on installing this update using Installation Manager, review the topic Updating Installed Product Packages in the IBM Knowledge Center.

  • Or, you can optionally download the update manually and apply Rational Developer for i 9.1.1
    Rational Developer for AIX and Linux, AIX COBOL Edition or C/C++ Edition| 9.1|

  • For all client versions, update the currently installed product using Installation Manager. For instructions on installing this update using Installation Manager, review the topic Updating Installed Product Packages in the IBM Knowledge Center.

  • For server updates or to manually download and apply the client updates see Rational Developer for AIX and Linux 9.1.1

Workarounds and Mitigations

None

Related

osv 2
cvelist 2
prion 2
nessus 2
redhat 1
debiancve 2
ubuntucve 2
checkpoint_advisories 1
nodejs 2
github 2
fedora 2
ibm 6
openvas 2
veracode 1
nvd 2
cve 2
osv
osv
Denial-of-Service Memory Exhaustion in qs
2017-10-24 18:33:36
Potential for Script Injection in syntax-error
2017-10-24 18:33:36
cvelist
cvelist
CVE-2014-7191
2014-10-19 01:00:00
CVE-2014-7192
2014-12-11 11:00:00
prion
prion
Design/Logic Flaw
2014-10-19 01:55:00
Design/Logic Flaw
2014-12-11 11:59:00
nessus
nessus
Fedora 19 : nodejs-qs-0.6.6-3.fc19 (2014-11399)
2014-10-06 00:00:00
Fedora 20 : nodejs-qs-0.6.6-3.fc20 (2014-11376)
2014-10-06 00:00:00
redhat
redhat
(RHSA-2016:1380) Moderate: nodejs010-node-gyp and nodejs010-nodejs-qs security and bug fix update
2016-07-05 05:53:09
debiancve
debiancve
CVE-2014-7191
2014-10-19 01:55:21
CVE-2014-7192
2014-12-11 11:59:00
ubuntucve
ubuntucve
CVE-2014-7192
2014-12-11 00:00:00
CVE-2014-7191
2014-10-19 00:00:00
checkpoint_advisories
checkpoint_advisories
Browserify Node.js Remote Code Execution (CVE-2014-7192)
2015-01-21 00:00:00
nodejs
nodejs
Potential for Script Injection
2015-10-17 19:41:46
Denial-of-Service Memory Exhaustion
2015-10-17 19:41:46
github
github
Potential for Script Injection in syntax-error
2017-10-24 18:33:36
Denial-of-Service Memory Exhaustion in qs
2017-10-24 18:33:36
fedora
fedora
[SECURITY] Fedora 19 Update: nodejs-qs-0.6.6-3.fc19
2014-10-06 05:04:26
[SECURITY] Fedora 20 Update: nodejs-qs-0.6.6-3.fc20
2014-10-06 05:04:59
ibm
ibm
Security Bulletin: Current Release of IBM® SDK for Node.js™ is affected by CVE-2014-7191
2018-08-09 04:20:36
Security Bulletin: Security vulnerabilities in Node.js modules affect IBM Business Process Manager (BPM) Configuration Editor (CVE-2014-6394, CVE-2014-7191)
2018-06-15 07:01:52
Security Bulletin: qs (QueryString) package in the Service Portal of IBM Control Desk is vulnerable (CVE-2014-7191 and CVE-2017-1000048)
2022-09-09 13:15:39
openvas
openvas
Fedora Update for nodejs-qs FEDORA-2014-11376
2014-10-07 00:00:00
Fedora Update for nodejs-qs FEDORA-2014-11399
2014-10-07 00:00:00
veracode
veracode
Denial Of Service (DoS) Memory Consumption
2019-01-15 09:12:08
nvd
nvd
CVE-2014-7191
2014-10-19 01:55:21
CVE-2014-7192
2014-12-11 11:59:11
cve
cve
CVE-2014-7192
2014-12-11 11:59:11
CVE-2014-7191
2014-10-19 01:55:21

0.254 Low

EPSS

Percentile

96.7%

JSON
Related for F16B3A89EA98D337204D8D66B417380BF85E50A9F36154B635729BE502EBCA11
osv2cvelist2prion2nessus2redhat1debiancve2ubuntucve2checkpoint_advisories1nodejs2github2fedora2ibm6openvas2veracode1nvd2cve2