5.0 Medium (CVSS v2)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
Vector string | AV:N/AC:L/Au:N/C:N/I:N/A:P |

7.5 High (CVSS v3.1)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

EPSS | Value |
---|---|
Score | 0.014 (Low) |
Percentile | 86.5% |
Node.js: all versions prior to 6.15.0, 8.14.0, 10.14.0 and 11.3.0 are affected.
Denial of service with large HTTP headers: by using a combination of many
requests with maximum-sized headers (almost 80 KB per connection) and
carefully timed completion of the headers, it is possible to cause the HTTP
server to abort from a heap allocation failure. Attack potential is mitigated
by the use of a load balancer or other proxy layer in front of the Node.js
server.
Author | Note |
---|---|
msalvatore | RedHat found that the patch from the november-2018 security release caused some regressions. The patches below are perhaps a better approach to resolving this CVE. http-parser must be patched. I'm deferring this until an http-parser v2.9.0 makes it into the archive. |