CVE-2018-12121
Published: 28 November 2018
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.
Notes
Author | Note |
---|---|
msalvatore | RedHat found that the patch from the november-2018 security release caused some regressions. The patches below are perhapse a better approach to resolving this CVE. http-parser must be patched. I'm deferring this until a http-parser v2.9.0 makes it into the archive. |
Priority
Status
Package | Release | Status |
---|---|---|
nodejs Launchpad, Ubuntu, Debian |
bionic |
Deferred
(2019-05-01)
|
cosmic |
Ignored
(end of life)
|
|
disco |
Not vulnerable
(10.15.1~dfsg-5)
|
|
eoan |
Not vulnerable
(10.15.1~dfsg-5)
|
|
focal |
Not vulnerable
(10.15.1~dfsg-5)
|
|
groovy |
Not vulnerable
(10.15.1~dfsg-5)
|
|
hirsute |
Not vulnerable
(10.15.1~dfsg-5)
|
|
impish |
Not vulnerable
(10.15.1~dfsg-5)
|
|
jammy |
Not vulnerable
(10.15.1~dfsg-5)
|
|
kinetic |
Not vulnerable
(10.15.1~dfsg-5)
|
|
lunar |
Not vulnerable
(10.15.1~dfsg-5)
|
|
mantic |
Not vulnerable
(10.15.1~dfsg-5)
|
|
noble |
Not vulnerable
(10.15.1~dfsg-5)
|
|
trusty |
Deferred
(2019-05-01)
|
|
upstream |
Released
(8.14.0, 10.14.0)
|
|
xenial |
Deferred
(2019-05-01)
|
|
Patches: upstream: https://github.com/nodejs/node/commit/693e362175 upstream: https://github.com/nodejs/http-parser/commit/0ae8d93f |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |