IM
IronMonkey Threat Research

CVE-2017-14919 HIGH

Published: 2017-10-30 | Last Modified: 2026-07-14 | Status: Modified

Description

Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.

Additional Descriptions (1)

Node.js en versiones anteriores a la 4.8.5, las versiones 6.x anteriores a la 6.11.5 y las versiones 8.x anteriores a la 8.8.0 permiten que atacantes remotos provoquen una denegación de servicio (excepción no detectada y cierre inesperado) aprovechando un cambio en el módulo zlib, versión 1.2.9, que hace que 8 sea un valor no válido para el parámetro windowsBits.

CVSS Metrics

Base Score: 5.0 (MEDIUM)

AV:N/AC:L/Au:N/C:N/I:N/A:P

Access VectorNETWORK
Access ComplexityLOW
AuthenticationNONE
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability ImpactPARTIAL

Source: [email protected]

Type: Primary

Exploitability Score: 10.0

Impact Score: 2.9

Weaknesses

Source Type Description
[email protected] Primary
en CWE-20

Affected Products

Vendor Product Version Update Type
nodejs node.js 4.8.2 <built-in method update of dict object at 0x702bdd6ad540> Application
nodejs node.js 4.8.3 <built-in method update of dict object at 0x702bdd6ad240> Application
nodejs node.js 4.8.4 <built-in method update of dict object at 0x702bdd6f5c80> Application
nodejs node.js 6.10.2 <built-in method update of dict object at 0x702bdd6ac600> Application
nodejs node.js 6.10.3 <built-in method update of dict object at 0x702bdd6af780> Application
nodejs node.js 6.11.0 <built-in method update of dict object at 0x702bdd6aef00> Application
nodejs node.js 6.11.1 <built-in method update of dict object at 0x702b80610fc0> Application
nodejs node.js 6.11.2 <built-in method update of dict object at 0x702bdd6ac900> Application
nodejs node.js 6.11.3 <built-in method update of dict object at 0x702bdd6ac880> Application
nodejs node.js 6.11.4 <built-in method update of dict object at 0x702bdd6ae640> Application
nodejs node.js 8.0.0 <built-in method update of dict object at 0x702b80610dc0> Application
nodejs node.js 8.1.0 <built-in method update of dict object at 0x702bdd6ada40> Application
nodejs node.js 8.1.1 <built-in method update of dict object at 0x702bdd12ab00> Application
nodejs node.js 8.1.2 <built-in method update of dict object at 0x702ba7d64840> Application
nodejs node.js 8.1.3 <built-in method update of dict object at 0x702b80611580> Application
nodejs node.js 8.1.4 <built-in method update of dict object at 0x702bfc4209c0> Application
nodejs node.js 8.2.0 <built-in method update of dict object at 0x702bdd6ae240> Application
nodejs node.js 8.2.1 <built-in method update of dict object at 0x702ba7d67580> Application
nodejs node.js 8.3.0 <built-in method update of dict object at 0x702b80612d80> Application
nodejs node.js 8.4.0 <built-in method update of dict object at 0x702bdd307240> Application
nodejs node.js 8.5.0 <built-in method update of dict object at 0x702bdd6f5900> Application
nodejs node.js 8.6.0 <built-in method update of dict object at 0x702bdd6ad100> Application
nodejs node.js 8.7.0 <built-in method update of dict object at 0x702bdc60ca00> Application

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:nodejs:node.js:4.8.2:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:4.8.3:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:4.8.4:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:6.10.2:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:6.10.3:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:6.11.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:6.11.1:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:6.11.2:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:6.11.3:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:6.11.4:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:8.0.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:8.1.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:8.1.1:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:8.1.2:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:8.1.3:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:8.1.4:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:8.2.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:8.2.1:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:8.3.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:8.4.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:8.5.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:8.6.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:nodejs:node.js:8.7.0:*:*:*:*:*:*:*

References

Notification
Message here