SB2018033043 - Resource exhaustion in nodejs-current (Alpine package)




Published: March 30, 2018

Security Bulletin ID: SB2018033043
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Resource exhaustion (CVE-ID: CVE-2018-7158)

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.

The weakness is a resource exhaustion issue in the splitPathRe regular expression, which the core Node.js path module uses in its POSIX path parsing functions. A remote attacker can cause the service to crash by supplying a value that takes a non-trivial amount of time to parse against the RegEx.

Remediation

Install the update from the vendor's website.