7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.
Recent assessments:
SherlockSec at March 09, 2020 9:11pm UTC reported:
This is a Denial of Service CVE, but with a twist. Normally, denial of service attacks consist of flooding a server with enough traffic so that it ceases to operate. This CVE is different, as it is a Slowloris DoS. Slowloris DoS attacks hang a server by opening as many threads as possible before waiting the max amount of time that they can before sending data. When they finally send data, they send as small of an amount of data as the server will allow. This keeps all the threads open for as long as possible, meaning no new connections can be opened, thus causing a denial of service. For a more detailed explanation of a Slowloris attack, please see the following video: <https://www.youtube.com/watch?v=XiFkyR35v2Y> .
This particular CVE affects all versions of Node.JS prior to 6.15.0, 8.14.0, 10.14.0 and 11.3.0. Node patched this by applying a 40 second timeout to servers receiving HTTP headers, and can be customized. As a patch has been released, please patch accordingly.
Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 3
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P