F5:K000139532
May 07, 2024 - 12:00 a.m.

K000139532 : Node.js vulnerability CVE-2024-27983

2024-05-07 00:00:00
my.f5.com
node.js
http/2
dos

CVSS3: 8.2 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

AI Score: 7.9 High
Confidence: High

CVSS2: 6.4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P

EPSS: 0.0004 Low
Percentile: 14.6%

Security Advisory Description

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of HTTP/2 frame packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with an HTTP/2 CONTINUATION frame are sent to the server and the TCP connection is then abruptly closed by the client, triggering the Http2Session destructor while header frames are still being processed (and stored in memory), which causes a race condition. (CVE-2024-27983)

Impact

An attacker may be able to cause a denial-of-service (DoS) by sending a small number of HTTP/2 frame packets with a few HTTP/2 frames inside.

Vendor  Product       Version  CPE
f5      big\-ip_next  20.0.1   cpe:2.3:a:f5:big\-ip_next:20.0.1:*:*:*:*:*:*:*
f5      big\-ip_next  20.0.2   cpe:2.3:a:f5:big\-ip_next:20.0.2:*:*:*:*:*:*:*
f5      big\-ip_next  20.1.0   cpe:2.3:a:f5:big\-ip_next:20.1.0:*:*:*:*:*:*:*
f5      big\-ip_next  20.1.1   cpe:2.3:a:f5:big\-ip_next:20.1.1:*:*:*:*:*:*:*
f5      big\-ip_next  20.2.0   cpe:2.3:a:f5:big\-ip_next:20.2.0:*:*:*:*:*:*:*
f5      big\-ip_next  1.1.0    cpe:2.3:a:f5:big\-ip_next:1.1.0:*:*:*:*:*:*:*
f5      big\-ip_next  1.1.1    cpe:2.3:a:f5:big\-ip_next:1.1.1:*:*:*:*:*:*:*
f5      big\-ip_next  1.2.0    cpe:2.3:a:f5:big\-ip_next:1.2.0:*:*:*:*:*:*:*
f5      big\-ip_next  1.2.1    cpe:2.3:a:f5:big\-ip_next:1.2.1:*:*:*:*:*:*:*
f5      big\-ip_next  1.3.0    cpe:2.3:a:f5:big\-ip_next:1.3.0:*:*:*:*:*:*:*