Lucene search

GitHub Advisory DatabaseGHSA-QX2F-477C-35RQ

HistoryJul 24, 2018 - 8:06 p.m.

method-override ReDoS when untrusted user input passed into X-HTTP-Method-Override header

2018-07-2420:06:04

CWE-400

GitHub Advisory Database

github.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

44.8%

JSON

Affected versions of method-override are vulnerable to a regular expression denial of service vulnerability when untrusted user input is passed into the X-HTTP-Method-Override header.

Recommendation

Update to version 2.3.10 or later

Affected configurations

Vulners

Node

methodoverrideRange<2.3.10

methodoverrideMatch1.0.2

CPENameOperatorVersion
method-overridelt2.3.10
method-overrideeq1.0.2

CPE	Name	Operator	Version
	method-override	lt	2.3.10
	method-override	eq	1.0.2

References

github.com/advisories/GHSA-qx2f-477c-35rq

github.com/expressjs/method-override/commit/4c58835a61fdf7a8e070d6f8ecd5379a961d0987

nvd.nist.gov/vuln/detail/CVE-2017-16136

www.npmjs.com/advisories/538

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

44.8%

JSON

Related for GHSA-QX2F-477C-35RQ