Source: Ubuntu.com (ubuntucve), ID UB:CVE-2018-7158
Published: May 17, 2018 - 12:00 a.m.

CVE-2018-7158

Tags: node.js, path module, redos, denial of service, cve-2018-7158, vulnerability

CVSS2: 5
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

CVSS3: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

EPSS: 0.001
Percentile: 49.1%

The 'path' module in the Node.js 4.x release line contains a potential
regular expression denial of service (ReDoS) vector. The code in question
was replaced in Node.js 6.x and later, so this vulnerability affects only
Node.js 4.x, in all versions of that release line. The regular expression
splitPathRe, used within the 'path' module by the various path parsing
functions, including path.dirname(), path.extname() and path.parse(), was
structured in such a way that an attacker could craft a string that, when
passed through one of these functions, could take a significant amount of
time to evaluate, potentially leading to a full denial of service.

OS      Version  Architecture  Package  Version  Filename
ubuntu  14.04    noarch        nodejs   < any    UNKNOWN
ubuntu  16.04    noarch        nodejs   < any    UNKNOWN
