skywalking-backend-js is vulnerable to denial of service. An attacker can crash the application by providing a malicious SkyWalking header to the `from` function of `ContextCarrier.ts`, which improperly validates the `sw8` headers and causes OAP to be unhealthy and the downstream service's agent to be unable to establish the connection.
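The kind of strict check whose absence the description points to, as an added example (not the project's code and not the fix from the linked commit): a parser that returns `undefined` for any malformed `sw8` value instead of throwing. The eight-field layout is assumed from SkyWalking's cross-process propagation headers protocol v3; `parseSw8`, `decodeField`, `MAX_HEADER_LEN` and the sample values are hypothetical names and constructed data.

```javascript
// Added example: defensive parsing of an sw8 propagation header in Node.js.
// Assumed layout (SkyWalking propagation protocol v3), '-' separated:
//   sample - traceId - segmentId - spanId - service - instance - endpoint - address
// All fields except sample and spanId are Base64-encoded strings.
const SW8_FIELDS = 8;
const MAX_HEADER_LEN = 2048; // assumed upper bound, tune for your deployment
const BASE64 = /^[A-Za-z0-9+/]+={0,2}$/;

// Decode one Base64 field; undefined when it is not clean Base64 or not clean text.
function decodeField(field) {
  if (field.length % 4 !== 0 || !BASE64.test(field)) return undefined;
  const text = Buffer.from(field, 'base64').toString('utf8');
  // Reject empty values, control characters and invalid UTF-8 (U+FFFD).
  if (text.length === 0 || /[\u0000-\u001f\u007f\ufffd]/.test(text)) return undefined;
  return text;
}

// Returns the parsed carrier, or undefined for anything malformed. Never throws,
// so a hostile header cannot take down the request handler that calls it.
function parseSw8(value) {
  if (typeof value !== 'string' || value.length === 0) return undefined;
  if (value.length > MAX_HEADER_LEN) return undefined;
  const parts = value.split('-');
  if (parts.length !== SW8_FIELDS) return undefined;
  const [sample, traceId, segmentId, spanId, service, instance, endpoint, address] = parts;
  if (sample !== '0' && sample !== '1') return undefined;
  if (!/^\d{1,9}$/.test(spanId)) return undefined;
  const decoded = [traceId, segmentId, service, instance, endpoint, address].map(decodeField);
  if (decoded.some((d) => d === undefined)) return undefined;
  return {
    sampled: sample === '1',
    traceId: decoded[0],
    segmentId: decoded[1],
    spanId: Number(spanId),
    service: decoded[2],
    instance: decoded[3],
    endpoint: decoded[4],
    clientAddress: decoded[5],
  };
}

// Constructed sample header (not captured traffic).
const enc = (s) => Buffer.from(s, 'utf8').toString('base64');
const SAMPLE_SW8 = ['1', enc('trace-1'), enc('segment-1'), '3', enc('svc'),
  enc('instance-a'), enc('/checkout'), enc('10.0.0.1:8080')].join('-');

console.log(parseSw8(SAMPLE_SW8));  // parsed carrier object
console.log(parseSw8('1-abc'));     // undefined: wrong field count
```

A caller treats `undefined` as "no upstream context" and starts a new trace rather than propagating the error.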
| CPE | Name | Operator | Version |
|---|---|---|---|
| | skywalking-backend-js | le | 0.5.0 |
www.openwall.com/lists/oss-security/2022/07/18/1
github.com/advisories/GHSA-8gpg-466c-5cpj
github.com/apache/skywalking-nodejs/commit/75afb3ec7a40263ce9317d9e535ce46b296b546a
github.com/apache/skywalking-nodejs/pull/90
github.com/apache/skywalking/issues/7505
lists.apache.org/thread/x238wo4r5goy39dxdjcmlofp6gcdnqr3