oss-sec mailing list archives
Re: CVE request: various NodeJS module vulnerabilities
From: cve-assign () mitre org
Date: Tue, 30 Sep 2014 00:53:42 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
qs Denial-of-Service Memory Exhaustion https://nodesecurity.io/advisories/qs_dos_memory_exhaustion
The description seems to suggest that there should be an arbitrary limit on the index value. That, by itself, might not be considered a vulnerability report; however, omitting the call to the compact function can probably be considered a security problem. Use CVE-2014-7191 for the https://github.com/raymondfeng/node-querystring/commit/43a604b7847e56bba49d0ce3e222fe89569354d8 commit.
qs Denial-of-Service Extended Event Loop Blocking https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking
This has no references to the specific code changes, and the discussion suggests that this is a security enhancement -- adding new resource-limit functionality that hadn't existed before 1.0.0 -- not a fix to the implementation of existing functionality. Accordingly, no CVE ID is currently being assigned.
syntax-error potential for script injection https://nodesecurity.io/advisories/syntax-error-potential-script-injection
This seems to have multiple possible interpretations of where the vulnerability is. "In node 0.10, Function() seems to be implemented in terms of eval(), so malicious code can execute even if the function returned by Function() was never called" doesn't seem to be a statement of an eval injection vulnerability affecting all 0.10.x versions. Instead, https://nodesecurity.io/advisories/syntax-error-potential-script-injection seems to be only about the https://github.com/substack/node-syntax-error/commit/9aa4e66eb90ec595d2dba55e6f9c2dd9a668b309 commit. The affected product is only the syntax-error package from the http://www.npmjs.org/package/syntax-error web site. Use CVE-2014-7192.
send Directory Traversal https://nodesecurity.io/advisories/send-directory-traversal
The CVE ID is already listed on that web page.
Crumb CORS Token Disclosure https://nodesecurity.io/advisories/crumb_cors_token_disclosure
Use CVE-2014-7193.
Arbitrary JavaScript Execution in Bassmaster https://nodesecurity.io/advisories/bassmaster_js_injection
Use CVE-2014-7205. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJUKjayAAoJEKllVAevmvmsyGUIAIn3usYJEiGNn1bV2MKMLViU SPZjEGB94Uq3CbJHnAFXUGveRwANkdaePoyBDGB8xWDGcPsCBsBIcxD1W31LCNOf x4R7hEB/+AmGtiZI+AiwxMlOzG508ymEygK/YgP3RUT8HwJhDmfT9Gs9S1hC83XN 5BcmBojhEZuESm5w7V/jV+xTUgb9KEEDNldiNRpyn/iFy++5TArtiYF6ldfllpFL VQBiC3npo+eJUABFkFWZxm9e7GcI8asYpVdhXE1z5lvc2/4x43auKUcDLOXZJP6h O7liLJ44g/phRRhal53FUxG8rO1mzP8zcmHKVKnm1lnNSFBwRbMA/nG16gKUhh8= =oKCI -----END PGP SIGNATURE-----
Current thread:
- CVE request: various NodeJS module vulnerabilities Paul Wise (Sep 23)
- Re: CVE request: various NodeJS module vulnerabilities cve-assign (Sep 29)
- <Possible follow-ups>
- CVE request: various NodeJS module vulnerabilities Paul Wise (Sep 28)