Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2018-12122 |
CWE-ID | CWE-400 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
nodejs-current (Alpine package) Operating systems & Components / Operating system package or component |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU16169
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-12122
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to the socket is destroyed on the next received chunk when headers are not completely received within this period. A remote attacker can send headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time, consume excessive resources and cause the service to crash.
MitigationInstall update from vendor's website.
Vulnerable software versionsnodejs-current (Alpine package): 11.1.0-r0
External linkshttp://git.alpinelinux.org/aports/commit/?id=bd2573712de1614fdb052e833bc6ab037c54997b
http://git.alpinelinux.org/aports/commit/?id=ef901440524286c30fa8a9bc9d3cef3f36339d9f
http://git.alpinelinux.org/aports/commit/?id=8cdc1514a48e59f1229d3c5f3cf136dc0eabfe16
http://git.alpinelinux.org/aports/commit/?id=1b6fe87123809adb71d7a3a11c0633972d70beed
http://git.alpinelinux.org/aports/commit/?id=d30e50323c5f1784719c4be7a9c21388b2ac6dcb
http://git.alpinelinux.org/aports/commit/?id=9506edbe44db07fc65aab5d444e7e02ca3767187
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.