Vulnerability Details : CVE-2015-9242
Certain input strings, when passed to new Date() or Date.parse() in the ecstatic node module before 1.4.0, will cause v8 to raise an exception. This leads to a crash and denial of service in ecstatic when this input is passed into the server via the If-Modified-Since header.
Vulnerability category: Input validation, Denial of service
Products affected by CVE-2015-9242
- cpe:2.3:a:ecstatic_project:ecstatic:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-9242
- EPSS score: 0.50% (probability of exploitation activity in the next 30 days)
- Percentile: ~65% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2015-9242
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2015-9242
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
- The product does not properly control the allocation and maintenance of a limited resource. Assigned by: support@hackerone.com (Secondary)
References for CVE-2015-9242
- https://github.com/jfhbrook/node-ecstatic/pull/179
  Illegal access crash from if-modified-since header by substack · Pull Request #179 · jfhbrook/node-ecstatic · GitHub (Issue Tracking; Third Party Advisory)
- https://bugs.chromium.org/p/v8/issues/detail?id=4640
  4640 - illegal access exception from Date strings - v8 - Monorail (Issue Tracking; Third Party Advisory)
- https://nodesecurity.io/advisories/64
  npm (Third Party Advisory)