Vulnerability Details : CVE-2016-1000232
NodeJS Tough-Cookie version 2.2.2 contains a regular expression parsing vulnerability in HTTP request Cookie header parsing that can result in denial of service. The attack appears to be exploitable via a custom HTTP header passed by a client. This vulnerability appears to have been fixed in 2.3.0.
Vulnerability category: Input validation; Denial of service
Products affected by CVE-2016-1000232
- cpe:2.3:a:ibm:api_connect:*:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:api_connect:5.0.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:3.3:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:3.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:3.2:*:*:*:*:*:*:*
- Salesforce » Tough-cookie » For Node.js, versions from 0.9.7 (inclusive) up to and including 2.2.2: cpe:2.3:a:salesforce:tough-cookie:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-1000232
- EPSS score: 0.71% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~81% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2016-1000232
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 | NIST | |
CWE ids for CVE-2016-1000232
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-1000232
- https://www.npmjs.com/advisories/130 (npm) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2017:2912 (RHSA-2017:2912 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534 (Reduce parse time for many semicolons. · salesforce/tough-cookie@e4fc2e0 · GitHub) [Patch; Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2016:2101 (RHSA-2016:2101 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae (Merge pull request #68 from SalesforceEng/fix-too-many-semicolons · salesforce/tough-cookie@6156272 · GitHub) [Patch; Third Party Advisory]
- https://access.redhat.com/security/cve/cve-2016-1000232 (CVE-2016-1000232 - Red Hat Customer Portal) [Third Party Advisory]
- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/ (IBM Security Bulletin: IBM API Connect is affected by Node.js tough-cookie module vulnerability to a denial of service (CVE-2016-1000232) - IBM PSIRT Blog) [Third Party Advisory]