Vulnerability Details : CVE-2022-21208
The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.
Vulnerability category: Denial of service
Products affected by CVE-2022-21208
- cpe:2.3:a:node-opcua_project:node-opcua:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-21208
0.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 29 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-21208
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST | |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
Snyk |
CWE ids for CVE-2022-21208
-
The product does not properly control the allocation and maintenance of a limited resource.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-21208
-
https://security.snyk.io/vuln/SNYK-JS-NODEOPCUA-2988723
Denial of Service (DoS) in node-opcua | CVE-2022-21208 | SnykThird Party Advisory
-
https://github.com/node-opcua/node-opcua/pull/1149
Feature/mm by erossignon · Pull Request #1149 · node-opcua/node-opcua · GitHubPatch;Third Party Advisory
-
https://github.com/node-opcua/node-opcua/commit/33ca3bab4ab781392a2f8d8f5a14de9a0aa0e410
fix message chunk overflow detection · node-opcua/node-opcua@33ca3ba · GitHubPatch;Third Party Advisory
-
https://github.com/node-opcua/node-opcua/commit/dbcb5d5191118c22ee9c89332a94b94e6553d76b
PacketAssembler add chunksize verification & refactor · node-opcua/node-opcua@dbcb5d5 · GitHubPatch;Third Party Advisory
Jump to