Vulnerability Details : CVE-2019-5737
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.
Vulnerability category: Denial of service
Products affected by CVE-2019-5737
- cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-5737
38.83%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-5737
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2019-5737
-
The product does not properly control the allocation and maintenance of a limited resource.Assigned by: cve-request@iojs.org (Secondary)
-
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-5737
-
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
February 2019 Security Releases | Node.jsThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00059.html
[security-announce] openSUSE-SU-2019:1211-1: moderate: Security update fMailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html
[security-announce] openSUSE-SU-2019:1173-1: moderate: Security update fMailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html
[security-announce] openSUSE-SU-2019:1076-1: moderate: Security update fMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:1821
RHSA-2019:1821 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://security.netapp.com/advisory/ntap-20190502-0008/
April 2019 Node.js Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://security.gentoo.org/glsa/202003-48
Node.js: Multiple vulnerabilities (GLSA 202003-48) — Gentoo securityThird Party Advisory
Jump to