Allocation of Resources Without Limits or Throttling Affecting nodejs package, versions <10.15.3-r0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-ALPINE39-NODEJS-588196
- published 1 Mar 2019
- disclosed 28 Mar 2019
How to fix?
Upgrade Alpine:3.9 nodejs to version 10.15.3-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream nodejs package and not the nodejs package as distributed by Alpine.
See How to fix? for Alpine:3.9 relevant fixed versions and status.
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5737
- https://security-tracker.debian.org/tracker/CVE-2019-5737
- https://security.gentoo.org/glsa/202003-48
- https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
- https://security.netapp.com/advisory/ntap-20190502-0008/
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00059.html
- https://access.redhat.com/errata/RHSA-2019:1821
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5737