Homepage
About Snyk

Resource Exhaustion Affecting mountebank package, versions <2.3.1

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-MOUNTEBANK-1014529
  • published 30 Sep 2020
  • disclosed 30 Sep 2020
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 30 Sep 2020

CVE NOT AVAILABLE CWE-772 Open this link in a new tab

How to fix?

Upgrade mountebank to version 2.3.1 or higher.

Overview

mountebank is an Over the wire test doubles

Affected versions of this package are vulnerable to Resource Exhaustion. IP whitelisting CLI parameters (--localOnly and --ipWhiteList) were not killing the server end of the socket. In practice, this meant that even though the client connection was killed, the server operation (e.g. creating an imposter) would still succeed. This release ensures that both ends of the socket are immediately closed if the connection originates from an invalid IP address.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.3 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    Low