{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2018-09-03T00:00:00", "datePublic": "2016-07-22T00:00:00", "descriptions": [{"lang": "en", "value": "NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-09-06T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "RHSA-2016:2101", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2016:2101"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/"}, {"name": "RHSA-2017:2912", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2912"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/advisories/130"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://access.redhat.com/security/cve/cve-2016-1000232"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2018-09-03T16:07:16.985208", "DATE_REQUESTED": "2016-10-28T00:00:00", "ID": "CVE-2016-1000232", "REQUESTER": "kurt@seifried.org", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "RHSA-2016:2101", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:2101"}, {"name": "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/", "refsource": "CONFIRM", "url": "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/"}, {"name": "RHSA-2017:2912", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2912"}, {"name": "https://www.npmjs.com/advisories/130", "refsource": "MISC", "url": "https://www.npmjs.com/advisories/130"}, {"name": "https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae", "refsource": "CONFIRM", "url": "https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae"}, {"name": "https://access.redhat.com/security/cve/cve-2016-1000232", "refsource": "CONFIRM", "url": "https://access.redhat.com/security/cve/cve-2016-1000232"}, {"name": "https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534", "refsource": "CONFIRM", "url": "https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T03:55:27.288Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2016:2101", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2016:2101"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/"}, {"name": "RHSA-2017:2912", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2912"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/advisories/130"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://access.redhat.com/security/cve/cve-2016-1000232"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-1000232", "datePublished": "2018-09-05T17:00:00", "dateReserved": "2016-10-28T00:00:00", "dateUpdated": "2024-08-06T03:55:27.288Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:salesforce:tough-cookie:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "9B7EC26C-C544-47C3-B87E-2971A5DB375B", "versionEndIncluding": "2.2.2", "versionStartIncluding": "0.9.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:api_connect:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3CA4E58-A2AE-4C86-AB58-207672DF824B", "versionEndIncluding": "5.0.6.5", "versionStartIncluding": "5.0.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:api_connect:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D9A18C2-9C5D-4C3D-9552-FF45BC4C55F4", "versionEndIncluding": "5.0.7.2", "versionStartIncluding": "5.0.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:api_connect:5.0.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "3282F566-5B1F-4F9C-97BE-5DCD2204F7D0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "93E3194E-7082-4E21-867B-FB4ECF482A07", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "C10044B3-FBB1-4031-9060-D3A2915B164C", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.3:*:*:*:*:*:*:*", "matchCriteriaId": "EA3ADA26-2B9E-4ABA-A224-910BD75CCE00", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0."}, {"lang": "es", "value": "NodeJS Tough-Cookie 2.2.2 contiene una vulnerabilidad de an\u00e1lisis de expresiones regulares en el an\u00e1lisis de la cabecera de cookie de petici\u00f3n HTTP que puede resultar en una denegaci\u00f3n de servicio (DoS). Este ataque parece ser explotable mediante una cabecera HTTP personalizada pasada por el cliente. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n 2.3.0."}], "id": "CVE-2016-1000232", "lastModified": "2018-10-31T15:02:32.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-09-05T17:29:00.373", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2016:2101"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:2912"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/cve-2016-1000232"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.npmjs.com/advisories/130"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2016:2101", "cpe": "cpe:/a:redhat:openshift:3.2::el7", "package": "nodejs-0:0.10.47-2.el7", "product_name": "Red Hat OpenShift Container Platform 3.2", "release_date": "2016-10-27T00:00:00Z"}, {"advisory": "RHSA-2016:2101", "cpe": "cpe:/a:redhat:openshift:3.2::el7", "package": "nodejs-tough-cookie-0:2.3.1-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.2", "release_date": "2016-10-27T00:00:00Z"}, {"advisory": "RHSA-2016:2101", "cpe": "cpe:/a:redhat:openshift:3.3::el7", "package": "nodejs-0:0.10.47-2.el7", "product_name": "Red Hat OpenShift Container Platform 3.3", "release_date": "2016-10-27T00:00:00Z"}, {"advisory": "RHSA-2016:2101", "cpe": "cpe:/a:redhat:openshift:3.3::el7", "package": "nodejs-tough-cookie-0:2.3.1-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.3", "release_date": "2016-10-27T00:00:00Z"}, {"advisory": "RHSA-2016:2101", "cpe": "cpe:/a:redhat:openshift:3.1::el7", "package": "nodejs-0:0.10.47-2.el7", "product_name": "Red Hat OpenShift Enterprise 3.1", "release_date": "2016-10-27T00:00:00Z"}, {"advisory": "RHSA-2016:2101", "cpe": "cpe:/a:redhat:openshift:3.1::el7", "package": "nodejs-tough-cookie-0:2.3.1-1.el7", "product_name": "Red Hat OpenShift Enterprise 3.1", "release_date": "2016-10-27T00:00:00Z"}, {"advisory": "RHSA-2017:2912", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-nodejs4-nodejs-tough-cookie-0:2.3.3-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2017-10-18T00:00:00Z"}, {"advisory": "RHSA-2017:2912", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-nodejs4-nodejs-tough-cookie-0:2.3.3-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2017-10-18T00:00:00Z"}, {"advisory": "RHSA-2017:2912", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-nodejs4-nodejs-tough-cookie-0:2.3.3-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2017-10-18T00:00:00Z"}, {"advisory": "RHSA-2017:2912", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-nodejs4-nodejs-tough-cookie-0:2.3.3-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS", "release_date": "2017-10-18T00:00:00Z"}], "bugzilla": {"description": "nodejs-tough-cookie: regular expression DoS via Cookie header with many semicolons", "id": "1359818", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1359818"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "verified"}, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-400", "details": ["NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.", "A regular expression denial of service flaw was found in Tough-Cookie. An attacker able to make an application using Touch-Cookie to parse an HTTP header with many semicolons could cause the application to consume an excessive amount of CPU."], "name": "CVE-2016-1000232", "package_state": [{"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Will not fix", "package_name": "nodejs010-nodejs-tough-cookie", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Not affected", "package_name": "rh-nodejs6-nodejs-tough-cookie", "product_name": "Red Hat Software Collections"}], "public_date": "2016-07-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-1000232\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-1000232\nhttps://nodesecurity.io/advisories/130"], "threat_severity": "Moderate", "upstream_fix": "nodejs-tough-cookie 2.3.0"}