CVE-2017-15871 - OpenCVE

The deserialize function in serialize-to-js through 1.1.1 allows attackers to cause a denial of service via vectors involving an Immediately Invoked Function Expression "function()" substring, as demonstrated by a "function(){console.log(" call or a simple infinite loop. NOTE: the vendor agrees that denial of service can occur but notes that deserialize is explicitly listed as "harmful" within the README.md file

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Serialize-to-js Project	Serialize-to-js

Configuration 1 [-]

cpe:2.3:a:serialize-to-js_project:serialize-to-js:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/commenthol/serialize-to-js/issues/3
https://kay-malwarebenchmark.github.io/blog/cve-2017-15871-dos-through-iife/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-10-24T20:00:00

Updated: 2024-08-05T20:04:50.509Z

Reserved: 2017-10-24T00:00:00

Link: CVE-2017-15871

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-10-24T20:29:00.203

Modified: 2024-08-05T20:15:33.070

Link: CVE-2017-15871

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-10-24T00:00:00", "descriptions": [{"lang": "en", "value": "The deserialize function in serialize-to-js through 1.1.1 allows attackers to cause a denial of service via vectors involving an Immediately Invoked Function Expression \"function()\" substring, as demonstrated by a \"function(){console.log(\" call or a simple infinite loop. NOTE: the vendor agrees that denial of service can occur but notes that deserialize is explicitly listed as \"harmful\" within the README.md file"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-16T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15871-dos-through-iife/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/commenthol/serialize-to-js/issues/3"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-15871", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** The deserialize function in serialize-to-js through 1.1.1 allows attackers to cause a denial of service via vectors involving an Immediately Invoked Function Expression \"function()\" substring, as demonstrated by a \"function(){console.log(\" call or a simple infinite loop. NOTE: the vendor agrees that denial of service can occur but notes that deserialize is explicitly listed as \"harmful\" within the README.md file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15871-dos-through-iife/", "refsource": "MISC", "url": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15871-dos-through-iife/"}, {"name": "https://github.com/commenthol/serialize-to-js/issues/3", "refsource": "MISC", "url": "https://github.com/commenthol/serialize-to-js/issues/3"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T20:04:50.509Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15871-dos-through-iife/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/commenthol/serialize-to-js/issues/3"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-15871", "datePublished": "2017-10-24T20:00:00", "dateReserved": "2017-10-24T00:00:00", "dateUpdated": "2024-08-05T20:04:50.509Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:serialize-to-js_project:serialize-to-js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B15C493D-01B9-4575-A4BD-390437BB3842", "versionEndIncluding": "1.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "The deserialize function in serialize-to-js through 1.1.1 allows attackers to cause a denial of service via vectors involving an Immediately Invoked Function Expression \"function()\" substring, as demonstrated by a \"function(){console.log(\" call or a simple infinite loop. NOTE: the vendor agrees that denial of service can occur but notes that deserialize is explicitly listed as \"harmful\" within the README.md file"}, {"lang": "es", "value": "** EN DISPUTA ** La funci\u00f3n deserialize en serialize-to-js hasta la versi\u00f3n 1.1.1 permite a los atacantes provocar una denegaci\u00f3n de servicio (DoS) mediante vectores que involucren una subcadena de una funci\u00f3n IIFE (Immediately Invoked Function Expression), tal y como se demuestra en una llamada \"function(){console.log(\" o un simple bucle infinito. NOTA: el fabricante est\u00e1 de acuerdo con que puede ocurrir la denegaci\u00f3n de servicio, pero puntualiza que la funci\u00f3n deserialize est\u00e1 expl\u00edcitamente listada como \"da\u00f1ina\" en el archivo README.md."}], "id": "CVE-2017-15871", "lastModified": "2024-08-05T20:15:33.070", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-24T20:29:00.203", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/commenthol/serialize-to-js/issues/3"}, {"source": "cve@mitre.org", "tags": ["Broken Link", "Exploit", "Third Party Advisory"], "url": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15871-dos-through-iife/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "nvd@nist.gov", "type": "Primary"}]}