CVE-2017-16119 - Vulnerability Details - OpenCVE

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00328.

Key SSVC decision points have not yet been added.

Vendors	Products
Fresh Project	Fresh

Configuration 1 [-]

cpe:2.3:a:fresh_project:fresh:*:*:*:*:*:node.js:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2018-0256	Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Github GHSA	GHSA-9qj9-36jm-prpv	Regular Expression Denial of Service in fresh

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://nodesecurity.io/advisories/526
https://nvd.nist.gov/vuln/detail/CVE-2017-16119
https://www.cve.org/CVERecord?id=CVE-2017-16119

History

No history.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2018-06-07T02:00:00Z

Updated: 2024-09-17T01:52:08.005Z

Reserved: 2017-10-29T00:00:00

Link: CVE-2017-16119

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-06-07T02:29:02.987

Modified: 2024-11-21T03:15:51.530

Link: CVE-2017-16119

Redhat

Severity : Moderate

Publid Date: 2018-06-07T00:00:00Z

Links: CVE-2017-16119 - Bugzilla

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "fresh node module", "vendor": "HackerOne", "versions": [{"status": "affected", "version": "< 0.5.2"}]}], "datePublic": "2018-04-26T00:00:00", "descriptions": [{"lang": "en", "value": "Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "Denial of Service (CWE-400)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-06-07T01:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://nodesecurity.io/advisories/526"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "DATE_PUBLIC": "2018-04-26T00:00:00", "ID": "CVE-2017-16119", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "fresh node module", "version": {"version_data": [{"version_value": "< 0.5.2"}]}}]}, "vendor_name": "HackerOne"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Denial of Service (CWE-400)"}]}]}, "references": {"reference_data": [{"name": "https://nodesecurity.io/advisories/526", "refsource": "MISC", "url": "https://nodesecurity.io/advisories/526"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T20:13:07.207Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://nodesecurity.io/advisories/526"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2017-16119", "datePublished": "2018-06-07T02:00:00Z", "dateReserved": "2017-10-29T00:00:00", "dateUpdated": "2024-09-17T01:52:08.005Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fresh_project:fresh:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "9BB3B576-C56A-4C4F-A0EF-F295392C4285", "versionEndExcluding": "0.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition."}, {"lang": "es", "value": "Fresh es un m\u00f3dulo empleado por el framework Express.js para las pruebas de \"frescura\" de las respuestas HTTP. Es vulnerable a una denegaci\u00f3n de servicio (DoS) por expresiones regulares cuando se le pasan entradas especialmente manipuladas para su an\u00e1lisis. Esto provoca que el bucle de eventos se bloquee, provocando una condici\u00f3n de denegaci\u00f3n de servicio (DoS)."}], "id": "CVE-2017-16119", "lastModified": "2024-11-21T03:15:51.530", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-07T02:29:02.987", "references": [{"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://nodesecurity.io/advisories/526"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://nodesecurity.io/advisories/526"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}