CVE-2017-16137 - OpenCVE

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debug Project	Debug
Redhat	Quay

Configuration 1 [-]

OR	cpe:2.3:a:debug_project:debug::::::node.js::*
	cpe:2.3:a:debug_project:debug::::::node.js::*

Package	CPE	Advisory	Released Date
Red Hat Quay 3
quay/quay-rhel8:v3.6.0-62	cpe:/a:redhat:quay:3::el8	RHSA-2021:3917	2021-10-19T00:00:00Z

References

Link	Providers
https://github.com/visionmedia/debug/issues/501
https://github.com/visionmedia/debug/pull/504
https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E
https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E
https://nodesecurity.io/advisories/534
https://nvd.nist.gov/vuln/detail/CVE-2017-16137
https://www.cve.org/CVERecord?id=CVE-2017-16137

History

No history.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2018-06-07T02:00:00Z

Updated: 2024-09-16T19:00:36.638Z

Reserved: 2017-10-29T00:00:00

Link: CVE-2017-16137

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-06-07T02:29:03.817

Modified: 2023-11-07T02:40:28.130

Link: CVE-2017-16137

Redhat

Severity : Moderate

Publid Date: 2017-09-05T00:00:00Z

Links: CVE-2017-16137 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "debug node module", "vendor": "HackerOne", "versions": [{"status": "affected", "version": "<= 2.6.8 || >= 3.0.0 <= 3.0.1"}]}], "datePublic": "2018-04-26T00:00:00", "descriptions": [{"lang": "en", "value": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "Denial of Service (CWE-400)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-04-30T00:06:23", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/visionmedia/debug/pull/504"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/visionmedia/debug/issues/501"}, {"tags": ["x_refsource_MISC"], "url": "https://nodesecurity.io/advisories/534"}, {"name": "[netbeans-commits] 20200429 [jira] [Created] (NETBEANS-4280) cleanup potential security breaches", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E"}, {"name": "[netbeans-notifications] 20200429 [GitHub] [netbeans] BradWalker opened a new pull request #2110: [NETBEANS-4280] - cleanup potential security breaches", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "DATE_PUBLIC": "2018-04-26T00:00:00", "ID": "CVE-2017-16137", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "debug node module", "version": {"version_data": [{"version_value": "<= 2.6.8 || >= 3.0.0 <= 3.0.1"}]}}]}, "vendor_name": "HackerOne"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Denial of Service (CWE-400)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/visionmedia/debug/pull/504", "refsource": "MISC", "url": "https://github.com/visionmedia/debug/pull/504"}, {"name": "https://github.com/visionmedia/debug/issues/501", "refsource": "MISC", "url": "https://github.com/visionmedia/debug/issues/501"}, {"name": "https://nodesecurity.io/advisories/534", "refsource": "MISC", "url": "https://nodesecurity.io/advisories/534"}, {"name": "[netbeans-commits] 20200429 [jira] [Created] (NETBEANS-4280) cleanup potential security breaches", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E"}, {"name": "[netbeans-notifications] 20200429 [GitHub] [netbeans] BradWalker opened a new pull request #2110: [NETBEANS-4280] - cleanup potential security breaches", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T20:13:07.261Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/visionmedia/debug/pull/504"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/visionmedia/debug/issues/501"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://nodesecurity.io/advisories/534"}, {"name": "[netbeans-commits] 20200429 [jira] [Created] (NETBEANS-4280) cleanup potential security breaches", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E"}, {"name": "[netbeans-notifications] 20200429 [GitHub] [netbeans] BradWalker opened a new pull request #2110: [NETBEANS-4280] - cleanup potential security breaches", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2017-16137", "datePublished": "2018-06-07T02:00:00Z", "dateReserved": "2017-10-29T00:00:00", "dateUpdated": "2024-09-16T19:00:36.638Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:debug_project:debug:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F2573252-A4FF-4CEF-8A11-0CAC9DEA9C1F", "versionEndExcluding": "2.6.9", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:debug_project:debug:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "99ADECFD-F975-432D-A043-217796B14EA5", "versionEndExcluding": "3.1.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue."}, {"lang": "es", "value": "El m\u00f3dulo debug es vulnerable a una denegaci\u00f3n de servicio (DoS) por expresiones regulares cuando se le pasan entradas de usuario no fiables en el formateador o. Son necesarios alrededor de 50.000 caracteres para bloquear durante 2 segundos, por lo que este es un problema de baja gravedad."}], "id": "CVE-2017-16137", "lastModified": "2023-11-07T02:40:28.130", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-07T02:29:03.817", "references": [{"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://github.com/visionmedia/debug/issues/501"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/visionmedia/debug/pull/504"}, {"source": "support@hackerone.com", "url": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E"}, {"source": "support@hackerone.com", "url": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://nodesecurity.io/advisories/534"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:3917", "cpe": "cpe:/a:redhat:quay:3::el8", "impact": "low", "package": "quay/quay-rhel8:v3.6.0-62", "product_name": "Red Hat Quay 3", "release_date": "2021-10-19T00:00:00Z"}], "bugzilla": {"description": "nodejs-debug: Regular expression Denial of Service", "id": "1500705", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1500705"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-20", "details": ["The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue."], "name": "CVE-2017-16137", "package_state": [{"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Not affected", "package_name": "rhmap-fh-aaa-docker", "product_name": "Red Hat Mobile Application Platform 4"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Not affected", "package_name": "rhmap-fh-appstore-docker", "product_name": "Red Hat Mobile Application Platform 4"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Not affected", "package_name": "rhmap-fh-mbaas-docker", "product_name": "Red Hat Mobile Application Platform 4"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Not affected", "package_name": "rhmap-fh-messaging-docker", "product_name": "Red Hat Mobile Application Platform 4"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Not affected", "package_name": "rhmap-fh-metrics-docker", "product_name": "Red Hat Mobile Application Platform 4"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Not affected", "package_name": "rhmap-fh-ngui-docker", "product_name": "Red Hat Mobile Application Platform 4"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Not affected", "package_name": "rhmap-fh-scm-docker", "product_name": "Red Hat Mobile Application Platform 4"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Not affected", "package_name": "rhmap-fh-statsd-docker", "product_name": "Red Hat Mobile Application Platform 4"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Not affected", "package_name": "rhmap-fh-supercore-docker", "product_name": "Red Hat Mobile Application Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:3", "fix_state": "Will not fix", "package_name": "nodejs-debug", "product_name": "Red Hat OpenShift Enterprise 3"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-nodejs4-nodejs-debug", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-nodejs6-nodejs-debug", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-nodejs8-nodejs-debug", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Out of support scope", "package_name": "ovirt-engine-api-explorer", "product_name": "Red Hat Virtualization 4"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Not affected", "package_name": "ovirt-engine-dashboard", "product_name": "Red Hat Virtualization 4"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Not affected", "package_name": "ovirt-engine-ui-extensions", "product_name": "Red Hat Virtualization 4"}], "public_date": "2017-09-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-16137\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-16137"], "statement": "This issue affects the versions of rh-nodejs4-nodejs-debug, rh-nodejs6-nodejs-debug, and rh-nodejs8-nodejs-debug as shipped with Red Hat Software Collections 3. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.\nRed Hat Virtualization 4.2 EUS includes a vulnerable version of nodejs-debug as a part of the ovirt-engine-api-explorer package. This package is removed in Red Hat Virtualization 4.3.\nRed Hat Quay includes the debug library as a dependency of karma-webpack. It is only used at build time, and not runtime so its impact is reduce to low in Red Hat Quay.", "threat_severity": "Moderate", "upstream_fix": "nodejs-debug 2.6.9, nodejs-debug 3.1.0"}