{"containers": {"cna": {"affected": [{"product": "nodejs-http-proxy-agent", "vendor": "n/a", "versions": [{"status": "affected", "version": "prior to nodejs-http-proxy-agent 2.1.0"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in http-proxy-agent, prior to version 2.1.0. It was discovered http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-665", "description": "CWE-665", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-19T19:22:17", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1567245"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/advisories/607"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2019-10196", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "nodejs-http-proxy-agent", "version": {"version_data": [{"version_value": "prior to nodejs-http-proxy-agent 2.1.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in http-proxy-agent, prior to version 2.1.0. It was discovered http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-665"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1567245", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1567245"}, {"name": "https://www.npmjs.com/advisories/607", "refsource": "MISC", "url": "https://www.npmjs.com/advisories/607"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:17:18.934Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1567245"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/advisories/607"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-10196", "datePublished": "2021-03-19T19:22:17", "dateReserved": "2019-03-27T00:00:00", "dateUpdated": "2024-08-04T22:17:18.934Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:http-proxy-agent_project:http-proxy-agent:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "73C4F548-6ACD-4D24-8A0D-2185CA08FE11", "versionEndExcluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:27:*:*:*:*:*:*:*", "matchCriteriaId": "DBEACBFF-6D05-4B69-BF7A-F7E539D9BF6E", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*", "matchCriteriaId": "749804DA-4B27-492A-9ABA-6BB562A6B3AC", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in http-proxy-agent, prior to version 2.1.0. It was discovered http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en http-proxy-agent, versiones anteriores a 2.1.0. Se detect\u00f3 que http-proxy-agent pasa una opci\u00f3n de autenticaci\u00f3n al constructor de Buffer sin un saneamiento apropiado. Esto podr\u00eda resultar en una Denegaci\u00f3n de Servicio mediante el uso de todos los recursos de CPU disponibles y la exposici\u00f3n de datos por medio de una p\u00e9rdida de memoria no inicializada en configuraciones donde un atacante podr\u00eda enviar una entrada escrita hacia el par\u00e1metro auth"}], "id": "CVE-2019-10196", "lastModified": "2021-03-25T19:21:06.447", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 8.5, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-19T20:15:13.097", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1567245"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.npmjs.com/advisories/607"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-665"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"bugzilla": {"description": "nodejs-http-proxy-agent: Denial of Service and data leak due to improper buffer sanitization", "id": "1567245", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1567245"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-665", "details": ["A flaw was found in http-proxy-agent, prior to version 2.1.0. It was discovered http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter.", "A flaw was found in http-proxy-agent, prior to version 2.1.0. It was discovered http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter."], "name": "CVE-2019-10196", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:10/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Out of support scope", "package_name": "nodejs-http-proxy-agent", "product_name": "Red Hat Mobile Application Platform 4"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nodejs10-npm", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-nodejs8-npm", "product_name": "Red Hat Software Collections"}], "public_date": "2018-04-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-10196\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10196\nhttps://www.npmjs.com/advisories/607"], "statement": "This issue did not affect the versions of nodejs as shipped with Red Hat Enterprise Linux 8 as they already include the patched code.\nThis issue did not affect the versions of rh-nodejs10-nodejs as shipped with Red Hat Software Collections 3 as they already include the patched code.", "threat_severity": "Moderate", "upstream_fix": "nodejs-http-proxy-agent 2.1.0"}