CVE-2022-36313 - OpenCVE

An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
File-type Project	File-type
Redhat	Jboss Data Grid

Configuration 1 [-]

OR	cpe:2.3:a:file-type_project:file-type::::::node.js::*
	cpe:2.3:a:file-type_project:file-type::::::node.js::*

Package	CPE	Advisory	Released Date
Red Hat Data Grid 8.4.1
file-type	cpe:/a:redhat:jboss_data_grid:8	RHSA-2023:0713	2023-02-09T00:00:00Z

References

Link	Providers
https://github.com/sindresorhus/file-type/releases/tag/v16.5.4
https://github.com/sindresorhus/file-type/releases/tag/v17.1.3
https://nvd.nist.gov/vuln/detail/CVE-2022-36313
https://security.netapp.com/advisory/ntap-20220909-0005/
https://www.cve.org/CVERecord?id=CVE-2022-36313
https://www.npmjs.com/package/file-type

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-07-21T15:31:27

Updated: 2024-08-03T10:00:04.274Z

Reserved: 2022-07-20T00:00:00

Link: CVE-2022-36313

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-07-21T16:15:09.297

Modified: 2022-10-27T13:25:12.297

Link: CVE-2022-36313

Redhat

Severity : Moderate

Publid Date: 2022-07-21T00:00:00Z

Links: CVE-2022-36313 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-09T17:06:19", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/file-type"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sindresorhus/file-type/releases/tag/v17.1.3"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sindresorhus/file-type/releases/tag/v16.5.4"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220909-0005/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-36313", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.npmjs.com/package/file-type", "refsource": "MISC", "url": "https://www.npmjs.com/package/file-type"}, {"name": "https://github.com/sindresorhus/file-type/releases/tag/v17.1.3", "refsource": "CONFIRM", "url": "https://github.com/sindresorhus/file-type/releases/tag/v17.1.3"}, {"name": "https://github.com/sindresorhus/file-type/releases/tag/v16.5.4", "refsource": "CONFIRM", "url": "https://github.com/sindresorhus/file-type/releases/tag/v16.5.4"}, {"name": "https://security.netapp.com/advisory/ntap-20220909-0005/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220909-0005/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:00:04.274Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/file-type"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/sindresorhus/file-type/releases/tag/v17.1.3"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/sindresorhus/file-type/releases/tag/v16.5.4"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20220909-0005/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-36313", "datePublished": "2022-07-21T15:31:27", "dateReserved": "2022-07-20T00:00:00", "dateUpdated": "2024-08-03T10:00:04.274Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:file-type_project:file-type:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BE2B24AA-4945-4F53-ABF0-823C6579253A", "versionEndExcluding": "16.5.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:file-type_project:file-type:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "4B4A5553-EF4B-48F2-8380-502D125691AB", "versionEndExcluding": "17.1.3", "versionStartIncluding": "17.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack."}, {"lang": "es", "value": "Se ha detectado un problema en el paquete file-type versiones anteriores a 16.5.4 y 17.x anteriores a 17.1.3 para Node.js. Un archivo MKV malformado pod\u00eda causar que el detector de tipo de archivo quedara atrapado en un bucle infinito. Esto har\u00eda que la aplicaci\u00f3n dejara de responder y podr\u00eda usarse para causar un ataque DoS"}], "id": "CVE-2022-36313", "lastModified": "2022-10-27T13:25:12.297", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-21T16:15:09.297", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/sindresorhus/file-type/releases/tag/v16.5.4"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/sindresorhus/file-type/releases/tag/v17.1.3"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220909-0005/"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://www.npmjs.com/package/file-type"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:0713", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "package": "file-type", "product_name": "Red Hat Data Grid 8.4.1", "release_date": "2023-02-09T00:00:00Z"}], "bugzilla": {"description": "file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop", "id": "2159682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2159682"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-835", "details": ["An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.", "A flaw was found in the file-type npm package. A malformed MKV file could lead the file type detector to a denial of Service. This issue allows an attacker to input a malicious file and make the server unresponsive."], "name": "CVE-2022-36313", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "migration-toolkit-virtualization/mtv-ui-rhel8", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-central-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-docs-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Will not fix", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-rhel8-operator", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "file-type", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "file-type", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "fix_state": "Affected", "package_name": "devspaces/code-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "fix_state": "Not affected", "package_name": "devspaces/idea-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "fix_state": "Will not fix", "package_name": "devspaces-theia-endpoint-rhel8-container", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "fix_state": "Will not fix", "package_name": "devspaces-theia-rhel8-container", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2022-07-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-36313\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-36313"], "threat_severity": "Moderate", "upstream_fix": "file-type 16.5.4, file-type 17.1.3, file-type 18.0.0"}