{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22019", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2024-01-04T01:04:06.574Z", "datePublished": "2024-02-20T01:31:08.092Z", "dateUpdated": "2024-08-01T22:35:34.700Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits."}], "affected": [{"defaultStatus": "unaffected", "vendor": "Node.js", "product": "Node.js", "versions": [{"version": "21.6.1", "status": "affected", "lessThanOrEqual": "21.6.1", "versionType": "semver"}]}], "references": [{"url": "https://hackerone.com/reports/2233486"}, {"url": "https://security.netapp.com/advisory/ntap-20240315-0004/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/11/1"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2024-02-20T01:31:08.092Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22019", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-20T16:07:59.638704Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:52:49.946Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.700Z"}, "title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/2233486", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240315-0004/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/11/1", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/2233486", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240315-0004/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/11/1", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.700Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22019", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-20T16:07:59.638704Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:11.710Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "affected": [{"vendor": "Node.js", "product": "Node.js", "versions": [{"status": "affected", "version": "21.6.1", "versionType": "semver", "lessThanOrEqual": "21.6.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://hackerone.com/reports/2233486"}, {"url": "https://security.netapp.com/advisory/ntap-20240315-0004/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/11/1"}], "descriptions": [{"lang": "en", "value": "A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2024-02-20T01:31:08.092Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22019", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:35:34.700Z", "dateReserved": "2024-01-04T01:04:06.574Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2024-02-20T01:31:08.092Z", "assignerShortName": "hackerone"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits."}, {"lang": "es", "value": "Una vulnerabilidad en los servidores HTTP de Node.js permite a un atacante enviar una solicitud HTTP especialmente manipulada con codificaci\u00f3n fragmentada, lo que provoca el agotamiento de los recursos y la denegaci\u00f3n de servicio (DoS). El servidor lee una cantidad ilimitada de bytes de una \u00fanica conexi\u00f3n, aprovechando la falta de limitaciones en los bytes de extensi\u00f3n de fragmentos. El problema puede provocar el agotamiento del ancho de banda de la CPU y de la red, pasando por alto salvaguardas est\u00e1ndar como tiempos de espera y l\u00edmites de tama\u00f1o corporal."}], "id": "CVE-2024-22019", "lastModified": "2024-05-01T18:15:13.800", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2024-02-20T02:15:50.983", "references": [{"source": "support@hackerone.com", "url": "http://www.openwall.com/lists/oss-security/2024/03/11/1"}, {"source": "support@hackerone.com", "url": "https://hackerone.com/reports/2233486"}, {"source": "support@hackerone.com", "url": "https://security.netapp.com/advisory/ntap-20240315-0004/"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:1444", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:16-8090020240315081818.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-03-20T00:00:00Z"}, {"advisory": "RHSA-2024:1510", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:18-8090020240301110609.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-03-26T00:00:00Z"}, {"advisory": "RHSA-2024:1687", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:20-8090020240228165436.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-04-08T00:00:00Z"}, {"advisory": "RHSA-2024:2793", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "nodejs:16-8060020240318185600.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-05-09T00:00:00Z"}, {"advisory": "RHSA-2024:1880", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "nodejs:18-8080020240322102042.63b34585", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:2651", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "nodejs:16-8080020240318185426.63b34585", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-05-02T00:00:00Z"}, {"advisory": "RHSA-2024:1438", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs-1:16.20.2-4.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-03-20T00:00:00Z"}, {"advisory": "RHSA-2024:1503", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:18-9030020240301111035.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-03-25T00:00:00Z"}, {"advisory": "RHSA-2024:1688", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:20-9030020240229115828.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-08T00:00:00Z"}, {"advisory": "RHSA-2024:1424", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "nodejs-1:16.20.2-4.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1678", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "nodejs-1:16.20.2-4.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-04-04T00:00:00Z"}, {"advisory": "RHSA-2024:1932", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "nodejs:18-9020020240322155241.rhel9", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1354", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs14-nodejs-0:14.21.3-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2024-03-18T00:00:00Z"}], "bugzilla": {"description": "nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks", "id": "2264574", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264574"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.", "A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-22019", "package_state": [{"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/mcg-core-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}], "public_date": "2024-02-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-22019\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-22019"], "statement": "While this vulnerability in Node.js HTTP servers poses a significant risk to system stability and availability, it is classified as a important severity issue rather than a critical one due to several factors. Firstly, while the vulnerability can lead to denial of service (DoS) attacks by causing resource exhaustion, it does not directly compromise the confidentiality or integrity of data stored or processed by the server. Additionally, the exploit requires the attacker to send specially crafted HTTP requests, which may limit the ease and scope of potential attacks compared to more critical vulnerabilities that can be exploited remotely without specific conditions.", "threat_severity": "Important", "upstream_fix": "node 18.19.1"}