CVE-2024-45590 - Vulnerability Details

body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Expressjs	Body-parser
Openjsf	Body-parser
Redhat	Advanced Cluster Security Discovery Network Observ Optr Openshift Openshift Data Foundation Openshift Distributed Tracing Openshift Gitops Rhdh Rhmt Service Mesh Trusted Profile Analyzer

Configuration 1 [-]

cpe:2.3:a:openjsf:body-parser:*:*:*:*:*:node.js:*:*

Package	CPE	Advisory	Released Date
Discovery 1 for RHEL 9
discovery/discovery-server-rhel9:1.12.0-1	cpe:/o:redhat:discovery:1.0::el9	RHSA-2025:1249	2025-02-10T00:00:00Z
discovery/discovery-ui-rhel9:1.12.0-1	cpe:/o:redhat:discovery:1.0::el9	RHSA-2025:1249	2025-02-10T00:00:00Z
NETWORK-OBSERVABILITY-1.7.0-RHEL-9
network-observability/network-observability-cli-rhel9:v1.7.0-67	cpe:/a:redhat:network_observ_optr:1.7.0::el9	RHSA-2024:8014	2024-10-22T00:00:00Z
network-observability/network-observability-console-plugin-rhel9:v1.7.0-67	cpe:/a:redhat:network_observ_optr:1.7.0::el9	RHSA-2024:8014	2024-10-22T00:00:00Z
network-observability/network-observability-ebpf-agent-rhel9:v1.7.0-67	cpe:/a:redhat:network_observ_optr:1.7.0::el9	RHSA-2024:8014	2024-10-22T00:00:00Z
network-observability/network-observability-flowlogs-pipeline-rhel9:v1.7.0-67	cpe:/a:redhat:network_observ_optr:1.7.0::el9	RHSA-2024:8014	2024-10-22T00:00:00Z
network-observability/network-observability-operator-bundle:1.7.0-86	cpe:/a:redhat:network_observ_optr:1.7.0::el9	RHSA-2024:8014	2024-10-22T00:00:00Z
network-observability/network-observability-rhel9-operator:v1.7.0-67	cpe:/a:redhat:network_observ_optr:1.7.0::el9	RHSA-2024:8014	2024-10-22T00:00:00Z
Red Hat Advanced Cluster Security 4.4
advanced-cluster-security/rhacs-main-rhel8:4.4.6-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2024:9583	2024-11-13T00:00:00Z
Red Hat Advanced Cluster Security 4.5
advanced-cluster-security/rhacs-main-rhel8:4.5.5-3	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:10186	2024-11-22T00:00:00Z
Red Hat Developer Hub 1.3 on RHEL 9
rhdh/rhdh-hub-rhel9:1.3-124	cpe:/a:redhat:rhdh:1.3::el9	RHBA-2024:9054	2024-11-11T00:00:00Z
Red Hat Migration Toolkit for Containers 1.8
rhmtc/openshift-migration-ui-rhel8:v1.8.5-7	cpe:/a:redhat:rhmt:1.8::el8	RHSA-2024:10906	2024-12-10T00:00:00Z
Red Hat OpenShift Container Platform 4.17
openshift4/nmstate-console-plugin-rhel9:v4.17.0-202501301204.p0.gcffdc60.assembly.stream.el9	cpe:/a:redhat:openshift:4.17::el9	RHSA-2025:0875	2025-02-05T00:00:00Z
Red Hat OpenShift GitOps 1.12
openshift-gitops-1/argocd-rhel8:v1.12.6-2	cpe:/a:redhat:openshift_gitops:1.12::el8	RHSA-2024:8677	2024-10-30T00:00:00Z
openshift-gitops-1/argo-rollouts-rhel8:v1.12.6-2	cpe:/a:redhat:openshift_gitops:1.12::el8	RHSA-2024:8677	2024-10-30T00:00:00Z
openshift-gitops-1/console-plugin-rhel8:v1.12.6-2	cpe:/a:redhat:openshift_gitops:1.12::el8	RHSA-2024:8677	2024-10-30T00:00:00Z
openshift-gitops-1/dex-rhel8:v1.12.6-2	cpe:/a:redhat:openshift_gitops:1.12::el8	RHSA-2024:8677	2024-10-30T00:00:00Z
openshift-gitops-1/gitops-operator-bundle:v1.12.6-2	cpe:/a:redhat:openshift_gitops:1.12::el8	RHSA-2024:8677	2024-10-30T00:00:00Z
openshift-gitops-1/gitops-rhel8:v1.12.6-2	cpe:/a:redhat:openshift_gitops:1.12::el8	RHSA-2024:8677	2024-10-30T00:00:00Z
openshift-gitops-1/gitops-rhel8-operator:v1.12.6-2	cpe:/a:redhat:openshift_gitops:1.12::el8	RHSA-2024:8677	2024-10-30T00:00:00Z
openshift-gitops-1/kam-delivery-rhel8:v1.12.6-2	cpe:/a:redhat:openshift_gitops:1.12::el8	RHSA-2024:8677	2024-10-30T00:00:00Z
openshift-gitops-1/must-gather-rhel8:v1.12.6-2	cpe:/a:redhat:openshift_gitops:1.12::el8	RHSA-2024:8677	2024-10-30T00:00:00Z
Red Hat OpenShift GitOps 1.12 - RHEL 9
openshift-gitops-argocd-rhel9-container-v1.12.6-1	cpe:/a:redhat:openshift_gitops:1.12::el9	RHSA-2024:8677	2024-10-30T00:00:00Z
Red Hat OpenShift GitOps 1.13
openshift-gitops-1/argocd-rhel8:v1.13.2-4	cpe:/a:redhat:openshift_gitops:1.13::el8	RHSA-2024:8581	2024-10-29T00:00:00Z
openshift-gitops-1/argo-rollouts-rhel8:v1.13.2-4	cpe:/a:redhat:openshift_gitops:1.13::el8	RHSA-2024:8581	2024-10-29T00:00:00Z
openshift-gitops-1/console-plugin-rhel8:v1.13.2-4	cpe:/a:redhat:openshift_gitops:1.13::el8	RHSA-2024:8581	2024-10-29T00:00:00Z
openshift-gitops-1/dex-rhel8:v1.13.2-4	cpe:/a:redhat:openshift_gitops:1.13::el8	RHSA-2024:8581	2024-10-29T00:00:00Z
openshift-gitops-1/gitops-operator-bundle:v1.13.2-4	cpe:/a:redhat:openshift_gitops:1.13::el8	RHSA-2024:8581	2024-10-29T00:00:00Z
openshift-gitops-1/gitops-rhel8:v1.13.2-4	cpe:/a:redhat:openshift_gitops:1.13::el8	RHSA-2024:8581	2024-10-29T00:00:00Z
openshift-gitops-1/gitops-rhel8-operator:v1.13.2-4	cpe:/a:redhat:openshift_gitops:1.13::el8	RHSA-2024:8581	2024-10-29T00:00:00Z
openshift-gitops-1/kam-delivery-rhel8:v1.13.2-4	cpe:/a:redhat:openshift_gitops:1.13::el8	RHSA-2024:8581	2024-10-29T00:00:00Z
openshift-gitops-1/must-gather-rhel8:v1.13.2-4	cpe:/a:redhat:openshift_gitops:1.13::el8	RHSA-2024:8581	2024-10-29T00:00:00Z
openshift-gitops-argocd-rhel9-container-v1.13.2-5	cpe:/a:redhat:openshift_gitops:1.13::el8	RHSA-2024:8581	2024-10-29T00:00:00Z
Red Hat OpenShift Service Mesh 2.5 for RHEL 8
openshift-service-mesh/grafana-rhel8:2.5.5-3	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:7725	2024-10-07T00:00:00Z
openshift-service-mesh/istio-cni-rhel8:2.5.5-4	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:7725	2024-10-07T00:00:00Z
openshift-service-mesh/istio-must-gather-rhel8:2.5.5-4	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:7725	2024-10-07T00:00:00Z
openshift-service-mesh/kiali-ossmc-rhel8:1.73.14-3	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:7725	2024-10-07T00:00:00Z
openshift-service-mesh/kiali-rhel8:1.73.15-3	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:7725	2024-10-07T00:00:00Z
openshift-service-mesh/pilot-rhel8:2.5.5-4	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:7725	2024-10-07T00:00:00Z
openshift-service-mesh/proxyv2-rhel8:2.5.5-6	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:7725	2024-10-07T00:00:00Z
openshift-service-mesh/ratelimit-rhel8:2.5.5-3	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:7725	2024-10-07T00:00:00Z
Red Hat OpenShift Service Mesh 2.6 for RHEL 8
openshift-service-mesh/grafana-rhel8:2.6.2-3	cpe:/a:redhat:service_mesh:2.6::el8	RHSA-2024:7726	2024-10-07T00:00:00Z
openshift-service-mesh/istio-cni-rhel8:2.6.2-5	cpe:/a:redhat:service_mesh:2.6::el8	RHSA-2024:7726	2024-10-07T00:00:00Z
openshift-service-mesh/istio-must-gather-rhel8:2.6.2-4	cpe:/a:redhat:service_mesh:2.6::el8	RHSA-2024:7726	2024-10-07T00:00:00Z
openshift-service-mesh/istio-rhel8-operator:2.6.2-5	cpe:/a:redhat:service_mesh:2.6::el8	RHSA-2024:7726	2024-10-07T00:00:00Z
openshift-service-mesh/kiali-ossmc-rhel8:1.89.2-3	cpe:/a:redhat:service_mesh:2.6::el8	RHSA-2024:7726	2024-10-07T00:00:00Z
openshift-service-mesh/kiali-rhel8:1.89.4-3	cpe:/a:redhat:service_mesh:2.6::el8	RHSA-2024:7726	2024-10-07T00:00:00Z
openshift-service-mesh/kiali-rhel8-operator:1.89.6-1	cpe:/a:redhat:service_mesh:2.6::el8	RHSA-2024:7726	2024-10-07T00:00:00Z
openshift-service-mesh/pilot-rhel8:2.6.2-5	cpe:/a:redhat:service_mesh:2.6::el8	RHSA-2024:7726	2024-10-07T00:00:00Z
openshift-service-mesh/ratelimit-rhel8:2.6.2-3	cpe:/a:redhat:service_mesh:2.6::el8	RHSA-2024:7726	2024-10-07T00:00:00Z
Red Hat OpenShift Service Mesh 2.6 for RHEL 9
openshift-service-mesh/proxyv2-rhel9:2.6.2-7	cpe:/a:redhat:service_mesh:2.6::el9	RHSA-2024:7726	2024-10-07T00:00:00Z
RHODF-4.16-RHEL-9
odf4/mcg-core-rhel9:v4.16.3-1	cpe:/a:redhat:openshift_data_foundation:4.16::el9	RHSA-2024:8113	2024-10-15T00:00:00Z
RHODF-4.17-RHEL-9
odf4/mcg-core-rhel9:v4.17.0-69	cpe:/a:redhat:openshift_data_foundation:4.17::el9	RHSA-2024:8676	2024-10-30T00:00:00Z
Red Hat Developer Hub (RHDH) 1.4
registry.redhat.io/rhdh/rhdh-hub-rhel9:sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3	cpe:/a:redhat:rhdh:1.4::el9	RHBA-2024:11265	2024-12-17T00:00:00Z
Red Hat OpenShift distributed tracing 3.4
registry.redhat.io/rhosdt/jaeger-query-rhel8:sha256:7ce3c91962c904cffc5446c0ba6263124ea4b8a17963fbbefabacac73daf4851	cpe:/a:redhat:openshift_distributed_tracing:3.4::el8	RHSA-2024:10917	2024-12-10T00:00:00Z
registry.redhat.io/rhosdt/jaeger-query-rhel8:sha256:8d0e9eb0894de1289dfa9556cf9411874df3111f3e84471256de6b2d75ecd829	cpe:/a:redhat:openshift_distributed_tracing:3.4::el8	RHSA-2024:10962	2024-12-11T00:00:00Z
Red Hat Trusted Profile Analyzer 1.2
registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:c1a20911cb6cc59707f517f6203c2f8cb26644ee25dd0ed967393c5f57194464	cpe:/a:redhat:trusted_profile_analyzer:1.2::el9	RHSA-2024:9884	2024-11-18T00:00:00Z
registry.redhat.io/rhtpa/rhtpa-guac-rhel9:sha256:6911d51ce44779ef1a5f3428486698d19779da9316d799e0968047f01cef37f7	cpe:/a:redhat:trusted_profile_analyzer:1.2::el9	RHSA-2024:9885	2024-11-18T00:00:00Z

References

Link	Providers
https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce
https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7
https://nvd.nist.gov/vuln/detail/CVE-2024-45590
https://www.cve.org/CVERecord?id=CVE-2024-45590

History

Thu, 20 Mar 2025 15:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhdh:1.3::el9

Fri, 14 Feb 2025 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhdh
CPEs		cpe:/a:redhat:rhdh:1.4::el9
Vendors & Products		Redhat rhdh

Thu, 13 Feb 2025 00:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat discovery Redhat openshift
CPEs		cpe:/a:redhat:openshift:4.17::el9 cpe:/o:redhat:discovery:1.0::el9
Vendors & Products		Redhat discovery Redhat openshift

Thu, 12 Dec 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat openshift Distributed Tracing
CPEs		cpe:/a:redhat:openshift_distributed_tracing:3.4::el8
Vendors & Products		Redhat openshift Distributed Tracing

Tue, 10 Dec 2024 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhmt
CPEs		cpe:/a:redhat:rhmt:1.8::el8
Vendors & Products		Redhat rhmt

Mon, 02 Dec 2024 02:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:advanced_cluster_security:4.5::el8

Fri, 22 Nov 2024 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat trusted Profile Analyzer
CPEs		cpe:/a:redhat:trusted_profile_analyzer:1.2::el9
Vendors & Products		Redhat trusted Profile Analyzer

Thu, 14 Nov 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat advanced Cluster Security
CPEs		cpe:/a:redhat:advanced_cluster_security:4.4::el8
Vendors & Products		Redhat advanced Cluster Security

Thu, 31 Oct 2024 02:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift_data_foundation:4.17::el9 cpe:/a:redhat:openshift_gitops:1.12::el8 cpe:/a:redhat:openshift_gitops:1.12::el9

Wed, 30 Oct 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat openshift Gitops
CPEs		cpe:/a:redhat:openshift_gitops:1.13::el8
Vendors & Products		Redhat openshift Gitops

Tue, 22 Oct 2024 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat network Observ Optr
CPEs		cpe:/a:redhat:network_observ_optr:1.7.0::el9
Vendors & Products		Redhat network Observ Optr

Wed, 16 Oct 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat openshift Data Foundation
CPEs		cpe:/a:redhat:openshift_data_foundation:4.16::el9
Vendors & Products		Redhat openshift Data Foundation

Tue, 08 Oct 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat service Mesh
CPEs		cpe:/a:redhat:service_mesh:2.5::el8 cpe:/a:redhat:service_mesh:2.6::el8 cpe:/a:redhat:service_mesh:2.6::el9
Vendors & Products		Redhat Redhat service Mesh

Fri, 20 Sep 2024 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Openjsf Openjsf body-parser
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:openjsf:body-parser::::::node.js::*
Vendors & Products		Openjsf Openjsf body-parser

Tue, 10 Sep 2024 21:30:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2024-45590 https://www.cve.org/CVERecord?id=CVE-2024-45590
Metrics	threat_severity `None`	threat_severity `Important`

Tue, 10 Sep 2024 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Expressjs Expressjs body-parser
CPEs		cpe:2.3:a:expressjs:body-parser::::::::
Vendors & Products		Expressjs Expressjs body-parser
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Sep 2024 16:15:00 +0000

Type	Values Removed	Values Added
Description		body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
Title		body-parser vulnerable to denial of service when url encoding is enabled
Weaknesses		CWE-405
References		https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-09-10T15:54:02.330Z

Updated: 2024-09-10T18:47:22.965Z

Reserved: 2024-09-02T16:00:02.422Z

Link: CVE-2024-45590

Vulnrichment

Updated: 2024-09-10T18:45:10.928Z

NVD

Status : Analyzed

Published: 2024-09-10T16:15:21.083

Modified: 2024-09-20T16:26:44.977

Link: CVE-2024-45590

Redhat

Severity : Important

Publid Date: 2024-09-10T16:15:21Z

Links: CVE-2024-45590 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45590", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-02T16:00:02.422Z", "datePublished": "2024-09-10T15:54:02.330Z", "dateUpdated": "2024-09-10T18:47:22.965Z"}, "containers": {"cna": {"title": "body-parser vulnerable to denial of service when url encoding is enabled", "problemTypes": [{"descriptions": [{"cweId": "CWE-405", "lang": "en", "description": "CWE-405: Asymmetric Resource Consumption (Amplification)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7"}, {"name": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", "tags": ["x_refsource_MISC"], "url": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce"}], "affected": [{"vendor": "expressjs", "product": "body-parser", "versions": [{"version": "< 1.20.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-10T15:54:02.330Z"}, "descriptions": [{"lang": "en", "value": "body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3."}], "source": {"advisory": "GHSA-qwcr-r2fm-qrc7", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "expressjs", "product": "body-parser", "cpes": ["cpe:2.3:a:expressjs:body-parser:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.20.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-10T18:42:41.773305Z", "id": "CVE-2024-45590", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-10T18:47:22.965Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45590", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T18:42:41.773305Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:expressjs:body-parser:*:*:*:*:*:*:*:*"], "vendor": "expressjs", "product": "body-parser", "versions": [{"status": "affected", "version": "0", "lessThan": "1.20.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-10T18:45:10.928Z"}}], "cna": {"title": "body-parser vulnerable to denial of service when url encoding is enabled", "source": {"advisory": "GHSA-qwcr-r2fm-qrc7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "expressjs", "product": "body-parser", "versions": [{"status": "affected", "version": "< 1.20.3"}]}], "references": [{"url": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", "name": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", "name": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-405", "description": "CWE-405: Asymmetric Resource Consumption (Amplification)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-10T15:54:02.330Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45590", "state": "PUBLISHED", "dateUpdated": "2024-09-10T18:47:22.965Z", "dateReserved": "2024-09-02T16:00:02.422Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-10T15:54:02.330Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openjsf:body-parser:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "42A6B188-985D-4F15-B31B-46D67F4E3F07", "versionEndExcluding": "1.20.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3."}, {"lang": "es", "value": "body-parser es un middleware de an\u00e1lisis de cuerpo de Node.js. body-parser en versiones anteriores a la 1.20.3 es vulnerable a la denegaci\u00f3n de servicio cuando la codificaci\u00f3n de URL est\u00e1 habilitada. Un actor malintencionado que utilice un payload especialmente manipulado podr\u00eda inundar el servidor con una gran cantidad de solicitudes, lo que provocar\u00eda una denegaci\u00f3n de servicio. Este problema se solucion\u00f3 en la versi\u00f3n 1.20.3."}], "id": "CVE-2024-45590", "lastModified": "2024-09-20T16:26:44.977", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-10T16:15:21.083", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-405"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:1249", "cpe": "cpe:/o:redhat:discovery:1.0::el9", "package": "discovery/discovery-server-rhel9:1.12.0-1", "product_name": "Discovery 1 for RHEL 9", "release_date": "2025-02-10T00:00:00Z"}, {"advisory": "RHSA-2025:1249", "cpe": "cpe:/o:redhat:discovery:1.0::el9", "package": "discovery/discovery-ui-rhel9:1.12.0-1", "product_name": "Discovery 1 for RHEL 9", "release_date": "2025-02-10T00:00:00Z"}, {"advisory": "RHSA-2024:8014", "cpe": "cpe:/a:redhat:network_observ_optr:1.7.0::el9", "package": "network-observability/network-observability-cli-rhel9:v1.7.0-67", "product_name": "NETWORK-OBSERVABILITY-1.7.0-RHEL-9", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8014", "cpe": "cpe:/a:redhat:network_observ_optr:1.7.0::el9", "package": "network-observability/network-observability-console-plugin-rhel9:v1.7.0-67", "product_name": "NETWORK-OBSERVABILITY-1.7.0-RHEL-9", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8014", "cpe": "cpe:/a:redhat:network_observ_optr:1.7.0::el9", "package": "network-observability/network-observability-ebpf-agent-rhel9:v1.7.0-67", "product_name": "NETWORK-OBSERVABILITY-1.7.0-RHEL-9", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8014", "cpe": "cpe:/a:redhat:network_observ_optr:1.7.0::el9", "package": "network-observability/network-observability-flowlogs-pipeline-rhel9:v1.7.0-67", "product_name": "NETWORK-OBSERVABILITY-1.7.0-RHEL-9", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8014", "cpe": "cpe:/a:redhat:network_observ_optr:1.7.0::el9", "package": "network-observability/network-observability-operator-bundle:1.7.0-86", "product_name": "NETWORK-OBSERVABILITY-1.7.0-RHEL-9", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8014", "cpe": "cpe:/a:redhat:network_observ_optr:1.7.0::el9", "package": "network-observability/network-observability-rhel9-operator:v1.7.0-67", "product_name": "NETWORK-OBSERVABILITY-1.7.0-RHEL-9", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:9583", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.4::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.4.6-2", "product_name": "Red Hat Advanced Cluster Security 4.4", "release_date": "2024-11-13T00:00:00Z"}, {"advisory": "RHSA-2024:10186", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.5.5-3", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-11-22T00:00:00Z"}, {"advisory": "RHBA-2024:9054", "cpe": "cpe:/a:redhat:rhdh:1.3::el9", "package": "rhdh/rhdh-hub-rhel9:1.3-124", "product_name": "Red Hat Developer Hub 1.3 on RHEL 9", "release_date": "2024-11-11T00:00:00Z"}, {"advisory": "RHSA-2024:10906", "cpe": "cpe:/a:redhat:rhmt:1.8::el8", "package": "rhmtc/openshift-migration-ui-rhel8:v1.8.5-7", "product_name": "Red Hat Migration Toolkit for Containers 1.8", "release_date": "2024-12-10T00:00:00Z"}, {"advisory": "RHSA-2025:0875", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/nmstate-console-plugin-rhel9:v4.17.0-202501301204.p0.gcffdc60.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-02-05T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/argocd-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/argo-rollouts-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/console-plugin-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/dex-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/gitops-operator-bundle:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/gitops-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/gitops-rhel8-operator:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/kam-delivery-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/must-gather-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el9", "package": "openshift-gitops-argocd-rhel9-container-v1.12.6-1", "product_name": "Red Hat OpenShift GitOps 1.12 - RHEL 9", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/argocd-rhel8:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/argo-rollouts-rhel8:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/console-plugin-rhel8:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/dex-rhel8:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/gitops-operator-bundle:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/gitops-rhel8:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/gitops-rhel8-operator:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/kam-delivery-rhel8:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/must-gather-rhel8:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-argocd-rhel9-container-v1.13.2-5", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:7725", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/grafana-rhel8:2.5.5-3", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7725", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/istio-cni-rhel8:2.5.5-4", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7725", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/istio-must-gather-rhel8:2.5.5-4", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7725", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/kiali-ossmc-rhel8:1.73.14-3", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7725", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/kiali-rhel8:1.73.15-3", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7725", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/pilot-rhel8:2.5.5-4", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7725", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/proxyv2-rhel8:2.5.5-6", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7725", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/ratelimit-rhel8:2.5.5-3", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/grafana-rhel8:2.6.2-3", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/istio-cni-rhel8:2.6.2-5", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/istio-must-gather-rhel8:2.6.2-4", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/istio-rhel8-operator:2.6.2-5", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/kiali-ossmc-rhel8:1.89.2-3", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/kiali-rhel8:1.89.4-3", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/kiali-rhel8-operator:1.89.6-1", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/pilot-rhel8:2.6.2-5", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/ratelimit-rhel8:2.6.2-3", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el9", "package": "openshift-service-mesh/proxyv2-rhel9:2.6.2-7", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 9", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:8113", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.16::el9", "package": "odf4/mcg-core-rhel9:v4.16.3-1", "product_name": "RHODF-4.16-RHEL-9", "release_date": "2024-10-15T00:00:00Z"}, {"advisory": "RHSA-2024:8676", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.17::el9", "package": "odf4/mcg-core-rhel9:v4.17.0-69", "product_name": "RHODF-4.17-RHEL-9", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHBA-2024:11265", "cpe": "cpe:/a:redhat:rhdh:1.4::el9", "package": "registry.redhat.io/rhdh/rhdh-hub-rhel9:sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3", "product_name": "Red Hat Developer Hub (RHDH) 1.4", "release_date": "2024-12-17T00:00:00Z"}, {"advisory": "RHSA-2024:10917", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.4::el8", "package": "registry.redhat.io/rhosdt/jaeger-query-rhel8:sha256:7ce3c91962c904cffc5446c0ba6263124ea4b8a17963fbbefabacac73daf4851", "product_name": "Red Hat OpenShift distributed tracing 3.4", "release_date": "2024-12-10T00:00:00Z"}, {"advisory": "RHSA-2024:10962", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.4::el8", "package": "registry.redhat.io/rhosdt/jaeger-query-rhel8:sha256:8d0e9eb0894de1289dfa9556cf9411874df3111f3e84471256de6b2d75ecd829", "product_name": "Red Hat OpenShift distributed tracing 3.4", "release_date": "2024-12-11T00:00:00Z"}, {"advisory": "RHSA-2024:9884", "cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.2::el9", "package": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:c1a20911cb6cc59707f517f6203c2f8cb26644ee25dd0ed967393c5f57194464", "product_name": "Red Hat Trusted Profile Analyzer 1.2", "release_date": "2024-11-18T00:00:00Z"}, {"advisory": "RHSA-2024:9885", "cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.2::el9", "package": "registry.redhat.io/rhtpa/rhtpa-guac-rhel9:sha256:6911d51ce44779ef1a5f3428486698d19779da9316d799e0968047f01cef37f7", "product_name": "Red Hat Trusted Profile Analyzer 1.2", "release_date": "2024-11-18T00:00:00Z"}], "bugzilla": {"description": "body-parser: Denial of Service Vulnerability in body-parser", "id": "2311171", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311171"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-405", "details": ["body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.", "A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-45590", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:3", "fix_state": "Affected", "package_name": "body-parser", "product_name": "Cryostat 3"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/logging-view-plugin-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:7", "fix_state": "Affected", "package_name": "mta/mta-cli-rhel9", "product_name": "Migration Toolkit for Applications 7"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:7", "fix_state": "Affected", "package_name": "mta/mta-ui-rhel9", "product_name": "Migration Toolkit for Applications 7"}, {"cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1", "fix_state": "Affected", "package_name": "body-parser", "product_name": "Migration Toolkit for Runtimes"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Not affected", "package_name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Not affected", "package_name": "multicluster-engine/console-mce-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Not affected", "package_name": "multicluster-engine/multicluster-engine-console-mce-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:workload_availability_node_healthcheck", "fix_state": "Will not fix", "package_name": "workload-availability/node-remediation-console-rhel8", "product_name": "Node HealthCheck Operator"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "openshift-lightspeed-beta/lightspeed-console-plugin-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines-console-plugin-rhel8-container", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Will not fix", "package_name": "openshift-pipelines/pipelines-hub-api-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Will not fix", "package_name": "openshift-pipelines/pipelines-hub-db-migration-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Will not fix", "package_name": "openshift-pipelines/pipelines-hub-ui-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "body-parser", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-amp-system-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/console-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-central-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-rhel8-operator", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-scanner-v4-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Will not fix", "package_name": "aap-cloud-ui-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-24/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-eda-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Not affected", "package_name": "body-parser", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "body-parser", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Will not fix", "package_name": "body-parser", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Will not fix", "package_name": "body-parser", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-operator-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "mozjs60", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "polkit", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "body-parser", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "body-parser", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "body-parser", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "body-parser", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "body-parser", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "odh-dashboard-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "odh-operator-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "openshift3/ose-console", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-monitoring-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-networking-console-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "package_name": "ocs4/mcg-core-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/ocs-client-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-multicluster-console-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Not affected", "package_name": "rhods/odh-operator-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Not affected", "package_name": "rhods/odh-rhel8-operator", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/traefik-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-agent-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-collector-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-es-index-cleaner-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-es-rollover-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-ingester-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/jaeger-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Will not fix", "package_name": "container-native-virtualization/kubevirt-console-plugin", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Will not fix", "package_name": "container-native-virtualization/kubevirt-console-plugin-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "body-parser", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2024-09-10T16:15:21Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-45590\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-45590\nhttps://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce\nhttps://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7"], "threat_severity": "Important"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object