Vulnerability Name:

CVE-2013-4450 (CCN-88171)

Assigned:2013-10-19
Published:2013-10-19
Updated:2018-08-13
Summary:The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined requests without reading the response.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
4.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
4.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-20
Vulnerability Consequences:Denial of Service
References:Source: CONFIRM
Type: Patch
http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/

Source: CONFIRM
Type: Patch
http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance/

Source: MITRE
Type: CNA
CVE-2013-4450

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2013:1863

Source: CCN
Type: Node.js Web site
node.js

Source: REDHAT
Type: UNKNOWN
RHSA-2013:1842

Source: CCN
Type: oss-sec Mailing List, Sat, 19 Oct 2013 22:25:52 -0600
Re: CVE Request: Node.js HTTP Pipelining DoS

Source: CCN
Type: SA54873
Node.js Pipelined HTTP Requests Handling Denial of Service Vulnerability

Source: MLIST
Type: UNKNOWN
[oss-security] 20131019 Re: CVE Request: Node.js HTTP Pipelining DoS

Source: BID
Type: UNKNOWN
63229

Source: CCN
Type: BID-63229
Node.js CVE-2013-4450 Denial of Service Vulnerability

Source: XF
Type: UNKNOWN
nodejs-cve20134450-dos(88171)

Source: CONFIRM
Type: UNKNOWN
https://github.com/joyent/node/issues/6214

Source: MISC
Type: Exploit
https://github.com/rapid7/metasploit-framework/pull/2548

Source: MISC
Type: UNKNOWN
https://groups.google.com/forum/#!topic/nodejs/NEbweYB0ei0

Source: CONFIRM
Type: UNKNOWN
https://kb.juniper.net/JSA10783

Vulnerable Configuration:Configuration 1:
  • cpe:/a:nodejs:nodejs:0.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.1:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.2:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.3:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.4:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.5:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.6:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.7:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.8:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.9:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.10:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.11:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.12:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.13:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.14:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.15:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.16:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.17:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.18:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.19:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.20:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.21:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.22:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.23:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.24:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.25:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.0:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.1:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.2:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.3:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.4:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.5:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.6:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.7:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.8:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.9:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.10:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.11:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.12:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.13:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.14:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.15:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.16:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.17:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.18:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.19:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.20:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:nodejs:node.js:0.10.18:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:node.js:0.8.25:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20134450
    V
    		CVE-2013-4450
    2017-03-01
    oval:com.ubuntu.precise:def:20134450000
    V
    		CVE-2013-4450 on Ubuntu 12.04 LTS (precise) - medium.
    2013-10-21
    oval:com.ubuntu.xenial:def:201344500000000
    V
    		CVE-2013-4450 on Ubuntu 16.04 LTS (xenial) - medium.
    2013-10-21
    oval:com.ubuntu.trusty:def:20134450000
    V
    		CVE-2013-4450 on Ubuntu 14.04 LTS (trusty) - medium.
    2013-10-21
    oval:com.ubuntu.xenial:def:20134450000
    V
    		CVE-2013-4450 on Ubuntu 16.04 LTS (xenial) - medium.
    2013-10-21
    BACK
    nodejs nodejs 0.8.0
    nodejs nodejs 0.8.1
    nodejs nodejs 0.8.2
    nodejs nodejs 0.8.3
    nodejs nodejs 0.8.4
    nodejs nodejs 0.8.5
    nodejs nodejs 0.8.6
    nodejs nodejs 0.8.7
    nodejs nodejs 0.8.8
    nodejs nodejs 0.8.9
    nodejs nodejs 0.8.10
    nodejs nodejs 0.8.11
    nodejs nodejs 0.8.12
    nodejs nodejs 0.8.13
    nodejs nodejs 0.8.14
    nodejs nodejs 0.8.15
    nodejs nodejs 0.8.16
    nodejs nodejs 0.8.17
    nodejs nodejs 0.8.18
    nodejs nodejs 0.8.19
    nodejs nodejs 0.8.20
    nodejs nodejs 0.8.21
    nodejs nodejs 0.8.22
    nodejs nodejs 0.8.23
    nodejs nodejs 0.8.24
    nodejs nodejs 0.8.25
    nodejs nodejs 0.10.0
    nodejs nodejs 0.10.1
    nodejs nodejs 0.10.2
    nodejs nodejs 0.10.3
    nodejs nodejs 0.10.4
    nodejs nodejs 0.10.5
    nodejs nodejs 0.10.6
    nodejs nodejs 0.10.7
    nodejs nodejs 0.10.8
    nodejs nodejs 0.10.9
    nodejs nodejs 0.10.10
    nodejs nodejs 0.10.11
    nodejs nodejs 0.10.12
    nodejs nodejs 0.10.13
    nodejs nodejs 0.10.14
    nodejs nodejs 0.10.15
    nodejs nodejs 0.10.16
    nodejs nodejs 0.10.17
    nodejs nodejs 0.10.18
    nodejs nodejs 0.10.19
    nodejs nodejs 0.10.20
    nodejs node.js 0.10.18
    nodejs node.js 0.8.25