Vulnerability Name: | CVE-2014-7191 (CCN-96729)
Assigned: | 2014-09-30
Published: | 2014-09-30
Updated: | 2017-09-08
Summary: | The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
CVSS v3 Severity: | 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
  3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
  3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Vulnerability Type: | CWE-399
Vulnerability Consequences: | Denial of Service
References: |
  Source: MITRE Type: CNA CVE-2014-7191
  Source: CCN Type: Node.js Web site node.js
  Source: CCN Type: RHSA-2016-1380 Moderate: nodejs010-node-gyp and nodejs010-nodejs-qs security and bug fix update
  Source: SECUNIA Type: UNKNOWN 60026
  Source: SECUNIA Type: UNKNOWN 62170
  Source: CONFIRM Type: UNKNOWN http://www-01.ibm.com/support/docview.wss?uid=swg21685987
  Source: CONFIRM Type: UNKNOWN http://www-01.ibm.com/support/docview.wss?uid=swg21687263
  Source: CONFIRM Type: UNKNOWN http://www-01.ibm.com/support/docview.wss?uid=swg21687928
  Source: CCN Type: IBM Security Bulletin 1690815 Multiple vulnerabilities in modules from the IBM SDK for Node.js affect the Cordova tools in IBM Rational Application Developer (CVE-2014-7191 and CVE-2014-7192)
  Source: CCN Type: IBM Security Bulletin 1685987 Current Release of IBM SDK for Node.js is affected by CVE-2014-7191
  Source: CCN Type: IBM Security Bulletin 1686792 Multiple vulnerabilities affecting the Cordova platform and IBM SDK Node.js packaged with Rational Software Architect and Rational Software Architect for WebSphere Software
  Source: CCN Type: IBM Security Bulletin 1687263 Security vulnerabilities in Node.js modules affect IBM Business Process Manager (BPM) Configuration Editor (CVE-2014-6394, CVE-2014-7191)
  Source: CCN Type: IBM Security Bulletin 1687928 Current Release of IBM SDK for Node.js in IBM Bluemix is affected by (CVE-2014-7191)
  Source: CCN Type: IBM Security Bulletin 1692460 Multiple vulnerabilities in modules from the IBM SDK for Node.js affect the Cordova tools packaged in Rational Developer for i Modernization Tools Java Edition and Rational Developer for AIX and Linux (CVE-2014-7191 and CVE-2014-7192)
  Source: CCN Type: oss-security Mailing List, Tue, 30 Sep 2014 00:53:42 -0400 (EDT) Re: CVE request: various NodeJS module vulnerabilities
  Source: CCN Type: BID-70113 Node.js qs Module Denial of Service Vulnerability
  Source: REDHAT Type: UNKNOWN RHSA-2016:1380
  Source: XF Type: UNKNOWN nodejs-cve20147191-dos(96729)
  Source: CONFIRM Type: Patch https://github.com/raymondfeng/node-querystring/commit/43a604b7847e56bba49d0ce3e222fe89569354d8
  Source: CONFIRM Type: UNKNOWN https://github.com/visionmedia/node-querystring/issues/104
  Source: CCN Type: Node Security Web site qs Denial-of-Service Extended Event Loop Blocking
  Source: CONFIRM Type: UNKNOWN https://nodesecurity.io/advisories/qs_dos_memory_exhaustion
Vulnerable Configuration: | Configuration 1: Configuration CCN 1: Denotes that component is vulnerable