Vulnerability Name:CVE-2020-15168 (CCN-188155)

Assigned:2020-09-10
Published:2020-09-10
Updated:2020-09-17
Summary:node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example, if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
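The mitigation the summary points at is to enforce the byte limit in the caller rather than trusting the client's size option. The following is an added example, not node-fetch's own code or the advisory's: it counts bytes as the body streams and rejects the response as soon as the limit is exceeded, so the gate holds regardless of how many redirects the client followed. The fetchImpl parameter, fakeResponse/fakeFetch stand-ins, the example.invalid URLs and the payloads are all constructed for the demonstration; any fetch-compatible function (node-fetch, global fetch) can be passed as fetchImpl.

```javascript
// Added example (not node-fetch's code): gate a fetched body on actual bytes read,
// independently of the client's own size option and of any redirects it followed.

class SizeLimitError extends Error {
  constructor(limit, seen) {
    super(`content size of ${seen} bytes exceeds limit of ${limit} bytes`);
    this.name = 'SizeLimitError';
    this.code = 'max-size'; // same code node-fetch uses for its own FetchError size check
  }
}

// Consume any async-iterable body (a Node Readable such as node-fetch's res.body, or a
// constructed generator) into one Buffer, throwing as soon as more than maxBytes arrive.
// Counting the bytes actually read means a missing or understated Content-Length
// header cannot bypass the limit.
async function readBodyWithLimit(body, maxBytes) {
  const chunks = [];
  let seen = 0;
  for await (const chunk of body) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    seen += buf.length;
    if (seen > maxBytes) {
      if (typeof body.destroy === 'function') body.destroy(); // stop draining the socket
      throw new SizeLimitError(maxBytes, seen);
    }
    chunks.push(buf);
  }
  return Buffer.concat(chunks);
}

// fetchImpl is a hypothetical parameter: any fetch-compatible function. It is injected so
// the example runs offline against a stand-in; in production pass node-fetch or global fetch.
async function fetchLimited(fetchImpl, url, maxBytes, init = {}) {
  const res = await fetchImpl(url, init);
  // Cheap first gate on the declared length; the byte count in readBodyWithLimit is the
  // authoritative one, because the header may be absent or wrong.
  const declared = Number(res.headers.get('content-length'));
  if (Number.isFinite(declared) && declared > maxBytes) {
    if (res.body && typeof res.body.destroy === 'function') res.body.destroy();
    throw new SizeLimitError(maxBytes, declared);
  }
  const data = await readBodyWithLimit(res.body, maxBytes);
  return { status: res.status, url: res.url, data };
}

// Constructed stand-in for the final response after a redirect: a body that streams in
// chunks, with an optional Content-Length that may be absent or understated.
function fakeResponse(chunks, contentLength) {
  const headers = new Map(); // Map.get returns undefined when absent, like Headers.get returns null
  if (contentLength !== undefined) headers.set('content-length', String(contentLength));
  async function* body() { for (const c of chunks) yield Buffer.from(c); }
  return { status: 200, url: 'https://example.invalid/after-redirect', headers, body: body() };
}

// Constructed fetch stand-in that "followed a redirect" and hands back the final hop.
function fakeFetch(chunks, contentLength) {
  return async () => fakeResponse(chunks, contentLength);
}

// Runs four scenarios against a byte limit and returns a verdict per scenario,
// so callers (and tests) can see which gate fired.
async function runScenarios(maxBytes) {
  const cases = {
    small: fakeFetch(['hello'], 5),                        // within limit, honest header
    declaredTooBig: fakeFetch(['x'.repeat(64)], 64),       // header gate rejects before reading
    undeclaredTooBig: fakeFetch(['aaaa', 'bbbb', 'cccc']), // no Content-Length at all
    lyingHeader: fakeFetch(['aaaa', 'bbbb', 'cccc'], 4),   // header understates the body
  };
  const out = {};
  for (const [name, f] of Object.entries(cases)) {
    try {
      const { data } = await fetchLimited(f, 'https://example.invalid/start', maxBytes);
      out[name] = `ok:${data.length}`;
    } catch (e) {
      out[name] = e instanceof SizeLimitError ? `rejected:${e.code}` : `error:${e.message}`;
    }
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  runScenarios(10).then((r) => console.log(r));
}
```

With a 10-byte limit, only the small response is accepted; the oversized response with an honest header is rejected on the header alone, and the two oversized responses with a missing or understated header are rejected by the byte counter after the third chunk, which is the case node-fetch's own size option missed after a redirect.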
CVSS v3 Severity:5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Low
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type:CWE-770
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2020-15168

Source: XF
Type: UNKNOWN
nodejs-cve202015168-dos(188155)

Source: CCN
Type: node-fetch GIT Repository
The size option isn't honored after following a redirect

Source: CONFIRM
Type: Third Party Advisory
https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r

Source: CCN
Type: IBM Security Bulletin 6350659 (Cloud Pak for Multicloud Management)
A security vulnerability in Node.js node-fetch module affects IBM Cloud Pak for Multicloud Management Infrastructure Management and Managed Service.

Source: CCN
Type: IBM Security Bulletin 6364969 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js

Source: CCN
Type: IBM Security Bulletin 6369151 (App Connect Enterprise Certified Container)
App Connect Enterprise Certified Container Dashboard is vulnerable to (CVE-2020-15168)

Source: CCN
Type: IBM Security Bulletin 6373026 (Cloud Automation Manager)
A security vulnerability in Node.js node-fetch module affects IBM Cloud Automation Manager

Source: CCN
Type: IBM Security Bulletin 6382878 (Cloud Pak for Automation)
Multiple vulnerabilities in middleware software affect IBM Cloud Pak for Automation

Source: CCN
Type: IBM Security Bulletin 6397690 (App Connect Enterprise)
Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2020-15168)

Source: CCN
Type: IBM Security Bulletin 6403463 (Security Guardium Insights)
IBM Security Guardium Insights is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6438031 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is affected by Node.js vulnerability

Source: CCN
Type: IBM Security Bulletin 6505283 (Cloud Pak for Security)
IBM Security Risk Manager on CP4S is affected by multiple vulnerabilities (CVE-2020-15168, CVE-2021-29912)

Source: CCN
Type: IBM Security Bulletin 6529200 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to CVEs

Source: CCN
Type: IBM Security Bulletin 6575667 (Spectrum Discover)
High severity vulnerabilities in libraries used by IBM Spectrum Discover (libraries of libraries)

Source: CCN
Type: IBM Security Bulletin 6589581 (Security QRadar Analyst Workflow)
Node.js as used by IBM Security QRadar Analyst Workflow App for IBM QRadar SIEM is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6590981 (QRadar Data Synchronization App)
IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6825871 (Tivoli Netcool/OMNIbus_GUI)
Multiple vulnerabilities in React, webpack and Node.js modules affect Tivoli Netcool/OMNIbus WebGUI

Source: CCN
Type: IBM Security Bulletin 6838293 (QRadar Assistant)
IBM QRadar Assistant app for IBM QRadar SIEM includes components with multiple known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6848225 (Netcool Operations Insight)
Netcool Operations Insight v1.6.7 contains fixes for multiple security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6956539 (MobileFirst Platform Foundation)
Multiple vulnerabilities found with third-party libraries used by IBM MobileFirst Platform

Source: CCN
Type: IBM Security Bulletin 6980799 (QRadar Data Synchronization App)
IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6988633 (InfoSphere Information Server)
IBM InfoSphere Information Server is affected by multiple vulnerabilities in Node.js (CVE-2022-0235,CVE-2020-15168)

Source: CCN
Type: IBM Security Bulletin 6997107 (Engineering Requirements Quality Assistant)
There are multiple vulnerabilities that affect IBM Engineering Requirements Quality Assistant On-Premises

Source: CCN
Type: NPM Web site
node-fetch

Source: MISC
Type: Product, Third Party Advisory
https://www.npmjs.com/package/node-fetch

Vulnerable Configuration:Configuration 1:
  • cpe:/a:node-fetch_project:node-fetch:*:*:*:*:*:node.js:*:* (Version < 2.6.1)
  • OR cpe:/a:node-fetch_project:node-fetch:3.0.0:beta1:*:*:*:node.js:*:*
  • OR cpe:/a:node-fetch_project:node-fetch:3.0.0:beta5:*:*:*:node.js:*:*
  • OR cpe:/a:node-fetch_project:node-fetch:3.0.0:beta6:*:*:*:node.js:*:*
  • OR cpe:/a:node-fetch_project:node-fetch:3.0.0:beta7:*:*:*:node.js:*:*
  • OR cpe:/a:node-fetch_project:node-fetch:3.0.0:beta8:*:*:*:node.js:*:*

Configuration CCN 1:
  • cpe:/a:nodejs:node.js:*:*:*:*:-:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:11.0.0.10:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_insights:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_qradar_analyst_workflow:1.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions
Definition ID                             | Class | Title                                                  | Last Modified
oval:org.opensuse.security:def:202015168  | V     | CVE-2020-15168                                         | 2022-05-22
oval:org.opensuse.security:def:67344      | P     | Security update for brotli (Moderate)                  | 2021-12-06
oval:org.opensuse.security:def:67348      | P     | Security update for openssh (Important)                | 2021-12-06
oval:org.opensuse.security:def:67447      | P     | Security update for SUSE Manager Server 4.1 (Important) | 2020-12-01
oval:org.opensuse.security:def:67443      | P     | Security update for SUSE Manager Proxy 4.1 (Moderate)  | 2020-12-01
oval:org.opensuse.security:def:95968      | P     | Security update for SUSE Manager Proxy 4.1 (Moderate)  | 2020-11-06
oval:org.opensuse.security:def:95974      | P     | Security update for SUSE Manager Server 4.1 (Important) | 2020-11-06