Candidate: CVE-2014-7191
PublicDate: 2014-10-19 01:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7191
 https://github.com/raymondfeng/node-querystring/commit/43a604b7847e56bba49d0ce3e222fe89569354d8
 https://nodesecurity.io/advisories/qs_dos_memory_exhaustion
Description:
 The qs module before 1.0.0 in Node.js does not call the compact function
 for array data, which allows remote attackers to cause a denial of service
 (memory consumption) by using a large index value to create a sparse array.
Ubuntu-Description:
 It was discovered that the qs module in Node.js incorrectly handled inputs.
 A remote attacker could possibly use this issue to cause a denial of
 service.
Notes:
 ebarretto> This issue is actually for node-querystring.
 ebarretto> Somewhere along the line node-qs was born or forked from
 ebarretto> node-querystring which was deprecated. But now there are again
 ebarretto> new projects called querystring. Be careful when updating.
 ebarretto> Trusty's version is actually based on node-querystring.
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_node-qs:
 upstream: https://github.com/tj/node-querystring/pull/114/commits/43a604b7847e56bba49d0ce3e222fe89569354d8
upstream_node-qs: released (1.0.0)
lucid_node-qs: DNE
precise_node-qs: DNE
precise/esm_node-qs: DNE
trusty_node-qs: ignored (out of standard support)
trusty/esm_node-qs: needed
utopic_node-qs: ignored (reached end-of-life)
vivid_node-qs: ignored (reached end-of-life)
vivid/stable-phone-overlay_node-qs: DNE
vivid/ubuntu-core_node-qs: DNE
wily_node-qs: ignored (reached end-of-life)
xenial_node-qs: not-affected (2.2.4-1)
yakkety_node-qs: ignored (reached end-of-life)
zesty_node-qs: ignored (reached end-of-life)
artful_node-qs: ignored (reached end-of-life)
bionic_node-qs: not-affected (2.2.4-1)
cosmic_node-qs: not-affected (2.2.4-1)
disco_node-qs: not-affected (2.2.4-1)
eoan_node-qs: not-affected (2.2.4-1)
focal_node-qs: not-affected (2.2.4-1)
groovy_node-qs: not-affected (2.2.4-1)
hirsute_node-qs: not-affected (2.2.4-1)
impish_node-qs: not-affected (2.2.4-1)
jammy_node-qs: not-affected (2.2.4-1)
devel_node-qs: not-affected (2.2.4-1)