Candidate: CVE-2017-16129
PublicDate: 2018-06-07 02:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16129
 https://github.com/visionmedia/superagent/issues/1259
 https://nodesecurity.io/advisories/479
Description:
 The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a
 ZIP bomb attack, the HTTP server replies with a compressed response that
 becomes several orders of magnitude larger once uncompressed. If a client
 does not take special care when processing such responses (for example by
 capping the decompressed size), decoding may result in excessive CPU and/or
 memory consumption. An attacker might exploit such a weakness for a DoS
 attack. To exploit this, the attacker must control the location (URL) that
 superagent makes a request to.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by: Kornel Lesiński
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H [5.9 MEDIUM]

Patches_node-superagent:
upstream_node-superagent: released (1.8.0-beta.1)
precise/esm_node-superagent: DNE
trusty_node-superagent: ignored (out of standard support)
trusty/esm_node-superagent: DNE
xenial_node-superagent: ignored (end of standard support, was needed)
bionic_node-superagent: needed
focal_node-superagent: not-affected (5.2.2-1)
groovy_node-superagent: not-affected
hirsute_node-superagent: not-affected
impish_node-superagent: not-affected
jammy_node-superagent: not-affected
devel_node-superagent: not-affected