CVE-2014-7191

Priority
Description
The qs module before 1.0.0 in Node.js does not call the compact function
for array data, which allows remote attackers to cause a denial of service
(memory consumption) by using a large index value to create a sparse array.
Ubuntu-Description
It was discovered that the qs module in Node.js incorrectly handled inputs. A
remote attacker could possibly use this issue to cause a denial of service.
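Added example, not taken from the qs or node-querystring source: a constructed, simplified bracket-index parser showing how a single large index produces a sparse array whose length drives downstream cost, and how compacting the array removes the holes. The names parseIndexed, compact and serializedSize and the sample query are assumptions made for this illustration.

```javascript
// Constructed illustration; NOT the qs / node-querystring source.
// parseIndexed, compact and serializedSize are hypothetical names.

// Naive parser: "a[5]=x" is stored at index 5 of array "a".
function parseIndexed(query) {
  const out = Object.create(null);
  for (const pair of query.split('&')) {
    const m = /^([^\[=]+)\[(\d+)\]=(.*)$/.exec(pair);
    if (!m) continue;
    const [, key, idx, val] = m;
    if (!out[key]) out[key] = [];
    out[key][Number(idx)] = decodeURIComponent(val); // length becomes idx + 1
  }
  return out;
}

// Rebuild every array without holes, so its length equals the number
// of values actually supplied rather than the highest index seen.
function compact(value) {
  if (Array.isArray(value)) {
    const dense = [];
    // Object.keys lists only indices that exist; holes are skipped.
    for (const k of Object.keys(value)) dense.push(compact(value[k]));
    return dense;
  }
  if (value !== null && typeof value === 'object') {
    for (const k of Object.keys(value)) value[k] = compact(value[k]);
  }
  return value;
}

// Stand-in for downstream work that scales with array length:
// JSON.stringify writes "null" for every hole.
function serializedSize(obj) {
  return JSON.stringify(obj).length;
}

// Constructed sample input: two values, one at a large index.
const SAMPLE = 'a[0]=x&a[100000]=y';

const sparse = parseIndexed(SAMPLE);
const dense = compact(parseIndexed(SAMPLE));
console.log('without compact:', sparse.a.length, 'slots,', serializedSize(sparse), 'bytes serialized');
console.log('with compact:   ', dense.a.length, 'slots,', serializedSize(dense), 'bytes serialized');
```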
Notes
ebarretto: This issue is actually for node-querystring.
Somewhere along the line node-qs was born or forked from
node-querystring which was deprecated. But now there are again
new projects called querystring. Be careful when updating.
Trusty's version is actually based on node-querystring.
Package
Upstream: released (1.0.0)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): needed
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (2.2.4-1)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (2.2.4-1)
Ubuntu 19.10 (Eoan Ermine): not-affected (2.2.4-1)
Ubuntu 20.04 (Focal Fossa): not-affected (2.2.4-1)
Patches:
Upstream: https://github.com/tj/node-querystring/pull/114/commits/43a604b7847e56bba49d0ce3e222fe89569354d8
Updated: 2020-04-24 03:17:23 UTC (commit d3f8a6ed481830fb100109a132bef581fc4176fe)