CVE-2019-5737
Published: 28 March 2019
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.
From the Ubuntu Security Team
Marco Pracucci discovered that Node.js mishandled HTTP and HTTPS connections. An attacker could use this vulnerability to cause a denial of service.
Priority
Status
Package | Release | Status |
---|---|---|
nodejs Launchpad, Ubuntu, Debian |
cosmic |
Ignored
(end of life)
|
disco |
Released
(10.15.2~dfsg-1)
|
|
eoan |
Not vulnerable
(10.15.2~dfsg-1)
|
|
focal |
Not vulnerable
(10.15.2~dfsg-1)
|
|
trusty |
Not vulnerable
(code not present)
|
|
upstream |
Released
(10.15.2~dfsg-1)
|
|
xenial |
Needed
|
|
bionic |
Released
(8.10.0~dfsg-2ubuntu0.4+esm1)
Available with Ubuntu Pro |
|
groovy |
Not vulnerable
(10.15.2~dfsg-1)
|
|
hirsute |
Not vulnerable
(10.15.2~dfsg-1)
|
|
impish |
Not vulnerable
(10.15.2~dfsg-1)
|
|
jammy |
Not vulnerable
(10.15.2~dfsg-1)
|
|
kinetic |
Not vulnerable
(10.15.2~dfsg-1)
|
|
lunar |
Not vulnerable
(10.15.2~dfsg-1)
|
|
mantic |
Not vulnerable
(10.15.2~dfsg-1)
|
|
Patches: upstream: https://github.com/nodejs/node/commit/b13b4a9ffb |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |