cnvd - cnvd-2018-25045

CNVD-2018-25045

Vulnerability from cnvd - Published: 2018-12-11

Title

Useragent拒绝服务漏洞

Description

Useragent是一款通过使用专用的正则表达式进行浏览器匹配从而解析用户代理字符串的用户代理解析器。 Useragent 2.1.12及之前版本中存在安全漏洞，该漏洞源于程序使用正则表达式来解析用户代理包头。攻击者可通过将其自己的包头编辑成任意长度的用户代理字符串利用该漏洞造成拒绝服务。

Severity

中

Patch Name

Useragent拒绝服务漏洞的补丁

Patch Description

Useragent是一款通过使用专用的正则表达式进行浏览器匹配从而解析用户代理字符串的用户代理解析器。 Useragent 2.1.12及之前版本中存在安全漏洞，该漏洞源于程序使用正则表达式来解析用户代理包头。攻击者可通过将其自己的包头编辑成任意长度的用户代理字符串利用该漏洞造成拒绝服务。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://www.npmjs.com/package/useragent

Reference

https://nodesecurity.io/advisories/312

Impacted products

Name
Useragent Useragent <2.1.12

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-16030",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16030"
    }
  },
  "description": "Useragent\u662f\u4e00\u6b3e\u901a\u8fc7\u4f7f\u7528\u4e13\u7528\u7684\u6b63\u5219\u8868\u8fbe\u5f0f\u8fdb\u884c\u6d4f\u89c8\u5668\u5339\u914d\u4ece\u800c\u89e3\u6790\u7528\u6237\u4ee3\u7406\u5b57\u7b26\u4e32\u7684\u7528\u6237\u4ee3\u7406\u89e3\u6790\u5668\u3002\n\nUseragent 2.1.12\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4f7f\u7528\u6b63\u5219\u8868\u8fbe\u5f0f\u6765\u89e3\u6790\u7528\u6237\u4ee3\u7406\u5305\u5934\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5c06\u5176\u81ea\u5df1\u7684\u5305\u5934\u7f16\u8f91\u6210\u4efb\u610f\u957f\u5ea6\u7684\u7528\u6237\u4ee3\u7406\u5b57\u7b26\u4e32\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002",
  "discovererName": "unknwon",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://www.npmjs.com/package/useragent",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-25045",
  "openTime": "2018-12-11",
  "patchDescription": "Useragent\u662f\u4e00\u6b3e\u901a\u8fc7\u4f7f\u7528\u4e13\u7528\u7684\u6b63\u5219\u8868\u8fbe\u5f0f\u8fdb\u884c\u6d4f\u89c8\u5668\u5339\u914d\u4ece\u800c\u89e3\u6790\u7528\u6237\u4ee3\u7406\u5b57\u7b26\u4e32\u7684\u7528\u6237\u4ee3\u7406\u89e3\u6790\u5668\u3002\r\n\r\nUseragent 2.1.12\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4f7f\u7528\u6b63\u5219\u8868\u8fbe\u5f0f\u6765\u89e3\u6790\u7528\u6237\u4ee3\u7406\u5305\u5934\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5c06\u5176\u81ea\u5df1\u7684\u5305\u5934\u7f16\u8f91\u6210\u4efb\u610f\u957f\u5ea6\u7684\u7528\u6237\u4ee3\u7406\u5b57\u7b26\u4e32\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Useragent\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Useragent Useragent \u003c2.1.12"
  },
  "referenceLink": "https://nodesecurity.io/advisories/312",
  "serverity": "\u4e2d",
  "submitTime": "2018-06-15",
  "title": "Useragent\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

CVE-2017-16030 (GCVE-0-2017-16030)

Vulnerability from cvelistv5 – Published: 2018-06-04 19:00 – Updated: 2024-09-17 00:41

Summary

Useragent is used to parse useragent headers. It uses several regular expressions to accomplish this. An attacker could edit their own headers, creating an arbitrarily long useragent string, causing the event loop and server to block. This affects Useragent 2.1.12 and earlier.

Severity ?

No CVSS data available.

CWE

CWE-400 - Denial of Service (CWE-400)

Assigner

hackerone

References

URL

Tags

https://nodesecurity.io/advisories/312

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	HackerOne	useragent node module	Affected: <=2.1.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T20:13:06.694Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://nodesecurity.io/advisories/312"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "useragent node module",
          "vendor": "HackerOne",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c=2.1.12"
            }
          ]
        }
      ],
      "datePublic": "2018-04-26T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Useragent is used to parse useragent headers. It uses several regular expressions to accomplish this. An attacker could edit their own headers, creating an arbitrarily long useragent string, causing the event loop and server to block. This affects Useragent 2.1.12 and earlier."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "Denial of Service (CWE-400)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-04T18:57:01",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://nodesecurity.io/advisories/312"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "DATE_PUBLIC": "2018-04-26T00:00:00",
          "ID": "CVE-2017-16030",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "useragent node module",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c=2.1.12"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "HackerOne"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Useragent is used to parse useragent headers. It uses several regular expressions to accomplish this. An attacker could edit their own headers, creating an arbitrarily long useragent string, causing the event loop and server to block. This affects Useragent 2.1.12 and earlier."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Denial of Service (CWE-400)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://nodesecurity.io/advisories/312",
              "refsource": "MISC",
              "url": "https://nodesecurity.io/advisories/312"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2017-16030",
    "datePublished": "2018-06-04T19:00:00Z",
    "dateReserved": "2017-10-29T00:00:00",
    "dateUpdated": "2024-09-17T00:41:28.696Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-25045

CVE-2017-16030 (GCVE-0-2017-16030)

Tags

Sightings

Nomenclature