CVE-2024-21536 (GCVE-0-2024-21536)

Vulnerability from cvelistv5 – Published: 2024-10-19 05:00 – Updated: 2024-10-21 16:31
Summary
Versions of the package http-proxy-middleware before 2.0.7, and from 3.0.0 before 3.0.3, are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths. The version ranges below exclude 2.0.7 and 3.0.3, i.e. those are the fixed releases; the two upstream commits listed under references are the patches.
CWE
  • CWE-400 - Denial of Service (DoS)
Assigner
Impacted products
Vendor Product Version
n/a http-proxy-middleware Affected: from 0, before 2.0.7 (semver)
Affected: from 3.0.0, before 3.0.3 (semver)
Credits
Marc Hassan

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:chimurai:http-proxy-middleware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "http-proxy-middleware",
            "vendor": "chimurai",
            "versions": [
              {
                "lessThan": "2.0.7",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              },
              {
                "lessThan": "3.0.3",
                "status": "affected",
                "version": "3.0.0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21536",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-21T15:20:45.568615Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-21T16:31:29.125Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "http-proxy-middleware",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "2.0.7",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.0.3",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Marc Hassan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "Denial of Service (DoS)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-21T11:22:36.064Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "url": "https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906"
        },
        {
          "url": "https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a"
        },
        {
          "url": "https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22"
        },
        {
          "url": "https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2024-21536",
    "datePublished": "2024-10-19T05:00:04.056Z",
    "dateReserved": "2023-12-22T12:33:20.123Z",
    "dateUpdated": "2024-10-21T16:31:29.125Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:chimurai:http-proxy-middleware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.0.7\", \"matchCriteriaId\": \"A1C31D2C-0CB7-4D28-8658-42632A65F7F3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:chimurai:http-proxy-middleware:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.0.0\", \"versionEndExcluding\": \"3.0.3\", \"matchCriteriaId\": \"A89EB4F5-1978-4172-A52D-8504F87E110E\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.\"}, {\"lang\": \"es\", \"value\": \"Las versiones del paquete http-proxy-middleware anteriores a la 2.0.7, a la 3.0.0 y a la 3.0.3 es vulnerable a un ataque de denegaci\\u00f3n de servicio (DoS) debido a un error UnhandledPromiseRejection generado por micromatch. Un atacante podr\\u00eda matar el proceso Node.js y bloquear el servidor al realizar solicitudes a determinadas rutas.\"}]",
      "id": "CVE-2024-21536",
      "lastModified": "2024-11-01T18:03:15.897",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"report@snyk.io\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2024-10-19T05:15:13.097",
      "references": "[{\"url\": \"https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a\", \"source\": \"report@snyk.io\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5\", \"source\": \"report@snyk.io\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22\", \"source\": \"report@snyk.io\", \"tags\": [\"Patch\"]}, {\"url\": \"https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906\", \"source\": \"report@snyk.io\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "report@snyk.io",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"report@snyk.io\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-21536\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2024-10-19T05:15:13.097\",\"lastModified\":\"2024-11-01T18:03:15.897\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.\"},{\"lang\":\"es\",\"value\":\"Las versiones del paquete http-proxy-middleware anteriores a la 2.0.7, a la 3.0.0 y a la 3.0.3 es vulnerable a un ataque de denegaci\u00f3n de servicio (DoS) debido a un error UnhandledPromiseRejection generado por micromatch. Un atacante podr\u00eda matar el proceso Node.js y bloquear el servidor al realizar solicitudes a determinadas rutas.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"report@snyk.io\",\"type\"
:\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:chimurai:http-proxy-middleware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.0.7\",\"matchCriteriaId\":\"A1C31D2C-0CB7-4D28-8658-42632A65F7F3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:chimurai:http-proxy-middleware:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.0.3\",\"matchCriteriaId\":\"A89EB4F5-1978-4172-A52D-8504F87E110E\"}]}]}],\"references\":[{\"url\":\"https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5\",\"source\":\"report@snyk.io\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22\",\"source\":\"report@snyk.io\",\"tags\":[\"Patch\"]},{\"url\":\"https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906\",\"source\":\"report@snyk.io\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-21536\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-21T15:20:45.568615Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:chimurai:http-proxy-middleware:*:*:*:*:*:*:*:*\"], \"vendor\": \"chimurai\", \"product\": \"http-proxy-middleware\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.0.7\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"3.0.3\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-21T15:47:24.380Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"value\": \"Marc Hassan\"}], \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"n/a\", \"product\": \"http-proxy-middleware\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.0.7\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"3.0.3\", \"versionType\": \"semver\"}]}], \"references\": [{\"url\": \"https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906\"}, {\"url\": \"https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a\"}, {\"url\": 
\"https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22\"}, {\"url\": \"https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-400\", \"description\": \"Denial of Service (DoS)\"}]}], \"providerMetadata\": {\"orgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"shortName\": \"snyk\", \"dateUpdated\": \"2024-10-21T11:22:36.064Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-21536\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-21T16:31:29.125Z\", \"dateReserved\": \"2023-12-22T12:33:20.123Z\", \"assignerOrgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"datePublished\": \"2024-10-19T05:00:04.056Z\", \"assignerShortName\": \"snyk\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.