ID CVE-2015-8858
Summary The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."
References
Vulnerable Configurations
  • cpe:2.3:a:uglifyjs_project:uglifyjs:*:*:*:*:*:node.js:*:*
CVSS
Base: 7.8 (as of 02-03-2017 - 02:59)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
Vector NETWORK
Complexity LOW
Authentication NONE
Impact
Confidentiality NONE
Integrity NONE
Availability COMPLETE
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:C
refmap via4
bid 96409
confirm https://nodesecurity.io/advisories/48
mlist [oss-security] 20160420 various vulnerabilities in Node.js packages
Last major update 02-03-2017 - 02:59
Published 23-01-2017 - 21:59
Last modified 02-03-2017 - 02:59