Vulnerabilities related to salesforce - tough-cookie
Vulnerability from fkie_nvd
Published
2023-07-01 05:15
Modified
2024-11-21 07:50
Severity
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (source: report@snyk.io, secondary)
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (source: nvd@nist.gov, primary)
Summary
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
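The summary points at object initialisation as the root cause, which is the classic CWE-1321 shape: a lookup table built from `{}` inherits `Object.prototype`, so a cookie whose Domain attribute is `__proto__` indexes into the shared prototype rather than a fresh bucket. The following is an added example, not tough-cookie's own code: it models a domain/path/name-indexed store in both shapes, with a small stand-in for the `rejectPublicSuffixes` gate (the suffix list and the store layout are assumptions for the demo; whether the referenced patch commit uses exactly this construction is not something this page states).

```javascript
// Added example, not code from tough-cookie: a constructed model of the
// CWE-1321 pattern the CVE summary describes (a cookie store indexed
// domain -> path -> name, where the buckets are plain object literals).
// The public-suffix gate and suffix list below are assumptions made for
// the demo; they stand in for the library's rejectPublicSuffixes option.

function makeStore(hardened) {
  // Vulnerable shape: `{}` inherits from Object.prototype, so the key
  // "__proto__" resolves to the shared prototype instead of a fresh bucket.
  // Hardened shape: null-prototype objects have no such inherited key.
  const bucket = hardened ? () => Object.create(null) : () => ({});
  const idx = bucket();
  return {
    put(domain, path, name, value) {
      if (!idx[domain]) idx[domain] = bucket();
      if (!idx[domain][path]) idx[domain][path] = bucket();
      idx[domain][path][name] = value;
    },
    get(domain, path, name) {
      const d = idx[domain];
      const p = d ? d[path] : undefined;
      return p ? p[name] : undefined;
    },
  };
}

// Assumed stand-in for rejectPublicSuffixes=true: a domain with no known
// public suffix (such as "__proto__") never reaches the store.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net"]);
function isRegistrableDomain(domain) {
  const labels = domain.toLowerCase().split(".");
  return labels.length >= 2 && PUBLIC_SUFFIXES.has(labels[labels.length - 1]);
}

function setCookie(store, { domain, path, name, value }, rejectPublicSuffixes = true) {
  if (rejectPublicSuffixes && !isRegistrableDomain(domain)) {
    throw new Error("rejected cookie domain: " + domain);
  }
  store.put(domain, path, name, value);
}

// Stores one attacker-shaped cookie with rejectPublicSuffixes=false and reports
// whether an unrelated object can now see it. Uses a random key and removes it
// afterwards so the process is not left polluted.
function pollutionProbe(hardened) {
  const store = makeStore(hardened);
  const marker = "/polluted-" + Math.random().toString(36).slice(2);
  try {
    setCookie(store, { domain: "__proto__", path: marker, name: "Auth", value: "x" }, false);
    const unrelated = {};
    return {
      storeStillWorks: store.get("__proto__", marker, "Auth") === "x",
      prototypePolluted: Object.prototype.hasOwnProperty.call(Object.prototype, marker),
      leakedValue: unrelated[marker] ? unrelated[marker].Auth : undefined,
    };
  } finally {
    delete Object.prototype[marker];
  }
}

console.log("plain-object store:", pollutionProbe(false));   // prototypePolluted: true
console.log("null-prototype store:", pollutionProbe(true));  // prototypePolluted: false
```

Two things are worth noticing when running it. With the default gate (`rejectPublicSuffixes=true`) the `__proto__` domain is refused before the store is touched, which is why the advisory scopes the issue to the `false` mode. With the gate off, only the null-prototype store keeps the attacker's key from landing on `Object.prototype`, and it still serves normal lookups, so the hardening costs nothing functionally.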
References
Impacted products
Vendor | Product | Version
---|---|---
salesforce | tough-cookie | * (versions before 4.1.3)
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:salesforce:tough-cookie:*:*:*:*:*:node.js:*:*", matchCriteriaId: "805B31A6-800B-42D8-80A1-91E31F7D69CA", versionEndExcluding: "4.1.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", }, ], id: "CVE-2023-26136", lastModified: "2024-11-21T07:50:51.107", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 2.5, source: "report@snyk.io", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-07-01T05:15:16.103", references: [ { source: "report@snyk.io", tags: [ "Patch", ], url: "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", }, { source: "report@snyk.io", tags: [ "Exploit", "Issue Tracking", "Vendor Advisory", ], url: "https://github.com/salesforce/tough-cookie/issues/282", }, { source: "report@snyk.io", tags: [ "Release Notes", ], url: 
"https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", }, { source: "report@snyk.io", url: "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", }, { source: "report@snyk.io", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", }, { source: "report@snyk.io", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", }, { source: "report@snyk.io", url: "https://security.netapp.com/advisory/ntap-20240621-0006/", }, { source: "report@snyk.io", tags: [ "Exploit", "Technical Description", "Third Party Advisory", ], url: "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Vendor Advisory", ], url: "https://github.com/salesforce/tough-cookie/issues/282", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://security.netapp.com/advisory/ntap-20240621-0006/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Technical Description", "Third 
Party Advisory", ], url: "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", }, ], sourceIdentifier: "report@snyk.io", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-1321", }, ], source: "report@snyk.io", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-1321", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-10-04 01:29
Modified
2024-11-21 03:13
Severity
5.0 (Medium) - AV:N/AC:L/Au:N/C:N/I:N/A:P (CVSS 2.0, source: nvd@nist.gov)
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (source: nvd@nist.gov)
Summary
A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.
References
Impacted products
Vendor | Product | Version
---|---|---
salesforce | tough-cookie | * (versions up to and including 2.3.2)
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:salesforce:tough-cookie:*:*:*:*:*:node.js:*:*", matchCriteriaId: "F06572BE-8433-4322-9E3A-4090793D5371", versionEndIncluding: "2.3.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.", }, { lang: "es", value: "Se detectó una vulnerabilidad de denegación de servicio con expresiones regulares (ReDoS) en el módulo tough-cookie en versiones anteriores a la 2.3.3 para Node.js. Un atacante que sea capaz de realizar una petición HTTP utilizando una cookie especialmente manipulada podría hacer que la aplicación consuma una cantidad excesiva de recursos de CPU.", }, ], id: "CVE-2017-15010", lastModified: "2024-11-21T03:13:55.787", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: 
"Primary", }, ], }, published: "2017-10-04T01:29:03.403", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/101185", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2912", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2913", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:1263", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:1264", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://github.com/salesforce/tough-cookie/issues/92", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT/", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://nodesecurity.io/advisories/525", }, { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://snyk.io/vuln/npm:tough-cookie:20170905", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/101185", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2912", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2913", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:1263", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:1264", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://github.com/salesforce/tough-cookie/issues/92", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://nodesecurity.io/advisories/525", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://snyk.io/vuln/npm:tough-cookie:20170905", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-400", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-09-05 17:29
Modified
2024-11-21 02:43
Severity
5.0 (Medium) - AV:N/AC:L/Au:N/C:N/I:N/A:P (CVSS 2.0, source: nvd@nist.gov)
5.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (source: nvd@nist.gov)
Summary
NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appears to be exploitable via a custom HTTP header passed by the client. This vulnerability appears to have been fixed in 2.3.0.
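Both ReDoS entries on this page (CVE-2017-15010 above and this one) describe the same bug class: a cookie header, which any client controls, fed to a backtracking regular expression whose running time is superlinear in the header length. The block below is an added example and not tough-cookie's code; the regex in it is a constructed illustration of the pattern class (a lazy group followed by an overlapping `\s*` and an end anchor), not the expression that shipped in any tough-cookie release, and the 4096-byte cap is an assumed operational bound. It puts that regex next to a linear-time scanner written in the shape of RFC 6265 section 5.2 and times both on a crafted input.

```javascript
// Added example, not tough-cookie's code: the ReDoS bug class behind the two
// cookie-parsing advisories, as a constructed backtracking regex next to a
// linear-time scanner. VULN_PAIR_RE is an ASSUMED illustration of the pattern
// class; it is not the expression that shipped in any tough-cookie release.
const VULN_PAIR_RE = /^\s*([^=;]+?)\s*=\s*(.*?)\s*$/;

// Assumed operational bound: reject oversized input before any parsing.
const MAX_COOKIE_LEN = 4096;

// Regex-based name=value split of the leading cookie-pair segment. On input
// of the form "a=x" + N spaces + "y" the lazy (.*?) and the trailing \s*$
// re-scan the spaces for every candidate split: roughly N^2/2 steps.
function parsePairRegex(setCookie) {
  const segment = setCookie.split(";", 1)[0];
  const m = VULN_PAIR_RE.exec(segment);
  return m ? { name: m[1], value: m[2] } : null;
}

// Linear-time Set-Cookie parse in the shape of RFC 6265 section 5.2: one
// forward scan with indexOf/slice/trim, no backtracking, length-capped.
// Returns null for input the RFC says to ignore (no "=", empty name) and
// for input over the cap.
function parseSetCookieLinear(setCookie) {
  if (typeof setCookie !== "string" || setCookie.length > MAX_COOKIE_LEN) return null;
  const semi = setCookie.indexOf(";");
  const pair = semi === -1 ? setCookie : setCookie.slice(0, semi);
  const eq = pair.indexOf("=");
  if (eq === -1) return null;
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  if (name.length === 0) return null;
  const attrs = {};
  if (semi !== -1) {
    for (const av of setCookie.slice(semi + 1).split(";")) {
      const k = av.indexOf("=");
      const attrName = (k === -1 ? av : av.slice(0, k)).trim().toLowerCase();
      const attrValue = k === -1 ? "" : av.slice(k + 1).trim();
      if (attrName) attrs[attrName] = attrValue;
    }
  }
  return { name, value, attrs };
}

// Crafted segment that makes the regex above backtrack quadratically.
function craftedPair(n) {
  return "a=x" + " ".repeat(n) + "y";
}

function timeMs(fn) {
  const t0 = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Wall-clock comparison for growing N: the regex column grows roughly 4x per
// doubling of N, the linear column stays flat (and anything over
// MAX_COOKIE_LEN is refused before the scan starts).
function benchmark(sizes) {
  return sizes.map((n) => {
    const input = craftedPair(n);
    return {
      n,
      regexMs: timeMs(() => parsePairRegex(input)),
      linearMs: timeMs(() => parseSetCookieLinear(input)),
    };
  });
}

console.table(benchmark([1000, 2000, 4000]));
```

The practical takeaways are the ones the two advisories imply: parse client-supplied headers with a single forward scan rather than a regex that can backtrack over the same characters, and enforce a length cap at the edge so that even a quadratic parser has a bounded worst case.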
References
Impacted products
Vendor | Product | Version
---|---|---
salesforce | tough-cookie | * (0.9.7 up to and including 2.2.2)
ibm | api_connect | * (5.0.6.0 up to and including 5.0.6.5)
ibm | api_connect | * (5.0.7.0 up to and including 5.0.7.2)
ibm | api_connect | 5.0.8.0
redhat | openshift_container_platform | 3.1
redhat | openshift_container_platform | 3.2
redhat | openshift_container_platform | 3.3
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:salesforce:tough-cookie:*:*:*:*:*:node.js:*:*", matchCriteriaId: "9B7EC26C-C544-47C3-B87E-2971A5DB375B", versionEndIncluding: "2.2.2", versionStartIncluding: "0.9.7", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:ibm:api_connect:*:*:*:*:*:*:*:*", matchCriteriaId: "A3CA4E58-A2AE-4C86-AB58-207672DF824B", versionEndIncluding: "5.0.6.5", versionStartIncluding: "5.0.6.0", vulnerable: true, }, { criteria: "cpe:2.3:a:ibm:api_connect:*:*:*:*:*:*:*:*", matchCriteriaId: "7D9A18C2-9C5D-4C3D-9552-FF45BC4C55F4", versionEndIncluding: "5.0.7.2", versionStartIncluding: "5.0.7.0", vulnerable: true, }, { criteria: "cpe:2.3:a:ibm:api_connect:5.0.8.0:*:*:*:*:*:*:*", matchCriteriaId: "3282F566-5B1F-4F9C-97BE-5DCD2204F7D0", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform:3.1:*:*:*:*:*:*:*", matchCriteriaId: "93E3194E-7082-4E21-867B-FB4ECF482A07", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform:3.2:*:*:*:*:*:*:*", matchCriteriaId: "C10044B3-FBB1-4031-9060-D3A2915B164C", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform:3.3:*:*:*:*:*:*:*", matchCriteriaId: "EA3ADA26-2B9E-4ABA-A224-910BD75CCE00", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.", }, { lang: "es", value: "NodeJS Tough-Cookie 2.2.2 contiene una vulnerabilidad de análisis de expresiones regulares en el análisis de la cabecera de cookie de petición HTTP que puede resultar en una denegación de servicio (DoS). 
Este ataque parece ser explotable mediante una cabecera HTTP personalizada pasada por el cliente. La vulnerabilidad parece haber sido solucionada en la versión 2.3.0.", }, ], id: "CVE-2016-1000232", lastModified: "2024-11-21T02:43:01.457", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-09-05T17:29:00.373", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2016:2101", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2912", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/security/cve/cve-2016-1000232", }, { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae", }, { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534", }, { source: 
"cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://www.npmjs.com/advisories/130", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2016:2101", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2912", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/security/cve/cve-2016-1000232", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.npmjs.com/advisories/130", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
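Taken together, the three NVD configuration blocks above give three affected ranges for tough-cookie: before 4.1.3 (CVE-2023-26136), up to and including 2.3.2 (CVE-2017-15010), and 0.9.7 up to and including 2.2.2 (CVE-2016-1000232). Because tough-cookie is usually pulled in transitively, the useful check is over the whole installed tree, not just direct dependencies. The script below is an added example (not part of any advisory): it walks the JSON that `npm ls tough-cookie --all --json` prints (npm 7 or later is assumed for `--all`), compares each installed copy against those ranges with a small numeric semver comparison, and reports the path to every hit. The dependency tree in it is constructed sample data, not a real project.

```javascript
// Added example, not part of the advisories: flag installed tough-cookie
// versions in an npm dependency tree against the three affected ranges
// recorded in the NVD entries above. Input shape is the JSON printed by
// `npm ls tough-cookie --all --json` (assumes npm 7+); SAMPLE_TREE below is
// CONSTRUCTED sample data, not a real project.

// Ranges exactly as the NVD configurations state them.
const ADVISORIES = [
  { id: "CVE-2023-26136", cwe: "CWE-1321", range: { lt: "4.1.3" } },
  { id: "CVE-2017-15010", cwe: "CWE-400", range: { lte: "2.3.2" } },
  { id: "CVE-2016-1000232", cwe: "CWE-20", range: { gte: "0.9.7", lte: "2.2.2" } },
];

// Minimal major.minor.patch comparison. A pre-release suffix is stripped and
// the version treated as the release it precedes, which errs on the side of
// flagging (e.g. 4.1.3-beta.1 is NOT treated as fixed).
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function inRange(version, r) {
  if (r.lt !== undefined && cmpVersion(version, r.lt) >= 0) return false;
  if (r.lte !== undefined && cmpVersion(version, r.lte) > 0) return false;
  if (r.gte !== undefined && cmpVersion(version, r.gte) < 0) return false;
  return true;
}

// Walk the nested `dependencies` maps, recording every installed copy of
// tough-cookie together with its path and the advisories whose range it hits.
// Entries npm marks as deduped carry no `version` and are skipped.
function auditTree(tree) {
  const findings = [];
  (function walk(node, path) {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = [...path, name + "@" + (dep.version || "deduped")];
      if (name === "tough-cookie" && dep.version) {
        const hits = ADVISORIES.filter((a) => inRange(dep.version, a.range)).map((a) => a.id);
        if (hits.length) findings.push({ version: dep.version, path: here.join(" > "), advisories: hits });
      }
      walk(dep, here);
    }
  })(tree, []);
  return findings;
}

// Constructed sample tree: two stale transitive copies and one fixed direct one.
const SAMPLE_TREE = {
  name: "sample-app",
  version: "1.0.0",
  dependencies: {
    "legacy-http-client": { version: "2.88.0", dependencies: { "tough-cookie": { version: "2.5.0" } } },
    "old-scraper": { version: "0.1.0", dependencies: { "tough-cookie": { version: "2.2.2" } } },
    "tough-cookie": { version: "4.1.3" },
  },
};

for (const f of auditTree(SAMPLE_TREE)) {
  console.log(f.path + "  ->  " + f.advisories.join(", "));
}
```

Running it on the sample tree reports the 2.5.0 copy against CVE-2023-26136 only and the 2.2.2 copy against all three, while the direct 4.1.3 dependency is clean. That split is the point: upgrading the direct dependency does nothing for the copies nested under other packages, which need an override or an upgrade of the parent.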
cve-2017-15010
Vulnerability from cvelistv5
Published
2017-10-03 16:00
Modified
2024-08-05 19:42
Severity
EPSS score
Summary
A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.
References
URL | Tags
---|---
https://access.redhat.com/errata/RHSA-2017:2913 | vendor-advisory, x_refsource_REDHAT
https://nodesecurity.io/advisories/525 | x_refsource_CONFIRM
http://www.securityfocus.com/bid/101185 | vdb-entry, x_refsource_BID
https://access.redhat.com/errata/RHSA-2018:1264 | vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:2912 | vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:1263 | vendor-advisory, x_refsource_REDHAT
https://github.com/salesforce/tough-cookie/issues/92 | x_refsource_CONFIRM
https://snyk.io/vuln/npm:tough-cookie:20170905 | x_refsource_CONFIRM
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT/ | vendor-advisory, x_refsource_FEDORA
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T19:42:22.357Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2017:2913", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2913", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://nodesecurity.io/advisories/525", }, { name: "101185", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/101185", }, { name: "RHSA-2018:1264", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:1264", }, { name: "RHSA-2017:2912", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2912", }, { name: "RHSA-2018:1263", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:1263", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/salesforce/tough-cookie/issues/92", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://snyk.io/vuln/npm:tough-cookie:20170905", }, { name: "FEDORA-2019-76f1b57c1c", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-10-03T00:00:00", descriptions: [ { lang: "en", value: "A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. 
An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-06-12T16:06:06", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "RHSA-2017:2913", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2913", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://nodesecurity.io/advisories/525", }, { name: "101185", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/101185", }, { name: "RHSA-2018:1264", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:1264", }, { name: "RHSA-2017:2912", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2912", }, { name: "RHSA-2018:1263", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:1263", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/salesforce/tough-cookie/issues/92", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://snyk.io/vuln/npm:tough-cookie:20170905", }, { name: "FEDORA-2019-76f1b57c1c", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT/", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-15010", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A ReDoS (regular 
expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2017:2913", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2913", }, { name: "https://nodesecurity.io/advisories/525", refsource: "CONFIRM", url: "https://nodesecurity.io/advisories/525", }, { name: "101185", refsource: "BID", url: "http://www.securityfocus.com/bid/101185", }, { name: "RHSA-2018:1264", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:1264", }, { name: "RHSA-2017:2912", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2912", }, { name: "RHSA-2018:1263", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:1263", }, { name: "https://github.com/salesforce/tough-cookie/issues/92", refsource: "CONFIRM", url: "https://github.com/salesforce/tough-cookie/issues/92", }, { name: "https://snyk.io/vuln/npm:tough-cookie:20170905", refsource: "CONFIRM", url: "https://snyk.io/vuln/npm:tough-cookie:20170905", }, { name: "FEDORA-2019-76f1b57c1c", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-15010", datePublished: "2017-10-03T16:00:00", dateReserved: "2017-10-03T00:00:00", dateUpdated: "2024-08-05T19:42:22.357Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-26136
Vulnerability from cvelistv5
Published
2023-07-01 05:00
Modified
2025-02-13 16:44
Severity
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P (CNA: snyk)
SSVC (CISA ADP, 2024-12-03): Exploitation: poc; Automatable: yes; Technical Impact: partial
EPSS score
Summary
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
References
Impacted products
Vendor | Product | Version
---|---|---
n/a | tough-cookie | 0 ≤ version < 4.1.3 (semver)
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T11:39:06.610Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", }, { tags: [ "x_transferred", ], url: "https://github.com/salesforce/tough-cookie/issues/282", }, { tags: [ "x_transferred", ], url: "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", }, { tags: [ "x_transferred", ], url: "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", }, { tags: [ "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20240621-0006/", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-26136", options: [ { Exploitation: "poc", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-12-03T15:18:13.241267Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-12-03T15:20:09.362Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "tough-cookie", vendor: "n/a", versions: [ { lessThan: "4.1.3", status: "affected", version: "0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "Kokorin Vsevolod", }, ], descriptions: [ { lang: "en", value: "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of 
Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-1321", description: "Prototype Pollution", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2024-06-21T19:06:40.941Z", orgId: "bae035ff-b466-4ff4-94d0-fc9efd9e1730", shortName: "snyk", }, references: [ { url: "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", }, { url: "https://github.com/salesforce/tough-cookie/issues/282", }, { url: "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", }, { url: "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", }, { url: "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", }, { url: "https://security.netapp.com/advisory/ntap-20240621-0006/", }, ], }, }, cveMetadata: { assignerOrgId: "bae035ff-b466-4ff4-94d0-fc9efd9e1730", assignerShortName: "snyk", cveId: "CVE-2023-26136", datePublished: "2023-07-01T05:00:01.115Z", dateReserved: "2023-02-20T10:28:48.926Z", dateUpdated: "2025-02-13T16:44:51.621Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2016-1000232
Vulnerability from cvelistv5
Published
2018-09-05 17:00
Modified
2024-08-06 03:55
Severity
EPSS score
Summary
NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appears to be exploitable via a custom HTTP header passed by the client. This vulnerability appears to have been fixed in 2.3.0.
References
URL | Tags
---|---
https://access.redhat.com/errata/RHSA-2016:2101 | vendor-advisory, x_refsource_REDHAT
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/ | x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2017:2912 | vendor-advisory, x_refsource_REDHAT
https://www.npmjs.com/advisories/130 | x_refsource_MISC
https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae | x_refsource_CONFIRM
https://access.redhat.com/security/cve/cve-2016-1000232 | x_refsource_CONFIRM
https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534 | x_refsource_CONFIRM
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T03:55:27.288Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2016:2101", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2016:2101", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/", }, { name: "RHSA-2017:2912", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2912", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.npmjs.com/advisories/130", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://access.redhat.com/security/cve/cve-2016-1000232", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], dateAssigned: "2018-09-03T00:00:00", datePublic: "2016-07-22T00:00:00", descriptions: [ { lang: "en", value: "NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. 
This vulnerability appears to have been fixed in 2.3.0.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-09-06T09:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "RHSA-2016:2101", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2016:2101", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/", }, { name: "RHSA-2017:2912", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2912", }, { tags: [ "x_refsource_MISC", ], url: "https://www.npmjs.com/advisories/130", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://access.redhat.com/security/cve/cve-2016-1000232", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", DATE_ASSIGNED: "2018-09-03T16:07:16.985208", DATE_REQUESTED: "2016-10-28T00:00:00", ID: "CVE-2016-1000232", REQUESTER: "kurt@seifried.org", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. 
This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2016:2101", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2016:2101", }, { name: "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/", refsource: "CONFIRM", url: "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/", }, { name: "RHSA-2017:2912", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2912", }, { name: "https://www.npmjs.com/advisories/130", refsource: "MISC", url: "https://www.npmjs.com/advisories/130", }, { name: "https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae", refsource: "CONFIRM", url: "https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae", }, { name: "https://access.redhat.com/security/cve/cve-2016-1000232", refsource: "CONFIRM", url: "https://access.redhat.com/security/cve/cve-2016-1000232", }, { name: "https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534", refsource: "CONFIRM", url: "https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2016-1000232", datePublished: "2018-09-05T17:00:00", dateReserved: "2016-10-28T00:00:00", dateUpdated: "2024-08-06T03:55:27.288Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }