| Title | Input validation vulnerability in Node.js |
|---|---|
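| Summary | Node.js contains an input validation vulnerability. |
| Possible impacts | The system may be put into a denial-of-service (DoS) state. |
| Solution | The vendor has released an official fix. Refer to the vendor information and apply the appropriate countermeasures. |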
| Publication Date | March 21, 2018, midnight |
| Registration Date | July 13, 2018, 5:44 p.m. |
| Last Update | July 13, 2018, 5:44 p.m. |
| CVSS3.0 : High | |
| Score | 7.5 |
|---|---|
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVSS2.0 : Medium | |
| Score | 5 |
|---|---|
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| Node.js Foundation |
| Node.js |
| No | Changed Details | Date of change |
|---|---|---|
| 1 | [July 13, 2018] Published | July 13, 2018, 5:44 p.m. |
| Summary | The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service. |
|---|---|
| Publication Date | May 17, 2018, 11:29 p.m. |
| Registration Date | March 1, 2021, 7:37 p.m. |
| Last Update | Nov. 21, 2024, 1:11 p.m. |
| Configuration1 | or higher | or less | more than | less than | |
|---|---|---|---|---|---|
| cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* | 4.0.0 | 4.1.2 | | | |
| cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* | 4.2.0 | 4.9.1 | | | |