fkie_cve-2024-21536
Vulnerability from fkie_nvd
Published
2024-10-19 05:15
Modified
2024-11-01 18:03
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
References
report@snyk.iohttps://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94aExploit, Third Party Advisory
report@snyk.iohttps://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5Patch
report@snyk.iohttps://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22Patch
report@snyk.iohttps://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906Third Party Advisory
Impacted products
Vendor Product Version
chimurai http-proxy-middleware *
chimurai http-proxy-middleware *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:chimurai:http-proxy-middleware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A1C31D2C-0CB7-4D28-8658-42632A65F7F3",
              "versionEndExcluding": "2.0.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:chimurai:http-proxy-middleware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A89EB4F5-1978-4172-A52D-8504F87E110E",
              "versionEndExcluding": "3.0.3",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths."
    },
    {
      "lang": "es",
      "value": "Las versiones del paquete http-proxy-middleware anteriores a la 2.0.7, a la 3.0.0 y a la 3.0.3 es vulnerable a un ataque de denegaci\u00f3n de servicio (DoS) debido a un error UnhandledPromiseRejection generado por micromatch. Un atacante podr\u00eda matar el proceso Node.js y bloquear el servidor al realizar solicitudes a determinadas rutas."
    }
  ],
  "id": "CVE-2024-21536",
  "lastModified": "2024-11-01T18:03:15.897",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "report@snyk.io",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-10-19T05:15:13.097",
  "references": [
    {
      "source": "report@snyk.io",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a"
    },
    {
      "source": "report@snyk.io",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5"
    },
    {
      "source": "report@snyk.io",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22"
    },
    {
      "source": "report@snyk.io",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906"
    }
  ],
  "sourceIdentifier": "report@snyk.io",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "report@snyk.io",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.