CVE-2017-16129

{"id": "CVE-2017-16129", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.1, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2018-06-07T02:29:03.457", "references": [{"url": "https://github.com/visionmedia/superagent/issues/1259", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "support@hackerone.com"}, {"url": "https://nodesecurity.io/advisories/479", "tags": ["Third Party Advisory"], "source": "support@hackerone.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-400"}]}, {"type": "Secondary", "source": "support@hackerone.com", "description": [{"lang": "en", "value": "CWE-409"}]}], "descriptions": [{"lang": "en", "value": "The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control the location (URL) that superagent makes a request to."}, {"lang": "es", "value": "El m\u00f3dulo HTTP del cliente superagent es vulnerable a ataques de bomba ZIP. En un ataque de bomba ZIP, el servidor HTTP responde con una respuesta comprimida que se agranda significativamente una vez descomprimida. Si un cliente no toma las suficientes precauciones al procesar tales respuestas, podr\u00eda resultar en un consumo excesivo de CPU y/o memoria. Un atacante podr\u00eda explotar una debilidad como esa para un ataque DoS. Para explotarla, el atacante debe controlar la ubicaci\u00f3n (URL) a la que superagent realiza una petici\u00f3n."}], "lastModified": "2019-10-09T23:24:49.017", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:superagent_project:superagent:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "8A86D4C2-09BE-45F0-985E-8AB163C926E0", "versionEndExcluding": "3.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}