Bug 948602 - (CVE-2015-7384) VUL-0: CVE-2015-7384: nodejs: HTTP Denial of Service Vulnerability
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.2
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/157271/
Reported: 2015-10-02 16:00 UTC by Andreas Stieger
Modified: 2019-12-11 20:31 UTC

Found By: Security Response Team
Description Andreas Stieger 2015-10-02 16:00:15 UTC
public at https://groups.google.com/d/msg/nodejs-sec/fSNEQiuof6I/Jac2wzGgBgAJ

A bug exists in Node.js versions 4.0.0 to 4.1.1 whereby an external attacker can cause a denial of service. The severity of this issue is high (see CVSS scoring below) and users of the affected versions should plan to upgrade when a fix is made available.

* Versions 0.10 and 0.12 of Node.js are ***not affected***.
* Versions 4.0.0, 4.1.0 and 4.1.1 of Node.js are ***vulnerable***.
* Versions 1 and 2 of io.js are ***not affected*** but remain unsupported and users of these versions are encouraged to migrate to Node.js v4 at their earliest convenience.
* Version 3 of io.js is ***vulnerable*** and while io.js v3 is unsupported, a patch release with a fix will be made available some time next week. Users of io.js v3 are encouraged to migrate to Node.js v4 as a matter of priority.

Full details of this vulnerability are embargoed until a new v4.x release is made available on **Monday the 5th of October 2015**, UTC.

Common Vulnerability Scoring System (CVSS) v3 Base Score:

| Metric                      | Score                      |
|-----------------------------|----------------------------|
| **Base Score:**             | **5.9 (Medium)**           |
| **Base Vector:**            | [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) |
| **Attack Vector:**          | Network (AV:N)             |
| **Attack Complexity:**      | Medium (AC:H)              |
| **Privileges Required:**    | None (PR:N)                |
| **User Interaction:**       | None (UI:N)                |
| **Scope of Impact:**        | Unchanged (S:U)            |
| **Confidentiality Impact:** | None (C:N)                 |
| **Integrity Impact:**       | None (I:N)                 |
| **Availability Impact:**    | High (A:H)                 |

Complete CVSS v3 Vector: [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C/CR:L/IR:L/AR:M/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C/CR:L/IR:L/AR:M/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H). Refer to the [CVSS v3 Specification](https://www.first.org/cvss/specification-document) for details on the meanings and application of the vector components.

CVE-2015-7384 is listed on the [MITRE CVE dictionary](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7384) and [NIST NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7384).

## Action and updates

A new v4.x release on **Monday the 5th of October 2015** will be made available with appropriate fixes for this vulnerability along with disclosure of the details of the bug to allow for complete impact assessment by users.

A new io.js v3.x release will be made on or after Monday the 5th of October 2015 for users having trouble migrating to Node.js v4, however this release does not indicate continued official support of io.js release lines.

## Contact and future updates

Please contact secu...@nodejs.org if you wish to report a vulnerability in Node.js.

Please subscribe to the low-volume announcement-only **nodejs-sec** mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date with security vulnerabilities in Node.js and the projects maintained in the **nodejs** [GitHub organisation](http://github.com/nodejs/).


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7384
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7384.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7384
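Because the advisory was published under embargo, the only actionable detail on this page is the list of affected and unaffected version lines. The script below is an added example (not part of the SUSE bug, the Node.js advisory, or any Node.js project code) that turns that list into a checker for the `vX.Y.Z` strings Node.js and io.js expose as `process.version`, so an inventory of interpreters can be triaged against CVE-2015-7384. It assumes, which the page does not state outright, that every 4.x release newer than 4.1.1 carries the fix (the fixed v4.x release was due on 5 October 2015 and the openSUSE updates below ship nodejs 4.2.1); the version inventory it scans is constructed for the example.

```javascript
// Added example (not part of the SUSE bug or the Node.js advisory):
// classify Node.js / io.js version strings against the affected ranges
// the advisory lists for CVE-2015-7384.
//
// From the advisory: Node.js 4.0.0 through 4.1.1 vulnerable; Node.js 0.10
// and 0.12 not affected; io.js 1.x and 2.x not affected; io.js 3.x vulnerable.
// Assumption (not stated on the page): every 4.x release newer than 4.1.1
// carries the fix, because the fixed v4.x release was due on 5 October 2015
// and the openSUSE updates on this bug ship nodejs 4.2.1.

// Parse "v4.1.1" / "4.1.1" / "v4.1.1-rc.1" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function inRange(v, lo, hi) {
  return compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0;
}

// io.js and Node.js both report process.version as "vX.Y.Z"; the major
// number tells the lines apart (1-3 are io.js, 0.x and 4+ are Node.js).
function assessCve20157384(versionString) {
  const v = parseVersion(versionString);
  const major = v[0];
  if (major === 0) {
    return { vulnerable: false, line: 'Node.js 0.x', note: 'not affected' };
  }
  if (major === 1 || major === 2) {
    return { vulnerable: false, line: `io.js ${major}.x`,
             note: 'not affected, but unsupported; migrate to Node.js v4' };
  }
  if (major === 3) {
    return { vulnerable: true, line: 'io.js 3.x',
             note: 'vulnerable and unsupported; migrate to Node.js v4 as a priority' };
  }
  if (major === 4) {
    if (inRange(v, [4, 0, 0], [4, 1, 1])) {
      return { vulnerable: true, line: 'Node.js 4.x',
               note: 'vulnerable; upgrade to the fixed v4.x release' };
    }
    return { vulnerable: false, line: 'Node.js 4.x',
             note: 'assumed fixed: newer than 4.1.1' };
  }
  return { vulnerable: false, line: `Node.js ${major}.x`,
           note: 'outside the affected ranges (released after the fix)' };
}

function isAffected(versionString) {
  return assessCve20157384(versionString).vulnerable;
}

// Constructed sample inventory (hypothetical fleet scan output); the
// interpreter running this script is appended when the report is printed.
const inventory = ['v0.10.40', 'v0.12.7', 'v2.5.0', 'v3.3.1',
                   'v4.0.0', 'v4.1.1', 'v4.2.1'];

// Return only the versions that need the update.
function affectedVersions(list) {
  return list.filter(isAffected);
}

// One report line per version: version, release line, verdict, note.
function report(list) {
  return list.map((ver) => {
    const r = assessCve20157384(ver);
    return `${ver.padEnd(9)} ${r.line.padEnd(12)} ${r.vulnerable ? 'VULNERABLE' : 'ok'}  ${r.note}`;
  });
}

console.log(report(inventory.concat([process.version])).join('\n'));
```

Run it with a current Node.js; the final line of the report is the verdict for the interpreter itself. The check is deliberately conservative about unknown input: a string that is not `X.Y.Z` throws rather than silently reporting "ok", so a malformed inventory entry surfaces instead of being counted as patched.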
Comment 2 Swamp Workflow Management 2015-10-02 22:00:23 UTC
bugbot adjusting priority
Comment 3 Swamp Workflow Management 2015-10-27 09:10:57 UTC
openSUSE-SU-2015:1825-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 948045,948602
CVE References: CVE-2015-7384
Sources used:
openSUSE 13.2 (src):    nodejs-4.2.1-2.6.1
openSUSE 13.1 (src):    nodejs-4.2.1-3.10.1
Comment 4 Swamp Workflow Management 2015-10-29 17:02:39 UTC
openSUSE-SU-2015:1825-2: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 948045,948602
CVE References: CVE-2015-7384
Sources used:
openSUSE Leap 42.1 (src):    nodejs-4.2.1-6.1
Comment 5 Andreas Stieger 2015-11-09 08:48:39 UTC
All done.
Comment 6 Swamp Workflow Management 2018-09-20 13:11:52 UTC
This is an autogenerated message for OBS integration:
This bug (948602) was mentioned in
https://build.opensuse.org/request/show/636889 42.3+Backports:SLE-12 / nodejs8
Comment 7 Swamp Workflow Management 2018-10-17 10:42:14 UTC
This is an autogenerated message for OBS integration:
This bug (948602) was mentioned in
https://build.opensuse.org/request/show/642571 42.3+Backports:SLE-12 / nodejs8
Comment 8 Swamp Workflow Management 2018-11-16 14:02:32 UTC
This is an autogenerated message for OBS integration:
This bug (948602) was mentioned in
https://build.opensuse.org/request/show/649577 Backports:SLE-12-SP2 / nodejs8
Comment 11 Swamp Workflow Management 2019-12-11 20:31:19 UTC
SUSE-SU-2019:14246-1: An update that fixes 118 vulnerabilities is now available.

Category: security (important)
Bug References: 1000036,1001652,1025108,1029377,1029902,1040164,104105,1042670,1043008,1044946,1047925,1047936,1048299,1049186,1050653,1056058,1058013,1066242,1066953,1070738,1070853,1072320,1072322,1073796,1073798,1073799,1073803,1073808,1073818,1073823,1073829,1073830,1073832,1073846,1074235,1077230,1079761,1081750,1082318,1087453,1087459,1087463,1088573,1091764,1094814,1097158,1097375,1097401,1097404,1097748,1104841,1105019,1107030,1109465,1117473,1117626,1117627,1117629,1117630,1120644,1122191,1123482,1124525,1127532,1129346,1130694,1130840,1133452,1133810,1134209,1138459,1140290,1140868,1141853,1144919,1145665,1146090,1146091,1146093,1146094,1146095,1146097,1146099,1146100,1149323,1153423,1154738,1447070,1447409,744625,744629,845955,865853,905528,917607,935856,937414,947747,948045,948602,955142,957814,957815,961254,962297,966076,966077,985201,986541,991344,998743
CVE References: CVE-2013-2882,CVE-2013-6639,CVE-2013-6640,CVE-2013-6668,CVE-2014-0224,CVE-2015-3193,CVE-2015-3194,CVE-2015-5380,CVE-2015-7384,CVE-2016-2086,CVE-2016-2178,CVE-2016-2183,CVE-2016-2216,CVE-2016-5172,CVE-2016-5325,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7099,CVE-2017-1000381,CVE-2017-10686,CVE-2017-11111,CVE-2017-11499,CVE-2017-14228,CVE-2017-14849,CVE-2017-14919,CVE-2017-15896,CVE-2017-15897,CVE-2017-17810,CVE-2017-17811,CVE-2017-17812,CVE-2017-17813,CVE-2017-17814,CVE-2017-17815,CVE-2017-17816,CVE-2017-17817,CVE-2017-17818,CVE-2017-17819,CVE-2017-17820,CVE-2017-18207,CVE-2017-3735,CVE-2017-3736,CVE-2017-3738,CVE-2018-0732,CVE-2018-1000168,CVE-2018-12115,CVE-2018-12116,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-20406,CVE-2018-20852,CVE-2018-7158,CVE-2018-7159,CVE-2018-7160,CVE-2018-7161,CVE-2018-7167,CVE-2019-10160,CVE-2019-11709,CVE-2019-11710,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11714,CVE-2019-11715,CVE-2019-11716,CVE-2019-11717,CVE-2019-11718,CVE-2019-11719,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11729,CVE-2019-11730,CVE-2019-11733,CVE-2019-11735,CVE-2019-11736,CVE-2019-11738,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11747,CVE-2019-11748,CVE-2019-11749,CVE-2019-11750,CVE-2019-11751,CVE-2019-11752,CVE-2019-11753,CVE-2019-11757,CVE-2019-11758,CVE-2019-11759,CVE-2019-11760,CVE-2019-11761,CVE-2019-11762,CVE-2019-11763,CVE-2019-11764,CVE-2019-13173,CVE-2019-15903,CVE-2019-5010,CVE-2019-5737,CVE-2019-9511,CVE-2019-9512,CVE-2019-9513,CVE-2019-9514,CVE-2019-9515,CVE-2019-9516,CVE-2019-9517,CVE-2019-9518,CVE-2019-9636,CVE-2019-9811,CVE-2019-9812,CVE-2019-9947
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    MozillaFirefox-68.2.0-78.51.4, MozillaFirefox-branding-SLED-68-21.9.8, firefox-atk-2.26.1-2.8.4, firefox-cairo-1.15.10-2.13.4, firefox-gcc5-5.3.1+r233831-14.1, firefox-gcc8-8.2.1+r264010-2.5.1, firefox-gdk-pixbuf-2.36.11-2.8.4, firefox-glib2-2.54.3-2.14.7, firefox-gtk3-3.10.9-2.15.3, firefox-harfbuzz-1.7.5-2.7.4, firefox-libffi-3.2.1.git259-2.3.3, firefox-libffi-gcc5-5.3.1+r233831-14.1, firefox-pango-1.40.14-2.7.4, mozilla-nspr-4.21-29.6.1, mozilla-nss-3.45-38.9.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.