Vulnerability Monitor

CVE-2019-10196


A flaw was found in http-proxy-agent prior to version 2.1.0. It was discovered that http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. In setups where an attacker can submit typed input to the auth parameter, this could result in a Denial of Service through the consumption of all available CPU resources, and in data exposure through an uninitialized memory leak.


Published

2021-03-19T20:15:13.097

Last Modified

2024-11-21T04:18:37.977

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:C

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: COMPLETE

Exploitability Score

10.0

Impact Score

8.5

Weaknesses
  • Type: Primary
    CWE-665

Affected Vendors & Products

| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | http-proxy-agent_project | http-proxy-agent | < 2.1.0 | Yes |
| Operating System | fedoraproject | fedora | 27 | Yes |
| Application | redhat | software_collections | - | Yes |
| Operating System | redhat | enterprise_linux | 7.0 | Yes |

References