Escanear gratis

Esta página aún no ha sido traducida a tu idioma. Mostrando contenido en inglés mientras trabajamos en ello.

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

HIGHCVE-2017-16118CVSS 7.5

CVE-2017-16118: DoS in forwarded Go Package

Plataforma

nodejs

Componente

forwarded

Corregido en

0.1.2

Ver en NVD
Guardar
Traduciendo a tu idioma…

CVE-2017-16118 describes a Denial of Service (DoS) vulnerability within the forwarded Go package. This vulnerability arises from the package's handling of regular expressions when parsing user input, allowing an attacker to trigger a denial of service. Affected versions are those prior to 0.1.2. A fix is available in version 0.1.2.

Impacto y Escenarios de Ataquetraduciendo…

An attacker can exploit this vulnerability by sending specially crafted input to applications utilizing the forwarded package. This malicious input triggers a computationally expensive regular expression match, effectively exhausting server resources and leading to a denial of service. The impact can range from temporary service unavailability to complete system crashes, disrupting operations and potentially impacting user access. The blast radius extends to any application relying on the vulnerable forwarded package, particularly those handling external user input without proper sanitization.

Contexto de Explotacióntraduciendo…

CVE-2017-16118 was published on July 24, 2018. There is no indication of active exploitation campaigns targeting this vulnerability. The EPSS score is likely low given the lack of public exploits and the relatively straightforward mitigation (package upgrade). No known KEV status.

Inteligencia de Amenazas

Estado del Exploit

Prueba de ConceptoDesconocido
CISA KEVNO
Exposición en InternetAlta

EPSS

0.60% (69% percentil)

Vector CVSS

INTELIGENCIA DE AMENAZAS· CVSS 3.1CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H7.5HIGHAttack VectorNetworkCómo el atacante alcanza el objetivoAttack ComplexityLowCondiciones necesarias para explotarPrivileges RequiredNoneNivel de autenticación requeridoUser InteractionNoneSi la víctima debe realizar una acciónScopeUnchangedImpacto más allá del componente afectadoConfidentialityNoneRiesgo de exposición de datos sensiblesIntegrityNoneRiesgo de modificación no autorizada de datosAvailabilityHighRiesgo de interrupción del servicionextguardhq.com · Puntuación Base CVSS v3.1
¿Qué significan estas métricas?
Attack Vector
Red — explotable remotamente por internet. Sin acceso físico ni local. Mayor superficie de ataque.
Attack Complexity
Baja — sin condiciones especiales. El atacante puede explotar de forma confiable sin configuraciones raras.
Privileges Required
Ninguno — sin autenticación. No se necesitan credenciales para explotar.
User Interaction
Ninguna — el ataque es automático y silencioso. La víctima no hace nada.
Scope
Sin cambio — el impacto se limita al componente vulnerable.
Confidentiality
Ninguno — sin impacto en confidencialidad.
Integrity
Ninguno — sin impacto en integridad.
Availability
Alto — caída completa o agotamiento de recursos. Denegación de servicio total.

Cronología

  1. Publicada
  2. Modificada
  3. EPSS actualizado

Mitigación y Workaroundstraduciendo…

The primary mitigation for CVE-2017-16118 is to upgrade the forwarded Go package to version 0.1.2 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization to prevent the injection of malicious regular expressions. Specifically, restrict the characters allowed in the X-Forwarded-For header or other relevant fields. While not a complete solution, this can reduce the likelihood of exploitation. After upgrading, confirm the fix by sending a test payload containing a known malicious regular expression and verifying that the application does not crash or exhibit performance degradation.

Cómo corregirlotraduciendo…

Sin parche oficial disponible. Busca alternativas o monitorea actualizaciones.

Preguntas frecuentestraduciendo…

What is CVE-2017-16118 — DoS in forwarded Go Package?

CVE-2017-16118 is a denial-of-service vulnerability in the forwarded Go package. A crafted input can trigger a resource-intensive regular expression, leading to service disruption.

Am I affected by CVE-2017-16118 in forwarded Go Package?

You are affected if you are using a version of the forwarded Go package prior to 0.1.2 in your Go applications.

How do I fix CVE-2017-16118 in forwarded Go Package?

Upgrade the forwarded Go package to version 0.1.2 or later. Implement input validation as a temporary workaround if upgrading is not immediately possible.

Is CVE-2017-16118 being actively exploited?

There is currently no evidence of active exploitation campaigns targeting CVE-2017-16118.

Where can I find the official forwarded advisory for CVE-2017-16118?

Refer to the GitHub repository for the forwarded package for updates and advisories: https://github.com/posener/forwarded

¿Tu proyecto está afectado?

Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.

Escanear gratisBuscar CVEs
liveescaneo gratuito

Pruébalo ahora — sin cuenta

Sube cualquier manifiesto (composer.lock, package-lock.json, lista de plugins WordPress…) o pega tu lista de componentes. Recibís un reporte de vulnerabilidades al instante. Subir un archivo es solo el primer paso: con una cuenta tenés monitoreo continuo, alertas en tu canal, multi-proyecto y reportes white-label.

Escaneo manualAlertas en Slack/emailMonitoreo continuoReportes white-label

Arrastra y suelta tu archivo de dependencias

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...