このページはまだあなたの言語に翻訳されていません。翻訳作業中のため、英語でコンテンツを表示しています。
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2017-16118: DoS in forwarded Go Package
翻訳中…プラットフォーム
nodejs
コンポーネント
forwarded
修正版
0.1.2
CVE-2017-16118 describes a Denial of Service (DoS) vulnerability within the forwarded Go package. This vulnerability arises from the package's handling of regular expressions when parsing user input, allowing an attacker to trigger a denial of service. Affected versions are those prior to 0.1.2. A fix is available in version 0.1.2.
影響と攻撃シナリオ翻訳中…
An attacker can exploit this vulnerability by sending specially crafted input to applications utilizing the forwarded package. This malicious input triggers a computationally expensive regular expression match, effectively exhausting server resources and leading to a denial of service. The impact can range from temporary service unavailability to complete system crashes, disrupting operations and potentially impacting user access. The blast radius extends to any application relying on the vulnerable forwarded package, particularly those handling external user input without proper sanitization.
悪用の状況翻訳中…
CVE-2017-16118 was published on July 24, 2018. There is no indication of active exploitation campaigns targeting this vulnerability. The EPSS score is likely low given the lack of public exploits and the relatively straightforward mitigation (package upgrade). No known KEV status.
脅威インテリジェンス
エクスプロイト状況
EPSS
0.60% (69% パーセンタイル)
CVSS ベクトル
これらのメトリクスの意味は?
- Attack Vector
- ネットワーク — インターネット経由でリモートから悪用可能。物理・ローカルアクセス不要。
- Attack Complexity
- 低 — 特別な条件不要。安定して悪用可能。
- Privileges Required
- なし — 認証不要。資格情報なしで悪用可能。
- User Interaction
- なし — 自動かつ無音の攻撃。被害者は何もしない。
- Scope
- 変化なし — 影響は脆弱なコンポーネントのみ。
- Confidentiality
- なし — 機密性への影響なし。
- Integrity
- なし — 完全性への影響なし。
- Availability
- 高 — 完全なクラッシュまたはリソース枯渇。完全なサービス拒否。
タイムライン
- 公開日
- 更新日
- EPSS 更新日
緩和策と回避策翻訳中…
The primary mitigation for CVE-2017-16118 is to upgrade the forwarded Go package to version 0.1.2 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization to prevent the injection of malicious regular expressions. Specifically, restrict the characters allowed in the X-Forwarded-For header or other relevant fields. While not a complete solution, this can reduce the likelihood of exploitation. After upgrading, confirm the fix by sending a test payload containing a known malicious regular expression and verifying that the application does not crash or exhibit performance degradation.
修正方法翻訳中…
公式パッチはありません。回避策を確認するか、アップデートを監視してください。
よくある質問翻訳中…
What is CVE-2017-16118 — DoS in forwarded Go Package?
CVE-2017-16118 is a denial-of-service vulnerability in the forwarded Go package. A crafted input can trigger a resource-intensive regular expression, leading to service disruption.
Am I affected by CVE-2017-16118 in forwarded Go Package?
You are affected if you are using a version of the forwarded Go package prior to 0.1.2 in your Go applications.
How do I fix CVE-2017-16118 in forwarded Go Package?
Upgrade the forwarded Go package to version 0.1.2 or later. Implement input validation as a temporary workaround if upgrading is not immediately possible.
Is CVE-2017-16118 being actively exploited?
There is currently no evidence of active exploitation campaigns targeting CVE-2017-16118.
Where can I find the official forwarded advisory for CVE-2017-16118?
Refer to the GitHub repository for the forwarded package for updates and advisories: https://github.com/posener/forwarded
今すぐ試す — アカウント不要
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
依存関係ファイルをドラッグ&ドロップ
composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...