Gratis scannen

Deze pagina is nog niet vertaald naar uw taal. We werken eraan — de inhoud wordt voorlopig in het Engels weergegeven.

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

HIGHCVE-2017-16119CVSS 7.5

CVE-2017-16119: DoS in fresh Command-Line Tool

Platform

nodejs

Component

fresh

Opgelost in

0.5.2

Bekijk op NVD
Opslaan
Wordt vertaald naar uw taal…

CVE-2017-16119 represents a Denial of Service (DoS) vulnerability within the fresh command-line tool. This vulnerability arises from improper handling of user input, specifically when parsing regular expressions. An attacker can exploit this flaw by providing specially crafted input, leading to a denial of service condition, rendering the tool unresponsive. Affected versions include those prior to 0.5.2; an update to version 0.5.2 or later resolves the issue.

Impact en Aanvalsscenarioswordt vertaald…

The primary impact of CVE-2017-16119 is a denial of service. An attacker can craft malicious input designed to trigger an excessive resource consumption within the fresh tool's regular expression engine. This can lead to the tool becoming unresponsive, preventing legitimate users from utilizing it. The blast radius is limited to the system running the fresh tool, but repeated or widespread exploitation could impact multiple systems if the tool is deployed across an organization. While not directly leading to data exfiltration, the disruption of service can significantly impact workflows and productivity.

Uitbuitingscontextwordt vertaald…

CVE-2017-16119 has been publicly disclosed and a proof-of-concept (POC) is likely available, though no active campaigns have been definitively linked to this specific vulnerability. Its CVSS score of 7.5 (HIGH) indicates a significant potential for exploitation. The vulnerability was published on July 24, 2018. While not listed on KEV or EPSS, the ease of exploitation associated with regular expression DoS vulnerabilities warrants careful attention and prompt remediation.

Dreigingsinformatie

Exploit Status

Proof of ConceptOnbekend
CISA KEVNO
InternetblootstellingHoog

EPSS

0.33% (56% percentiel)

CVSS-vector

DREIGINGSINFORMATIE· CVSS 3.1CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H7.5HIGHAttack VectorNetworkHoe de aanvaller het doel bereiktAttack ComplexityLowVereiste omstandigheden om te exploiterenPrivileges RequiredNoneVereist authenticatieniveau voor aanvalUser InteractionNoneOf het slachtoffer actie moet ondernemenScopeUnchangedImpact buiten het getroffen onderdeelConfidentialityNoneRisico op blootstelling van gevoelige dataIntegrityNoneRisico op ongeautoriseerde gegevenswijzigingAvailabilityHighRisico op verstoring van dienstennextguardhq.com · CVSS v3.1 Basisscore
Wat betekenen deze metrics?
Attack Vector
Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
Attack Complexity
Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
Privileges Required
Geen — geen authenticatie vereist om te exploiteren.
User Interaction
Geen — automatische en stille aanval. Slachtoffer doet niets.
Scope
Ongewijzigd — impact beperkt tot het kwetsbare component.
Confidentiality
Geen — geen vertrouwelijkheidsimpact.
Integrity
Geen — geen integriteitsimpact.
Availability
Hoog — volledige crash of uitputting van resources. Totale denial of service.

Tijdlijn

  1. Gepubliceerd
  2. Gewijzigd
  3. EPSS bijgewerkt

Mitigatie en Workaroundswordt vertaald…

The recommended mitigation for CVE-2017-16119 is to immediately upgrade to version 0.5.2 or later of the fresh tool. If upgrading is not immediately feasible due to compatibility concerns or system downtime constraints, consider implementing input validation to sanitize user-provided data before it is processed by the regular expression engine. This could involve limiting the complexity of allowed regular expressions or employing a whitelist approach to permitted input patterns. There are no specific WAF or proxy rules applicable to this vulnerability as it resides within the application itself. After upgrading, confirm the fix by attempting to process a known malicious input string and verifying that the tool remains responsive.

Hoe te verhelpenwordt vertaald…

Geen officiële patch beschikbaar. Zoek naar tijdelijke oplossingen of monitor updates.

Veelgestelde vragenwordt vertaald…

What is CVE-2017-16119 — DoS in fresh Command-Line Tool?

CVE-2017-16119 is a denial-of-service vulnerability in the fresh command-line tool. Specially crafted user input can trigger a regular expression denial of service, causing the tool to become unresponsive.

Am I affected by CVE-2017-16119 in fresh Command-Line Tool?

You are affected if you are using a version of fresh prior to 0.5.2. Check your version using fresh --version.

How do I fix CVE-2017-16119 in fresh Command-Line Tool?

Upgrade to version 0.5.2 or later of fresh. This resolves the regular expression denial of service vulnerability.

Is CVE-2017-16119 being actively exploited?

While no active campaigns have been definitively linked, the vulnerability is publicly disclosed and a POC is likely available, warranting prompt remediation.

Where can I find the official fresh advisory for CVE-2017-16119?

Refer to the project's release notes or repository for information regarding the fix. Search for 'fresh 0.5.2 release notes' for details.

Is jouw project getroffen?

Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.

Gratis scannenCVEs zoeken
livefree scan

Probeer het nu — geen account

Upload een manifest (composer.lock, package-lock.json, WordPress pluginlijst…) of plak uw componentenlijst. U ontvangt direct een kwetsbaarheidsrapport. Een bestand uploaden is slechts het begin: met een account krijgt u continue monitoring, Slack/e-mail alerts, multi-project en white-label rapporten.

Manual scanSlack/email alertsscanZone.capMonitorWhite-label reports

Sleep uw afhankelijkheidsbestand hierheen

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...