Plataforma
nodejs
Componente
content
Corrigido em
3.0.7
CVE-2017-16111 describes a denial-of-service (DoS) vulnerability within the content component. This vulnerability arises from improper handling of regular expressions when parsing malicious Content-Type and Content-Disposition headers, potentially leading to service disruption. Affected versions are those prior to 3.0.7, and a fix is available in version 3.0.7.
An attacker could exploit this vulnerability by sending specially crafted HTTP requests containing malicious Content-Type and Content-Disposition headers. This could exhaust server resources, leading to a denial of service, preventing legitimate users from accessing the application. The impact is particularly severe for systems handling a high volume of HTTP requests, as a single malicious request could disrupt service for many users. The blast radius extends to any user attempting to access the affected application, effectively rendering it unavailable.
CVE-2017-16111 was published on July 24, 2018. While no active campaigns targeting this specific vulnerability have been publicly reported, DoS vulnerabilities are frequently targeted. The vulnerability's ease of exploitation (requiring only the crafting of HTTP headers) means it remains a potential risk. Severity is HIGH, indicating a significant potential for disruption.
Status do Exploit
EPSS
0.33% (percentil 56%)
Vetor CVSS
The primary mitigation for CVE-2017-16111 is to upgrade the content component to version 3.0.7 or later. If an immediate upgrade is not feasible, consider implementing input validation on the server-side to sanitize Content-Type and Content-Disposition headers before parsing. Web application firewalls (WAFs) configured to detect and block requests with suspicious header patterns can also provide a temporary layer of protection. After upgrading, confirm the fix by sending a test request with a known malicious header and verifying that the application does not crash or exhibit performance degradation.
Nenhum patch oficial disponível. Procure alternativas ou monitore atualizações.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2017-16111 is a denial-of-service vulnerability in the Content Management System, allowing attackers to crash the service with malicious headers. It has a CVSS score of 7.5 (HIGH).
You are affected if you are using a version of Content Management System prior to 3.0.7. Check your version and upgrade immediately.
Upgrade to version 3.0.7 or later. As a temporary workaround, implement input validation for Content-Type and Content-Disposition headers.
While no active campaigns have been publicly reported, DoS vulnerabilities are frequently targeted, so vigilance is advised.
Refer to the Content Management System's official security advisories and release notes for details on this vulnerability and the fix.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.