此页面尚未翻译为您的语言。我们正在努力翻译,目前显示英文内容。
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2017-16119 represents a Denial of Service (DoS) vulnerability within the fresh command-line tool. This vulnerability arises from improper handling of user input, specifically when parsing regular expressions. An attacker can exploit this flaw by providing specially crafted input, leading to a denial of service condition, rendering the tool unresponsive. Affected versions include those prior to 0.5.2; an update to version 0.5.2 or later resolves the issue.
影响与攻击场景翻译中…
The primary impact of CVE-2017-16119 is a denial of service. An attacker can craft malicious input designed to trigger an excessive resource consumption within the fresh tool's regular expression engine. This can lead to the tool becoming unresponsive, preventing legitimate users from utilizing it. The blast radius is limited to the system running the fresh tool, but repeated or widespread exploitation could impact multiple systems if the tool is deployed across an organization. While not directly leading to data exfiltration, the disruption of service can significantly impact workflows and productivity.
利用背景翻译中…
CVE-2017-16119 has been publicly disclosed and a proof-of-concept (POC) is likely available, though no active campaigns have been definitively linked to this specific vulnerability. Its CVSS score of 7.5 (HIGH) indicates a significant potential for exploitation. The vulnerability was published on July 24, 2018. While not listed on KEV or EPSS, the ease of exploitation associated with regular expression DoS vulnerabilities warrants careful attention and prompt remediation.
威胁情报
漏洞利用状态
EPSS
0.33% (56% 百分位)
CVSS 向量
这些指标意味着什么?
- Attack Vector
- 网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
- Attack Complexity
- 低 — 无需特殊条件,可以稳定地利用漏洞。
- Privileges Required
- 无 — 无需认证,无需凭证即可利用。
- User Interaction
- 无 — 攻击自动且无声,受害者无需任何操作。
- Scope
- 未改变 — 影响仅限于脆弱组件本身。
- Confidentiality
- 无 — 无机密性影响。
- Integrity
- 无 — 无完整性影响。
- Availability
- 高 — 完全崩溃或资源耗尽,完全拒绝服务。
时间线
- 发布日期
- 修改日期
- EPSS 更新日期
缓解措施和替代方案翻译中…
The recommended mitigation for CVE-2017-16119 is to immediately upgrade to version 0.5.2 or later of the fresh tool. If upgrading is not immediately feasible due to compatibility concerns or system downtime constraints, consider implementing input validation to sanitize user-provided data before it is processed by the regular expression engine. This could involve limiting the complexity of allowed regular expressions or employing a whitelist approach to permitted input patterns. There are no specific WAF or proxy rules applicable to this vulnerability as it resides within the application itself. After upgrading, confirm the fix by attempting to process a known malicious input string and verifying that the tool remains responsive.
修复方法翻译中…
暂无官方补丁。请查找临时解决方案或持续关注更新。
常见问题翻译中…
What is CVE-2017-16119 — DoS in fresh Command-Line Tool?
CVE-2017-16119 is a denial-of-service vulnerability in the fresh command-line tool. Specially crafted user input can trigger a regular expression denial of service, causing the tool to become unresponsive.
Am I affected by CVE-2017-16119 in fresh Command-Line Tool?
You are affected if you are using a version of fresh prior to 0.5.2. Check your version using fresh --version.
How do I fix CVE-2017-16119 in fresh Command-Line Tool?
Upgrade to version 0.5.2 or later of fresh. This resolves the regular expression denial of service vulnerability.
Is CVE-2017-16119 being actively exploited?
While no active campaigns have been definitively linked, the vulnerability is publicly disclosed and a POC is likely available, warranting prompt remediation.
Where can I find the official fresh advisory for CVE-2017-16119?
Refer to the project's release notes or repository for information regarding the fix. Search for 'fresh 0.5.2 release notes' for details.
立即试用 — 无需账户
上传任何清单文件 (composer.lock, package-lock.json, WordPress 插件列表…) 或粘贴您的组件列表。您立即获得一份漏洞报告。上传文件只是开始:拥有账户后,您将获得持续监控、Slack/电子邮件警报、多项目和白标报告。
拖放您的依赖文件
composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...