CVE-2016-1000232 — Improper Input Validation in Tough-cookie

CWE-20 — Improper Input Validation CWE-400 — Uncontrolled Resource Consumption CWE-1333 — Regex Denial of Service7 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.9%

top 24.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Salesforce Tough-cookie IBM API Connect Redhat Openshift Container Platform

Timeline

PublishedSep 5

Latest updateOct 10

Description

NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶npmsalesforce/tough-cookie< 2.3.0

▶NVDsalesforce/tough-cookie0.9.7 — 2.2.2

▶NVDibm/api_connect5.0.6.0 — 5.0.6.5+2

Also affects: Openshift Container Platform 3.1, 3.2, 3.3

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

ReDoS via long string of semicolons in tough-cookie↗2018-10-10

▶

GHSA

ReDoS via long string of semicolons in tough-cookie↗2018-10-10

▶

CVEList

CVE-2016-1000232: NodeJS Tough-Cookie version 2↗2018-09-05

▶

📋Vendor Advisories

Red Hat

nodejs-tough-cookie: regular expression DoS via Cookie header with many semicolons↗2016-07-22

▶

💬Community

Bugzilla

CVE-2016-1000232 nodejs-tough-cookie: Denial of service via long string of semicolons [fedora-all]↗2016-07-25

▶

Bugzilla

CVE-2016-1000232 nodejs-tough-cookie: regular expression DoS via Cookie header with many semicolons↗2016-07-25

▶