Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 6.4
CVE Id CVE-2012-2330
Last Modified 22 Aug 2012 12:00:00
Published 13 Aug 2012 07:55:01
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2012-2330

Summary

The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive information (request header contents) and possibly spoof HTTP headers via a zero length string.

Vulnerable Systems

Application

  • Nodejs 0.6.16

  • Nodejs 0.7.0

  • Nodejs 0.7.1

  • Nodejs 0.7.2

  • Nodejs 0.7.3

  • Nodejs 0.7.4

  • Nodejs 0.7.5

  • Nodejs 0.7.6

  • Nodejs 0.7.7


References

CONFIRM - https://github.com/joyent/node/commit/c9a231d

CONFIRM - https://github.com/joyent/node/commit/7b3fb22

MLIST - [oss-security] 20120508 Re: CVE request: node.js <0.6.17/0.7.8 HTTP server information disclosure

MLIST - [oss-security] 20120508 CVE request: node.js <0.6.17/0.7.8 HTTP server information disclosure

SECUNIA - 49066

CONFIRM - http://blog.nodejs.org/2012/05/04/version-0-6-17-stable/


Last Updated: 27 May 2016 10:51:40