#VU38700 Input validation error in qs - CVE-2017-1000048

Cybersecurity Help s.r.o.

Published: 2017-07-17 | Updated: 2020-08-08

Vulnerability identifier: #VU38700

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-1000048

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
qs
Web applications / JS libraries

Vendor: npm Inc.

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.

Mitigation
Install update from vendor's website.

Vulnerable software versions

qs: 1.0.0 - 6.3.1

External links
https://access.redhat.com/errata/RHSA-2017:2672
https://github.com/ljharb/qs/issues/200

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Planning Analytics Workspace

Multiple vulnerabilities in IBM Security Verify Governance

Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data

Multiple vulnerabilities in Netcool Operations Insight

Multiple vulnerabilities in IBM Engineering Requirements Quality Assistant On-Premises

Input validation error in npm qs