CVE-2017-16129 Vulnerability Details

  /     /     /  

CVE-2017-16129 Metadata Quick Info

CVE Published: 07/06/2018 | CVE Updated: 16/09/2024 | CVE Year: 2017
Source: hackerone | Vendor: HackerOne | Product: superagent node module
Status : PUBLISHED

---

CVE-2017-16129 Description

The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control the location (URL) that superagent makes a request to.

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-409
CWE Name: Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
Source: HackerOne

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).