CVE-2018-21270
Public on
Last Modified:
Description
A flaw was found in nodejs-stringstream. Node.js stringstream module is vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream.
Statement
Red Hat Quay include stringstream as a dependency of Karma. Karma is only used at build time, and not at runtime reducing the impact of this vulnerability to low.
Additional information
- Bugzilla 1927293: nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure
- (CWE-125|CWE-400): Out-of-bounds Read or Uncontrolled Resource Consumption
- FAQ: Frequently asked questions about CVE-2018-21270
Common Vulnerability Scoring System (CVSS) Score Details
Important note
CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authority (CNA) source for its products and services (see Red Hat classifications).
| Red Hat | NVD | |
|---|---|---|
CVSS v3 Base Score | 6.5 | 6.5 |
Attack Vector | Network | Network |
Attack Complexity | High | High |
Privileges Required | None | None |
User Interaction | None | None |
Scope | Unchanged | Unchanged |
Confidentiality Impact | Low | Low |
Integrity Impact | None | None |
Availability Impact | High | High |
CVSS v3 Vector
Red Hat: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
NVD: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
Red Hat CVSS v3 Score Explanation
Proposed changes to NIST's current CVSSv3 scoring: AC:L -> AC:H C:H -> C:L
To successfully exploit this vulnerability a potential attacker needs pass a large number to the stream and that is unlikely to be under attacker control, but still is possible, hence proposing a change to Attack Complexity (AC) from Low to High. An attacker could extract sensitive data from uninitialized memory, but does not have any control over what information is obtained. Therefore the Confidentiality (C) should be changed from High to Low.
Understanding the Weakness (CWE)
Confidentiality
Technical Impact: Read Memory
An attacker could get secret values such as cryptographic keys, PII, memory addresses, or other information that could be used in additional attacks.
Confidentiality
Technical Impact: Bypass Protection Mechanism
Out-of-bounds memory could contain memory addresses or other information that can be used to bypass ASLR and other protection mechanisms in order to improve the reliability of exploiting a separate weakness for code execution.
Availability
Technical Impact: DoS: Crash, Exit, or Restart
An attacker could cause a segmentation fault or crash by causing memory to be read outside of the bounds of the buffer. This is especially likely when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string.
Other
Technical Impact: Varies by Context
The read operation could produce other undefined or unexpected results.
Availability
Technical Impact: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Resource Consumption (Other)
If an attacker can trigger the allocation of the limited resources, but the number or size of the resources is not controlled, then the most common result is denial of service. This would prevent valid users from accessing the product, and it could potentially have an impact on the surrounding environment, i.e., the product may slow down, crash due to unhandled errors, or lock out legitimate users. For example, a memory exhaustion attack against an application could slow down the application as well as its host operating system.
Access Control,Other
Technical Impact: Bypass Protection Mechanism; Other
In some cases it may be possible to force the product to "fail open" in the event of resource exhaustion. The state of the product -- and possibly the security functionality - may then be compromised.
Frequently Asked Questions
Why is Red Hat's CVSS v3 score or Impact different from other vendors?
My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?
What can I do if my product is listed as "Will not fix"?
What can I do if my product is listed as "Fix deferred"?
What is a mitigation?
I have a Red Hat product but it is not in the above list, is it affected?
Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?
Not sure what something means? Check out our Security Glossary.
Want to get errata notifications? Sign up here.
