1500711 – (CVE-2017-16136) CVE-2017-16136 nodejs-method-override: Regular expression Denial of Service

Bug 1500711 (CVE-2017-16136) - CVE-2017-16136 nodejs-method-override: Regular expression Denial of Service

Summary: CVE-2017-16136 nodejs-method-override: Regular expression Denial of Service

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2017-16136
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1500725 1500712 1500713 1500726
Blocks:	1500716
TreeView+	depends on / blocked

Reported:	2017-10-11 11:16 UTC by Andrej Nemec
Modified:	2020-11-05 10:32 UTC (History)
CC List:	12 users (show)
Fixed In Version:	nodejs-method-override 2.3.10
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-10-23 06:09:20 UTC
Embargoed:

Attachments	(Terms of Use)

Description Andrej Nemec 2017-10-11 11:16:33 UTC

method-override is a module used by the Express.js framework to let you use HTTP verbs such as PUT or DELETE in places where the client doesn't support it.

method-override is vulnerable to a regular expression denial of service vulnerability when specially crafted input is passed in to be parsed via the X-HTTP-Method-Override header.

Upstream patch:

https://github.com/expressjs/method-override/commit/4c58835a61fdf7a8e070d6f8ecd5379a961d0987

Comment 1 Andrej Nemec 2017-10-11 11:17:00 UTC

Created nodejs-mime tracking bugs for this issue:

Affects: epel-all [bug 1500712]
Affects: fedora-all [bug 1500713]

Comment 2 Andrej Nemec 2017-10-11 11:40:30 UTC

Created nodejs-method-override tracking bugs for this issue:

Affects: epel-all [bug 1500725]
Affects: fedora-all [bug 1500726]

Note You need to log in before you can comment on or make changes to this bug.