https-proxy-agent before 2.2.0 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).

References:
https://nodesecurity.io/advisories/593
https://hackerone.com/reports/319532
Created nodejs-https-proxy-agent tracking bugs for this issue: Affects: epel-7 [bug 1727314]
*** Bug 1576651 has been marked as a duplicate of this bug. ***
Upstream patch: https://github.com/TooTallNate/node-https-proxy-agent/commit/1c24219df87524e6ed973127e81f30801d658f07
Lowering Impact to Medium as the attacker needs to submit a number as the `auth` parameter and because in NodeJS version >= 8 the buffer is initialized to 0, so there is no real leak of sensitive data. The Impact is Denial Of Service (DoS) through consumption of CPU resources or data exposure, though in both NodeJS v8 and v10 (shipped in Red Hat Software Collections and Red Hat Enterprise Linux 8) the data exposure cannot be triggered.
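The type confusion discussed in this report, shown as an added example that is not code from https-proxy-agent or from this bug: the function names and the JSON body are constructed for illustration. It contrasts the legacy `Buffer` constructor with a type-checked `Buffer.from` call.

```javascript
// Added illustration: legacyEncode and safeAuthHeader are hypothetical names,
// not functions from https-proxy-agent.

// Constructed request body: JSON lets the sender choose the type of "auth".
const CONSTRUCTED_BODY = '{"auth": 4096}';

// The pattern the advisory describes: the value reaches the legacy Buffer
// constructor unchecked. A string is copied, but a number is read as a size.
function legacyEncode(auth) {
  const buf = new Buffer(auth); // deprecated API, kept to show the behaviour
  return {
    bytes: buf.length,
    // true on Node.js >= 8, where new Buffer(size) is zero-filled
    zeroFilled: buf.every((b) => b === 0),
    header: 'Basic ' + buf.toString('base64'),
  };
}

// Hardened form: reject anything that is not a string, then use Buffer.from,
// which throws on a number rather than allocating.
function safeAuthHeader(auth) {
  if (typeof auth !== 'string') {
    throw new TypeError('proxy auth must be a "user:password" string');
  }
  return 'Basic ' + Buffer.from(auth, 'utf8').toString('base64');
}

// Runs both paths on the constructed body and reports what each one did.
function demo() {
  const { auth } = JSON.parse(CONSTRUCTED_BODY);
  const legacy = legacyEncode(auth);
  let rejected = false;
  try {
    safeAuthHeader(auth);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { type: typeof auth, bytes: legacy.bytes, zeroFilled: legacy.zeroFilled, rejected };
}

console.log(demo());
```

With a numeric value the encoded header grows with the number supplied, which is the resource-consumption path the impact assessment refers to.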
External References: https://www.npmjs.com/advisories/593
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-3739
Statement: This issue did not affect the versions of nodejs as shipped with Red Hat Enterprise Linux 8 as they already include the patched code. This issue did not affect the versions of rh-nodejs10-nodejs as shipped with Red Hat Software Collections 3 as they already include the patched code. Red Hat Quay uses nodejs-https-proxy-agent, but only as a development dependency; it is not used at runtime. Therefore we rated this issue as having a low impact for Red Hat Quay.