Bug 1588833 (CVE-2017-16026) - CVE-2017-16026 nodejs-request: Remote Memory Exposure when a multipart request is made
Summary: CVE-2017-16026 nodejs-request: Remote Memory Exposure when a multipart reques...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-16026
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1588834 1588835 1588836
Blocks: 1588837
TreeView+ depends on / blocked
 
Reported: 2018-06-07 23:21 UTC by Laura Pardo
Modified: 2020-11-05 10:32 UTC (History)
22 users (show)

Fixed In Version: nodejs-request 2.68.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:28:24 UTC
Embargoed:

Attachments (Terms of Use)

Description Laura Pardo 2018-06-07 23:21:07 UTC 
A flaw was found in Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0. Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of body is number, then a buffer of that size will be allocated and sent to the remote server as the body.


References:
https://github.com/request/request/issues/1904
https://nodesecurity.io/advisories/309

Patch:
https://github.com/request/request/pull/2018
Comment 1 Laura Pardo 2018-06-07 23:21:39 UTC 
Created nodejs-request tracking bugs for this issue:

Affects: epel-all [bug 1588834]
Affects: fedora-all [bug 1588836]
Comment 3 Pedro Yóssis Silva Barbosa 2018-06-13 15:15:04 UTC 
The current version (2.75.0) of request shipped in Red Hat Software Collections is not affected.
Note You need to log in before you can comment on or make changes to this bug.