
Sid 1-37028

Message

PROTOCOL-OTHER Websocket upgrade request without a client key detected

Summary

Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request.

Impact


CVE-2015-8027:

CVSS base score 7.5

CVSS impact score 3.6

CVSS exploitability score 3.9

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Detailed information

CVE-2015-8027: Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request.
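The rule message above fires on a WebSocket upgrade request that carries no client key. As an added illustration of that check (not the Talos rule source and not Node.js code), the following Python inspects raw HTTP request heads, including several pipelined into one buffer as the summary describes, and reports any request whose Upgrade header names websocket but whose Sec-WebSocket-Key header is absent or not the base64 encoding of 16 bytes that RFC 6455 requires. The function names and the sample requests are constructed for this example; real handshakes carry no body, so the pipelined split assumes none.

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple


def parse_head(head: bytes) -> Tuple[str, Dict[str, str]]:
    """Parse one HTTP request head (request line plus headers, no body).
    Header names are lower-cased because HTTP header names are case-insensitive."""
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0] if lines else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def split_pipelined(buf: bytes) -> List[bytes]:
    """Split a buffer holding one or more pipelined request heads.
    Assumption for this example: the requests carry no bodies (true of WebSocket
    handshakes), so each head ends at the first blank line."""
    return [h for h in buf.split(b"\r\n\r\n") if h.strip()]


def websocket_key_problem(headers: Dict[str, str]) -> Optional[str]:
    """Return None when the request is not a WebSocket upgrade attempt or carries a
    well-formed client key; otherwise "missing" or "malformed"."""
    if "websocket" not in headers.get("upgrade", "").lower():
        return None  # not an upgrade attempt, so outside the scope of this rule
    key = headers.get("sec-websocket-key")
    if not key:
        return "missing"
    # RFC 6455 section 4.1: the key is the base64 encoding of 16 random bytes.
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            return "malformed"
    except binascii.Error:
        return "malformed"
    return None


def scan_buffer(buf: bytes) -> List[Tuple[str, str]]:
    """Inspect every request head in buf and return (request line, reason) for
    each WebSocket upgrade attempt whose client key is absent or malformed."""
    findings: List[Tuple[str, str]] = []
    for head in split_pipelined(buf):
        request_line, headers = parse_head(head)
        reason = websocket_key_problem(headers)
        if reason is not None:
            findings.append((request_line, reason))
    return findings


# Constructed sample traffic: a compliant handshake (key taken from the RFC 6455
# example) and a pipelined pair whose second request omits the key.
SAMPLE_OK = (b"GET /chat HTTP/1.1\r\nHost: example.test\r\nUpgrade: websocket\r\n"
             b"Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
             b"Sec-WebSocket-Version: 13\r\n\r\n")
SAMPLE_PIPELINED = (b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
                    b"GET /chat HTTP/1.1\r\nHost: example.test\r\nUpgrade: WebSocket\r\n"
                    b"Connection: Upgrade\r\nSec-WebSocket-Version: 13\r\n\r\n")

if __name__ == "__main__":
    for label, buf in (("ok", SAMPLE_OK), ("pipelined", SAMPLE_PIPELINED)):
        print(label, scan_buffer(buf))
```

Flagging on the Upgrade header alone, rather than also requiring Connection: Upgrade, is a deliberate choice for a detection check: a request that is non-compliant in one more way should not slip past the rule. A server-side equivalent is to reject upgrade requests failing the same key test before handing the socket to any WebSocket handler.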

Affected systems

  • nodejs node.js 0.12.0
  • nodejs node.js 0.12.1
  • nodejs node.js 0.12.2
  • nodejs node.js 0.12.3
  • nodejs node.js 0.12.4
  • nodejs node.js 0.12.5
  • nodejs node.js 0.12.6
  • nodejs node.js 0.12.7
  • nodejs node.js 0.12.8
  • nodejs node.js 4.2.0
  • nodejs node.js 4.2.1
  • nodejs node.js 4.2.2
  • nodejs node.js 5.0.0
  • nodejs node.js 5.1.0

Ease of attack

CVE-2015-8027:

Access Vector

Access Complexity

Authentication

False positives

None known

False negatives

None known

Corrective action

Upgrade to the latest non-affected version of the software.

Apply the appropriate vendor supplied patches.

Contributors

  • Talos research team.
  • This document was generated from data supplied by the National Vulnerability Database, a product of the National Institute of Standards and Technology.
  • For more information see NVD.

Additional References