MGASA-2023-0053

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2023-0053.html

Import Source

https://advisories.mageia.org/MGASA-2023-0053.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2023-0053

Related

CVE-2022-24999

Published

2023-02-20T21:25:36Z

Modified

2023-02-20T20:19:02Z

Summary

Updated nodejs-qs packages fix security vulnerability

Details

nodejs qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an _ proto_ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. (CVE-2022-24999)

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:8 / nodejs-qs

Package

Name: nodejs-qs
Purl: pkg:rpm/mageia/nodejs-qs?distro=mageia-8

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.5.3-1.mga8

Ecosystem specific

{
    "section": "core"
}