Home

CVE-2018-7158

Description

The path module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, splitPathRe, used within the path module for the various path parsing functions, including path.dirname(), path.extname() and path.parse() was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service.

Risk Information

Base Score
7.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Exploitation Probability
1.772

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2018-0739,CVE-2018-7160,CVE-2018-7158,CVE-2018-7159 are fixed in Node.js 10 (10.24.1)Windows
Vulnerabilities CVE-2018-0739,CVE-2018-7160,CVE-2018-7158,CVE-2018-7159 are fixed in Node.js 16 (x64) (16.14.0)Windows
Vulnerabilities CVE-2018-0739,CVE-2018-7160,CVE-2018-7158,CVE-2018-7159 are fixed in Node.js 16 (16.14.0)Windows
Vulnerabilities CVE-2018-0739,CVE-2018-7160,CVE-2018-7158,CVE-2018-7159 are fixed in Node.js 8 8.11.0Windows
Vulnerabilities CVE-2018-0739,CVE-2018-7160,CVE-2018-7158,CVE-2018-7159 are fixed in Node.js 8 (x64) 8.11.0Windows
Vulnerabilities CVE-2018-0739,CVE-2018-7160,CVE-2018-7158,CVE-2018-7159 are fixed in Node.js 9.10.0Windows
Vulnerabilities CVE-2018-0739,CVE-2018-7160,CVE-2018-7158,CVE-2018-7159 are fixed in Node.js 4.9.0Windows
Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.0Windows

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-319042Node.js 10 (10.24.1)
PATCH-332182Node.js 16 (x64) (16.20.2)
PATCH-332181Node.js 16 (16.20.2)
PATCH-319042Node.js 10 (10.24.1)
PATCH-319042Node.js 10 (10.24.1)

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234