CVE-2022-25231

The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) by sending a specifically crafted OPC UA message with a special OPC UA NodeID, when the requested memory allocation exceeds the v8’s memory limit.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/node-opcua/node-opcua/commit/7b5044b3f5866fbedc3efabd05e407352c07bd2f	Patch Third Party Advisory
https://github.com/node-opcua/node-opcua/pull/1182	Patch Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-NODEOPCUA-2988724	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:node-opcua_project:node-opcua:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2022-08-23 05:15

Updated : 2022-08-26 13:01

NVD link : CVE-2022-25231

Mitre link : CVE-2022-25231

CVE.ORG link : CVE-2022-25231

JSON object : View

Products Affected

node-opcua_project

node-opcua

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2022-25231", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-08-23T05:15:07.873", "references": [{"url": "https://github.com/node-opcua/node-opcua/commit/7b5044b3f5866fbedc3efabd05e407352c07bd2f", "tags": ["Patch", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://github.com/node-opcua/node-opcua/pull/1182", "tags": ["Patch", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-NODEOPCUA-2988724", "tags": ["Third Party Advisory"], "source": "report@snyk.io"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) by sending a specifically crafted OPC UA message with a special OPC UA NodeID, when the requested memory allocation exceeds the v8\u2019s memory limit."}, {"lang": "es", "value": "El paquete node-opcua versiones anteriores a 2.74.0, es vulnerable a una Denegaci\u00f3n de Servicio (DoS) mediante el env\u00edo de un mensaje OPC UA espec\u00edficamente dise\u00f1ado con un NodeID OPC UA especial, cuando la asignaci\u00f3n de memoria solicitada excede el l\u00edmite de memoria de v8."}], "lastModified": "2022-08-26T13:01:18.860", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:node-opcua_project:node-opcua:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "900AECE1-5AD5-4065-AE88-E02D6885B83C", "versionEndExcluding": "2.74.0"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}