Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdnNm0tZmhxdi1oZzU2
Denial of Service in yar
Versions of yar prior to 2.2.0 are affected by a denial of service vulnerability related to an invalid encrypted session cookie value. When an invalid encrypted session cookie value is provided, the process will crash.
Recommendation
Update to version 2.2.0 or later.
Permalink: https://github.com/advisories/GHSA-gg6m-fhqv-hg56
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdnNm0tZmhxdi1oZzU2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 4 years ago
Updated: about 2 years ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-gg6m-fhqv-hg56, CVE-2014-4179
References:
- https://github.com/spumko/yar/issues/34
- https://www.npmjs.com/advisories/44
- https://nvd.nist.gov/vuln/detail/CVE-2014-4179
- https://github.com/advisories/GHSA-gg6m-fhqv-hg56
Blast Radius: 18.0
Affected Packages
npm:yar
Dependent packages: 38
Dependent repositories: 253
Downloads: 4,592 last month
Affected Version Ranges: < 2.2.0
Fixed in: 2.2.0
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 1.0.0, 1.1.0, 2.0.0, 2.1.0
All unaffected versions: 2.2.0, 2.3.1, 2.3.2, 2.4.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 4.0.0, 4.1.0, 4.2.0, 5.0.0, 5.0.1, 6.0.0, 7.0.0, 7.0.1, 7.0.2, 8.0.0, 8.1.0, 8.1.1, 8.1.2, 9.0.0, 9.0.1, 9.0.2, 9.1.0