Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXY2Y2otcjg4cC05MnJt
Buffer Overflow in centra
Denial of Service
Impact
Affected Centra versions will, when not in stream mode, buffer responses to requests into memory with no size limit. This issue affects anyone requesting content from untrusted sources.
Patches
Version 2.4.0 resolves the issue by limiting the size of buffered response body.
Workarounds
Attempting workarounds isn't recommended. Updating is preferred.
For more information
If you have any questions or comments about this advisory, open an issue in ethanent/centra.
Permalink: https://github.com/advisories/GHSA-v6cj-r88p-92rmJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXY2Y2otcjg4cC05MnJt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 4 years ago
Updated: over 1 year ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-v6cj-r88p-92rm
References:
- https://github.com/ethanent/centra/security/advisories/GHSA-v6cj-r88p-92rm
- https://github.com/advisories/GHSA-v6cj-r88p-92rm
- https://snyk.io/vuln/SNYK-JS-CENTRA-536073
Blast Radius: 24.3
Affected Packages
npm:centra
Dependent packages: 62Dependent repositories: 2,108
Downloads: 773,262 last month
Affected Version Ranges: < 2.4.0
Fixed in: 2.4.0
All affected versions: 1.0.0, 1.0.1, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.3.0
All unaffected versions: 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.6.0, 2.7.0