diff --git a/advisories/github-reviewed/2023/05/GHSA-mj6p-3pc9-wf5m/GHSA-mj6p-3pc9-wf5m.json b/advisories/github-reviewed/2023/05/GHSA-mj6p-3pc9-wf5m/GHSA-mj6p-3pc9-wf5m.json index 1862ac94360fa..eb9cdad7802e8 100644 --- a/advisories/github-reviewed/2023/05/GHSA-mj6p-3pc9-wf5m/GHSA-mj6p-3pc9-wf5m.json +++ b/advisories/github-reviewed/2023/05/GHSA-mj6p-3pc9-wf5m/GHSA-mj6p-3pc9-wf5m.json 
@@ -1,64 +1,78 @@
 {
- "schema_version": "1.4.0",
- "id": "GHSA-mj6p-3pc9-wf5m",
- "modified": "2023-06-06T01:52:50Z",
- "published": "2023-05-30T18:30:23Z",
- "aliases": [
- "CVE-2023-2968"
- ],
- "summary": "proxy denial of service vulnerability",
- "details": "A remote attacker can trigger a denial of service in the `socket.remoteAddress` variable, by sending a crafted HTTP request. Usage of the undefined variable raises a TypeError exception.\n\n",
- "severity": [],
- "affected": [
- {
- "package": {
- "ecosystem": "npm",
- "name": "proxy"
- },
- "ranges": [
+ "schema_version": "1.4.0",
+ "id": "GHSA-mj6p-3pc9-wf5m",
+ "modified": "2026-05-06T00:00:00Z",
+ "published": "2023-05-30T18:30:23Z",
+ "aliases": [
+ "CVE-2023-2968"
+ ],
+ "summary": "proxy denial of service vulnerability",
+ "details": "A remote attacker can trigger a denial of service in the `proxy` package by sending a crafted HTTP request that causes `socket.remoteAddress` to be `undefined`. When this undefined value is consumed without a null check, a `TypeError` exception is raised, crashing the proxy server process.\n\nThe vulnerable code path in versions >= 2.0.0, < 2.1.1 reads `socket.remoteAddress` directly without guarding against the case where the socket has already been destroyed or the remote address is unavailable. An attacker with the ability to send a specially crafted HTTP request can exploit this to take down the proxy server.\n\nThe issue was fixed in version 2.1.1 by adding a guard that checks `socket.remoteAddress` before use.",
+ "severity": [
 {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "2.0.0"
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "proxy"
 },
- {
- "fixed": "2.1.1"
- }
- ]
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.0.0"
+ },
+ {
+ "fixed": "2.1.1"
+ }
+ ]
+ }
+ ]
 }
- ]
- }
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2968"
- },
- {
- "type": "WEB",
- "url": "https://github.com/TooTallNate/proxy-agents/pull/178"
- },
- {
- "type": "WEB",
- "url": "https://github.com/TooTallNate/proxy-agents/commit/25e0c931390eb8f41c5ceaca72820de9198ece39"
- },
- {
- "type": "PACKAGE",
- "url": "https://github.com/TooTallNate/proxy-agents"
- },
- {
- "type": "WEB",
- "url": "https://research.jfrog.com/vulnerabilities/undefined-variable-usage-in-proxy-leads-to-remote-denial-of-service-xray-520917"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-232" ],
- "severity": "MODERATE",
- "github_reviewed": true,
- "github_reviewed_at": "2023-06-06T01:52:50Z",
- "nvd_published_at": "2023-05-30T18:15:09Z"
- }
-}
\ No newline at end of file
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2968"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/TooTallNate/proxy-agents/pull/178"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/TooTallNate/proxy-agents/commit/25e0c931390eb8f41c5ceaca72820de9198ece39"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/TooTallNate/proxy-agents"
+ },
+ {
+ "type": "WEB",
+ "url": "https://research.jfrog.com/vulnerabilities/undefined-variable-usage-in-proxy-leads-to-remote-denial-of-service-xray-520917"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Cutter Bruce",
+ "contact": [
+ "https://github.com/TheeCryptoChad"
+ ],
+ "type": "ANALYST"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-232" ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-06-06T01:52:50Z",
+ "nvd_published_at": "2023-05-30T18:15:09Z"
+ }
+}
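Review bot: The severity is re-rated from MODERATE to HIGH and a CVSS v3.1 vector is added, and `modified` is bumped to 2026-05-06, yet `github_reviewed_at` on the new side still reads `2023-06-06T01:52:50Z`, so the record asserts a 2023 review for a rating that did not exist in 2023; set it to the re-review date, e.g. `"github_reviewed_at": "2026-05-06T00:00:00Z"`, and consider letting tooling stamp `modified` rather than the hand-looking exact-midnight value. The vector `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` evaluates to 7.5, which is consistent with HIGH, but the commit should say where it came from (NVD's record for CVE-2023-2968 is the obvious candidate) so the re-rating is auditable. The rewritten `details` hard-codes ">= 2.0.0, < 2.1.1", duplicating the `affected.ranges` events and creating a second place to edit if the range is ever corrected; prefer "in affected versions" in the prose and let the structured range carry the versions. The added cause "the socket has already been destroyed" is plausible for `socket.remoteAddress` being undefined but is not established by anything visible in this diff, so it should be confirmed against the linked JFrog write-up or hedged.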