Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No CVE - medium detected in tunnel-agent #222

Closed
github-actions bot opened this issue May 11, 2022 · 1 comment
Closed

No CVE - medium detected in tunnel-agent #222

github-actions bot opened this issue May 11, 2022 · 1 comment

Comments

@github-actions
Copy link

Package Name: tunnel-agent
Package Version: ['0.4.3']
Package Manager: npm
Target File: package.json
Severity Level: medium
Snyk ID: npm:tunnel-agent:20170305
Snyk CVE: No CVE
Snyk CWE: CWE-201
Link to issue in Snyk: https://app.snyk.io/org/rhicksiii91/project/93ddcac2-4d2c-43e7-b383-b47b30846d11

Snyk Description: ## Overview
tunnel-agent is HTTP proxy tunneling agent. Affected versions of the package are vulnerable to Uninitialized Memory Exposure.

A possible memory disclosure vulnerability exists when a value of type number is used to set the proxy.auth option of a request request and results in a possible uninitialized memory exposures in the request body.

This is a result of unobstructed use of the Buffer constructor, whose insecure default constructor increases the odds of memory leakage.

Details

Constructing a Buffer class with integer N creates a Buffer of length N with raw (not "zero-ed") memory.

In the following example, the first call would allocate 100 bytes of memory, while the second example will allocate the memory needed for the string "100":

// uninitialized Buffer of length 100
x = new Buffer(100);
// initialized Buffer with value of '100'
x = new Buffer('100');

tunnel-agent's request construction uses the default Buffer constructor as-is, making it easy to append uninitialized memory to an existing list. If the value of the buffer list is exposed to users, it may expose raw server side memory, potentially holding secrets, private data and code. This is a similar vulnerability to the infamous Heartbleed flaw in OpenSSL.

Proof of concept by ChALkeR

require('request')({
  method: 'GET',
  uri: 'http://www.example.com',
  tunnel: true,
  proxy:{
      protocol: 'http:',
      host:"127.0.0.1",
      port:8080,
      auth:80
  }
});

You can read more about the insecure Buffer behavior on our blog.

Similar vulnerabilities were discovered in request, mongoose, ws and sequelize.

Remediation

Upgrade tunnel-agent to version 0.6.0 or higher.
Note This is vulnerable only for Node <=4

References
@snyk-bot snyk-bot mentioned this issue May 13, 2022
Closed
@snyk-bot snyk-bot mentioned this issue Jun 24, 2022
Closed
@github-actions github-actions bot closed this as completed Aug 1, 2022
@github-actions
Copy link
Author

github-actions bot commented Aug 1, 2022

auto-closed by snyk_scm_issues_to_gh_issues
reason: snyk project no longer exists

@rhicksiii91 rhicksiii91 mentioned this issue Sep 22, 2022
Closed
This was referenced Sep 24, 2022
Closed
Closed
@rhicksiii91 rhicksiii91 mentioned this issue Sep 25, 2022
Closed
This was referenced Sep 26, 2022
Closed
Closed
This was referenced Sep 29, 2022
Closed
Closed
Closed
This was referenced Oct 3, 2022
Closed
Closed
This was referenced Oct 5, 2022
Closed
Closed
Closed
Closed
@snyk-bot snyk-bot mentioned this issue Oct 7, 2022
Closed
@rhicksiii91 rhicksiii91 mentioned this issue Oct 8, 2022
Closed
This was referenced Jan 27, 2023
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants