VDB
CVE-2018-3739
CVE-2018-3739
PUBLISHED
CVSS 9.100000381469727 CRITICAL
https-proxy-agent before 2.1.1 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).
EPSS 0.43% · 63.0th percentile
Risk Scores
CVSS v3.0
9.100000381469727
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS Score
0.43%
63.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| HackerOne | https-proxy-agent node module | Versions before 2.1.1 |
| npm | https-proxy-agent | 0 |
| https-proxy-agent_project | https-proxy-agent | 0 |
Timeline
- Jun 7, 2018 CVE Published
- Oct 9, 2019 CVE Updated
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 27, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 2, 2022 EPSS Score
- Nov 5, 2022 EPSS Score
- Jan 7, 2023 EPSS Score
References
- https://hackerone.com/reports/319532 url
- https://nvd.nist.gov/vuln/detail/CVE-2018-3736 advisory
- https://github.com/TooTallNate/node-https-proxy-agent/commit/1c24219df87524e6ed973127e81f30801d658f07 url
- https://github.com/TooTallNate/node-https-proxy-agent package
- https://github.com/advisories/GHSA-8g7p-74h8-hg48 advisory
- https://www.npmjs.com/advisories/593 url