CVE-2014-7191: Medium severity IBM Security Verify Governance - Identity Manager vulnerability
Node.js is vulnerable to a denial of service, caused by an error in the qs module when parsing a string representing a deeply nested object. An attacker could exploit this vulnerability to block the event loop for an extended period of time and cause a denial of service.
Other sources
The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
— MITRE
The qs module has the ability to create sparse arrays during parsing. By specifying a high index it is possible to create a large array that will eventually take up all the allocated memory of the running process, resulting in a crash.
More information: https://github.com/visionmedia/node-querystring/issues/104
CVE request: http://seclists.org/oss-sec/2014/q3/640
— Red Hat
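The sparse-array behaviour described in the MITRE and Red Hat entries above, shown as an added example (constructed code, not taken from the qs module or from IBM): a naive bracket-index parser next to one that caps the index and compacts the result. The function names, the `ARRAY_LIMIT` value, the policy of keeping over-limit parameters as literal keys, and the sample query are assumptions of this example.

```javascript
// Added example: constructed parsers, not code from the qs module.
const ARRAY_LIMIT = 20; // assumed cap on accepted numeric indices
const INDEXED_KEY = /^([^\[\]]+)\[(\d+)\]$/; // matches name[123]

// Naive: writes to whatever index the request names, so one parameter
// with a large index stretches the array and leaves holes behind.
function parseNaive(query) {
  const out = Object.create(null); // no prototype, so "__proto__" is just a key
  for (const [key, value] of new URLSearchParams(query)) {
    const m = INDEXED_KEY.exec(key);
    if (!m) { out[key] = value; continue; }
    if (!Array.isArray(out[m[1]])) out[m[1]] = [];
    out[m[1]][Number(m[2])] = value;
  }
  return out;
}

// Hardened: indices above the cap never become array positions, and the
// accepted ones are compacted into a dense array ordered by index.
function parseHardened(query, arrayLimit = ARRAY_LIMIT) {
  const out = Object.create(null);
  const slots = new Map(); // name -> Map(index -> value)
  for (const [key, value] of new URLSearchParams(query)) {
    const m = INDEXED_KEY.exec(key);
    const index = m ? Number(m[2]) : NaN;
    if (!m || index > arrayLimit) { out[key] = value; continue; } // kept as a literal key
    if (!slots.has(m[1])) slots.set(m[1], new Map());
    slots.get(m[1]).set(index, value);
  }
  for (const [name, byIndex] of slots) {
    out[name] = [...byIndex.entries()].sort((a, b) => a[0] - b[0]).map(([, v]) => v);
  }
  return out;
}

// Constructed sample input: one ordinary array and one with a large index.
const SAMPLE = 'a[0]=x&a[1000000]=y&b[2]=q&b[0]=p';
const naive = parseNaive(SAMPLE);
const hardened = parseHardened(SAMPLE);
console.log(naive.a.length, Object.keys(naive.a).length); // reported length vs. real entries
console.log(hardened.a, hardened['a[1000000]'], hardened.b);
```

The gap between an array's reported length and its number of real entries is the condition a request-parsing layer can check for before handing parsed parameters to application code.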
Frequently Asked Questions
What is CVE-2014-7191?
CVE-2014-7191 is a vulnerability in Node.js that can be exploited to cause a denial of service.
How does CVE-2014-7191 affect IBM Security Verify Governance?
IBM Security Verify Governance version 10.0 is affected by CVE-2014-7191.
What is the severity of CVE-2014-7191?
CVE-2014-7191 has a severity level of medium.
How can CVE-2014-7191 be exploited?
An attacker can exploit CVE-2014-7191 by submitting a string representing a deeply nested object for the qs module to parse, causing a denial of service.
Is there a fix available for CVE-2014-7191?
No specific fix information is available for CVE-2014-7191. Please refer to the IBM Security Verify Governance documentation and support channels for updates and patches.