CVE-2024-22019

一、漏洞信息
漏洞编号：CVE-2024-22019
漏洞归属组件：hetu-core
漏洞归属的版本：0.193
CVSS V3.0分值：
BaseScore：7.5 High
Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
漏洞简述：
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.
漏洞公开时间：2024-02-20 10:15:50
漏洞创建时间：2024-02-20 12:45:13
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2024-22019

更多参考(点击展开)

参考来源	参考链接	来源链接
support.hackerone.com	http://www.openwall.com/lists/oss-security/2024/03/11/1
support.hackerone.com	https://hackerone.com/reports/2233486
support.hackerone.com	https://security.netapp.com/advisory/ntap-20240315-0004/
redhat_bugzilla	https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#reading-unprocessed-http-request-with-unbounded-chunk-extension-allows-dos-attacks-cve-2024-22019---high	https://bugzilla.redhat.com/show_bug.cgi?id=2264574
redhat_bugzilla	https://nodejs.org/en/blog/release/v18.19.1	https://bugzilla.redhat.com/show_bug.cgi?id=2264574
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1354	https://bugzilla.redhat.com/show_bug.cgi?id=2264574
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1424	https://bugzilla.redhat.com/show_bug.cgi?id=2264574
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1438	https://bugzilla.redhat.com/show_bug.cgi?id=2264574
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1444	https://bugzilla.redhat.com/show_bug.cgi?id=2264574
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1510	https://bugzilla.redhat.com/show_bug.cgi?id=2264574
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1678	https://bugzilla.redhat.com/show_bug.cgi?id=2264574
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1688	https://bugzilla.redhat.com/show_bug.cgi?id=2264574
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1687	https://bugzilla.redhat.com/show_bug.cgi?id=2264574
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1880	https://bugzilla.redhat.com/show_bug.cgi?id=2264574
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1932	https://bugzilla.redhat.com/show_bug.cgi?id=2264574
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:2651	https://bugzilla.redhat.com/show_bug.cgi?id=2264574
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:2793	https://bugzilla.redhat.com/show_bug.cgi?id=2264574
debian		https://security-tracker.debian.org/tracker/CVE-2024-22019
anolis		https://anas.openanolis.cn/cves/detail/CVE-2024-22019
nodejs	https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/	https://github.com/nodejs/security-wg/blob/main/vuln/core/135.json
cve_search		https://hackerone.com/reports/2233486
cve_search		https://security.netapp.com/advisory/ntap-20240315-0004/
mageia		http://advisories.mageia.org/MGASA-2024-0046.html
amazon_linux_explore	https://access.redhat.com/security/cve/CVE-2024-22019	https://explore.alas.aws.amazon.com/CVE-2024-22019.html
amazon_linux_explore	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22019	https://explore.alas.aws.amazon.com/CVE-2024-22019.html
snyk	https://github.com/nodejs/node/commit/6155a1ffaf	https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-6252328
snyk	https://github.com/nodejs/node/commit/77ac7c3153	https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-6252328
snyk	https://github.com/nodejs/node/commit/911cb33cda	https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-6252328
snyk	https://bugzilla.redhat.com/show_bug.cgi?id=2264574	https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-6252328
ubuntu	https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#reading-unprocessed-http-request-with-unbounded-chunk-extension-allows-dos-attacks-cve-2024-22019---high	https://ubuntu.com/security/CVE-2024-22019
ubuntu	https://www.cve.org/CVERecord?id=CVE-2024-22019	https://ubuntu.com/security/CVE-2024-22019
ubuntu	https://nvd.nist.gov/vuln/detail/CVE-2024-22019	https://ubuntu.com/security/CVE-2024-22019
ubuntu	https://launchpad.net/bugs/cve/CVE-2024-22019	https://ubuntu.com/security/CVE-2024-22019
ubuntu	https://security-tracker.debian.org/tracker/CVE-2024-22019	https://ubuntu.com/security/CVE-2024-22019
ubuntu	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064055	https://ubuntu.com/security/CVE-2024-22019
ubuntu	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22019	https://ubuntu.com/security/CVE-2024-22019

漏洞分析指导链接：
https://gitee.com/openlookeng/community/blob/master/security/cve/doc/md/manual.md
漏洞数据来源:
其它
漏洞补丁信息：

详情(点击展开)

影响的包	修复版本	修复补丁	问题引入补丁	来源
		https://github.com/nodejs/node/commit/6155a1ffaf		snyk
		https://github.com/nodejs/node/commit/77ac7c3153		snyk
		https://github.com/nodejs/node/commit/911cb33cda		snyk

二、漏洞分析结构反馈
影响性分析说明：

openLooKeng评分：
7.5
Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
受影响版本排查(受影响/不受影响)：
1.1.9.0:
2.master:

@tushengxia
issue处理注意事项:
1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;
2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;
3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, openLooKeng评分, 受影响版本排查(受影响/不受影响))不能省略,省略后cve-manager将无法正常解析填写内容.

影响性分析说明:

openLooKeng评分: (评分和向量)

受影响版本排查(受影响/不受影响):
1.1.9.0:
2.master:

issue处理具体操作请参考:
https://gitee.com/openlookeng/community/blob/master/security/cve/doc/md/manual.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

@majun-bot , Please select a milestone for the issue. Then, you can use the /check-milestone command to remove the needs-milestone label.

openLooKeng / hetu-core

内容风险标识

评论 (2)

openLooKeng / hetu-core .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2024-22019

评论 (2)

搜索帮助

openLooKeng / hetu-core