{"id": "CVE-2021-29486", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2021-04-30T18:15:07.530", "references": [{"url": "https://github.com/DrPaulBrewer/cumulative-distribution-function/issues/7", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/DrPaulBrewer/cumulative-distribution-function/pull/8", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": 
"https://github.com/DrPaulBrewer/cumulative-distribution-function/security/advisories/GHSA-58qp-5328-v7mh", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.npmjs.com/package/cumulative-distribution-function", "tags": ["Product", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/DrPaulBrewer/cumulative-distribution-function/issues/7", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/DrPaulBrewer/cumulative-distribution-function/pull/8", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/DrPaulBrewer/cumulative-distribution-function/security/advisories/GHSA-58qp-5328-v7mh", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.npmjs.com/package/cumulative-distribution-function", "tags": ["Product", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-835"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "cumulative-distribution-function is an open source npm library used which calculates statistical cumulative distribution function from data array of x values. In versions prior to 2.0.0 apps using this library on improper data may crash or go into an infinite-loop. In the case of a nodejs server-app using this library to act on invalid non-numeric data, the nodejs server may crash. This may affect other users of this server and/or require the server to be rebooted for proper operation. 
In the case of a browser app using this library to act on invalid non-numeric data, that browser may crash or lock up. A flaw enabling an infinite-loop was discovered in the code for evaluating the cumulative-distribution-function of input data. Although the documentation explains that numeric data is required, some users may confuse an array of strings like [\"1\",\"2\",\"3\",\"4\",\"5\"] for numeric data [1,2,3,4,5] when it is in fact string data. An infinite loop is possible when the cumulative-distribution-function is evaluated for a given point when the input data is string data rather than type `number`. This vulnerability enables an infinite-cpu-loop denial-of-service-attack on any app using npm:cumulative-distribution-function v1.0.3 or earlier if the attacker can supply malformed data to the library. The vulnerability could also manifest if a data source to be analyzed changes data type from Arrays of number (proper) to Arrays of string (invalid, but undetected by earlier version of the library). Users should upgrade to at least v2.0.0, or the latest version. Tests for several types of invalid data have been created, and version 2.0.0 has been tested to reject this invalid data by throwing a `TypeError()` instead of processing it. Developers using this library may wish to adjust their app's code slightly to better tolerate or handle this TypeError. Apps performing proper numeric data validation before sending data to this library should be mostly unaffected by this patch. The vulnerability can be mitigated in older versions by ensuring that only finite numeric data of type `Array[number]` or `number` is passed to `cumulative-distribution-function` and its `f(x)` function, respectively."}, {"lang": "es", "value": "cumulative-distribution-function es una biblioteca npm de c\u00f3digo abierto usada que calcula la funci\u00f3n statistical cumulative distribution a partir de una matriz de datos de valores x. 
En versiones anteriores a la 2.0.0, las aplicaciones que utilizan esta biblioteca con datos malformados pueden presentar un fallo o entrar en un bucle infinito. En el caso de una aplicaci\u00f3n de servidor de nodejs que use esta biblioteca para actuar sobre datos no num\u00e9ricos no v\u00e1lidos, el servidor de nodejs puede bloquearse. Esto puede afectar a otros usuarios de este servidor y/o requerir que el servidor sea reiniciado para que funcione apropiadamente. En el caso de una aplicaci\u00f3n de navegador que utilice esta biblioteca para actuar sobre datos no num\u00e9ricos no v\u00e1lidos, ese navegador puede bloquearse o suspenderse. Se detect\u00f3 un fallo que permite un bucle infinito en el c\u00f3digo para evaluar la cumulative-distribution-function de los datos de la entrada. Aunque la documentaci\u00f3n explica que se requieren datos num\u00e9ricos, algunos usuarios pueden confundir una matriz de cadenas como [\"1\",\"2\",\"3\",\"4\",\"5\"] para datos num\u00e9ricos [1,2,3,4,5] cuando es en efecto una cadena de datos. Un bucle infinito es posible cuando la cumulative-distribution-function es evaluada para un punto espec\u00edfico cuando el dato de la entrada es una cadena de datos en vez de un tipo \u201cnumber\u201d. Esta vulnerabilidad habilita un ataque de denegaci\u00f3n de servicio en el bucle cpu infinito en cualquier aplicaci\u00f3n que utilice npm: cumulative-distribution-function versiones v1.0.3 o anteriores si el atacante puede suministrar datos malformados a la biblioteca. La vulnerabilidad tambi\u00e9n podr\u00eda manifestarse si una fuente de datos a analizar cambia el tipo de datos de Matrices de n\u00fameros (propiamente dichos) a Matrices de cadenas (no v\u00e1lidas, pero no detectadas por una versi\u00f3n anterior de la biblioteca). Los usuarios deben actualizar al menos a la versi\u00f3n v2.0.0 o la \u00faltima versi\u00f3n. 
Se han creado pruebas para varios tipos de datos no v\u00e1lidos, y se ha probado la versi\u00f3n 2.0.0 para rechazar estos datos no v\u00e1lidos lanzando un \u201cTypebug()\u201d en lugar de procesarlos. Los desarrolladores que utilizan esta biblioteca pueden desear ajustar ligeramente el c\u00f3digo de su aplicaci\u00f3n para tolerar o manejar mejor este Typebug. Las aplicaciones que llevan a cabo una comprobaci\u00f3n de datos num\u00e9rica apropiada antes de enviar datos a esta biblioteca no deber\u00edan estar afectadas en su mayor\u00eda por este parche. La vulnerabilidad puede ser mitigada en versiones anteriores asegur\u00e1ndose de que solo se pasen datos num\u00e9ricos finitos de tipo \u201cArray[number]\u201d o \u201cnumber\u201d a la \"cumulative-distribution-function\" y su funci\u00f3n f(x), respectivamente."}], "lastModified": "2024-11-21T06:01:14.300", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cumulative-distribution-function_project:cumulative-distribution-function:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "5AA93801-1297-4AA6-90FB-F655A0E459E3", "versionEndExcluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}