Vulnerabilities > CVE-2014-10064 - Resource Management Errors vulnerability in QS Project QS

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

qs-project

CWE-399

NVD

Published: 2018-05-31

Updated: 2019-10-09

Summary

The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.

Vulnerable Configurations

Part	Description	Count
Application	Qs_Project QS Project QS 0.0.1 QS Project QS 0.0.2 QS Project QS 0.0.3 QS Project QS 0.0.4 QS Project QS 0.0.5 QS Project QS 0.0.6 QS Project QS 0.0.7 QS Project QS 0.1.0 QS Project QS 0.2.0 QS Project QS 0.3.0 QS Project QS 0.3.1 QS Project QS 0.3.2 QS Project QS 0.4.0 QS Project QS 0.4.1 QS Project QS 0.4.2 QS Project QS 0.5.0 QS Project QS 0.5.1 QS Project QS 0.5.2 QS Project QS 0.5.3 QS Project QS 0.5.4 QS Project QS 0.5.5 QS Project QS 0.5.6 QS Project QS 0.6.0 QS Project QS 0.6.1 QS Project QS 0.6.2 QS Project QS 0.6.3 QS Project QS 0.6.4 QS Project QS 0.6.5 QS Project QS 0.6.6	29

Common Weakness Enumeration (CWE)

CWE-399 - Resource Management Errors

References

https://nodesecurity.io/advisories/28