Description
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| node-fetch | node-fetch | affected |
|
Configuration 1 [-]
|
| Package | CPE | Advisory | Released Date |
|---|---|---|---|
| Red Hat Advanced Cluster Management for Kubernetes 2 | |||
| acmesolver-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| acm-must-gather-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| acm-operator-bundle-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| application-ui-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| cainjector-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| cert-manager-controller-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| cert-manager-webhook-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| cert-policy-controller-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| clusterlifecycle-state-metrics-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| configmap-watcher-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| config-policy-controller-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| console-api-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| console-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| console-header-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| console-ui-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| endpoint-component-operator-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| endpoint-monitoring-operator-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| endpoint-operator-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| governance-policy-propagator-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| governance-policy-spec-sync-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| governance-policy-status-sync-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| governance-policy-template-sync-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| grafana-dashboard-loader-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| grc-ui-api-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| grc-ui-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| iam-policy-controller-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| klusterlet-addon-lease-controller-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| klusterlet-operator-bundle-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| kui-web-terminal-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| management-ingress-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| mcm-topology-api-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| mcm-topology-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| memcached-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| memcached-exporter-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| metrics-collector-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| multicloud-manager-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| multiclusterhub-operator-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| multiclusterhub-repo-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| multicluster-observability-operator-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| multicluster-operators-application-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| multicluster-operators-channel-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| multicluster-operators-deployable-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| multicluster-operators-placementrule-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| multicluster-operators-subscription-operator-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| multicluster-operators-subscription-release-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| observatorium-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| observatorium-operator-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| openshift-hive-operator-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| rbac-query-proxy-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| rcm-controller-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| redisgraph-tls-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| registration-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| registration-operator-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| search-aggregator-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| search-api-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| search-collector-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| search-operator-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| search-ui-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| submariner-addon-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| thanos-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| thanos-receive-controller-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
| work-container | cpe:/a:redhat:acm:2.2::el7 | RHEA-2021:0729 | 2021-03-04T00:00:00Z |
No data available yet.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2020-1335 | node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing. |
 Github GHSA |
GHSA-w7rc-rwvf-8q5r | The `size` option isn't honored after following a redirect in node-fetch |
References
History
Sun, 08 Sep 2024 18:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Redhat
Redhat acm |
|
| CPEs | cpe:/a:redhat:acm:2.2::el7 | |
| Vendors & Products |
Redhat
Redhat acm |
Mon, 19 Aug 2024 22:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:/a:redhat:acm:2.2::el8 |
|
| Vendors & Products |
Redhat
Redhat acm |
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2024-08-04T13:08:22.463Z
Reserved: 2020-06-25T00:00:00.000Z
Link: CVE-2020-15168
Vulnrichment
No data.
NVD
Status : Modified
Published: 2020-09-10T19:15:13.490
Modified: 2024-11-21T05:04:59.510
Link: CVE-2020-15168
Redhat
OpenCVE Enrichment
No data.