Denial of Service in yar · CVE-2014-4179 · GitHub Advisory Database · GitHub

Denial of Service in yar

High severity GitHub Reviewed Published Sep 1, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

yar (npm)

Affected versions

< 2.2.0

Patched versions

2.2.0

Description

Versions of yar prior to 2.2.0 are affected by a denial of service vulnerability related to an invalid encrypted session cookie value.

When an invalid encryped session cookie value is provided, the process will crash.

Recommendation

Update to version 2.2.0 or later.

References

Reviewed Aug 31, 2020

Published to the GitHub Advisory Database Sep 1, 2020

Last updated Jan 9, 2023

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H