Vulnerability-Lookup

CNVD-2021-47661

Vulnerability from cnvd - Published: 2021-07-05

Title

cumulative-distribution-function存在未明漏洞

Description

cumulative-distribution-function是一个应用软件。从x值的数据数组计算统计累积分布函数。 cumulative-distribution-function 2.0.0之前版本存在安全漏洞，该漏洞源于应用程序在不正确的数据上使用这个库可能会崩溃或进入无限循环。攻击者可利用该漏洞造成拒绝服务。

Severity

中

Patch Name

cumulative-distribution-function存在未明漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/DrPaulBrewer/cumulative-distribution-function/security/advisories/GHSA-58qp-5328-v7mh

Reference

https://github.com/DrPaulBrewer/cumulative-distribution-function/issues/7

Impacted products

Name
cumulative-distribution-function cumulative-distribution-function <2.0.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-29486",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-29486"
    }
  },
  "description": "cumulative-distribution-function\u662f\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u4ecex\u503c\u7684\u6570\u636e\u6570\u7ec4\u8ba1\u7b97\u7edf\u8ba1\u7d2f\u79ef\u5206\u5e03\u51fd\u6570\u3002\n\ncumulative-distribution-function 2.0.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u7a0b\u5e8f\u5728\u4e0d\u6b63\u786e\u7684\u6570\u636e\u4e0a\u4f7f\u7528\u8fd9\u4e2a\u5e93\u53ef\u80fd\u4f1a\u5d29\u6e83\u6216\u8fdb\u5165\u65e0\u9650\u5faa\u73af\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/DrPaulBrewer/cumulative-distribution-function/security/advisories/GHSA-58qp-5328-v7mh",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-47661",
  "openTime": "2021-07-05",
  "patchDescription": "cumulative-distribution-function\u662f\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u4ecex\u503c\u7684\u6570\u636e\u6570\u7ec4\u8ba1\u7b97\u7edf\u8ba1\u7d2f\u79ef\u5206\u5e03\u51fd\u6570\u3002\r\n\r\ncumulative-distribution-function 2.0.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u7a0b\u5e8f\u5728\u4e0d\u6b63\u786e\u7684\u6570\u636e\u4e0a\u4f7f\u7528\u8fd9\u4e2a\u5e93\u53ef\u80fd\u4f1a\u5d29\u6e83\u6216\u8fdb\u5165\u65e0\u9650\u5faa\u73af\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "cumulative-distribution-function\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "cumulative-distribution-function cumulative-distribution-function \u003c2.0.0"
  },
  "referenceLink": "https://github.com/DrPaulBrewer/cumulative-distribution-function/issues/7",
  "serverity": "\u4e2d",
  "submitTime": "2021-06-11",
  "title": "cumulative-distribution-function\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2021-29486 (GCVE-0-2021-29486)

Vulnerability from cvelistv5 – Published: 2021-04-30 17:20 – Updated: 2024-08-03 22:11

Title

Improper Input Validation and Loop with Unreachable Exit Condition ('Infinite Loop') in cumulative-distribution-function

Summary

cumulative-distribution-function is an open source npm library used which calculates statistical cumulative distribution function from data array of x values. In versions prior to 2.0.0 apps using this library on improper data may crash or go into an infinite-loop. In the case of a nodejs server-app using this library to act on invalid non-numeric data, the nodejs server may crash. This may affect other users of this server and/or require the server to be rebooted for proper operation. In the case of a browser app using this library to act on invalid non-numeric data, that browser may crash or lock up. A flaw enabling an infinite-loop was discovered in the code for evaluating the cumulative-distribution-function of input data. Although the documentation explains that numeric data is required, some users may confuse an array of strings like ["1","2","3","4","5"] for numeric data [1,2,3,4,5] when it is in fact string data. An infinite loop is possible when the cumulative-distribution-function is evaluated for a given point when the input data is string data rather than type `number`. This vulnerability enables an infinite-cpu-loop denial-of-service-attack on any app using npm:cumulative-distribution-function v1.0.3 or earlier if the attacker can supply malformed data to the library. The vulnerability could also manifest if a data source to be analyzed changes data type from Arrays of number (proper) to Arrays of string (invalid, but undetected by earlier version of the library). Users should upgrade to at least v2.0.0, or the latest version. Tests for several types of invalid data have been created, and version 2.0.0 has been tested to reject this invalid data by throwing a `TypeError()` instead of processing it. Developers using this library may wish to adjust their app's code slightly to better tolerate or handle this TypeError. Apps performing proper numeric data validation before sending data to this library should be mostly unaffected by this patch. The vulnerability can be mitigated in older versions by ensuring that only finite numeric data of type `Array[number]` or `number` is passed to `cumulative-distribution-function` and its `f(x)` function, respectively.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-20 - {"CWE-20":"Improper Input Validation"}
CWE-835 - {"CWE-835":"Loop with Unreachable Exit Condition ('Infinite Loop')"}

Assigner

GitHub_M

References

URL

Tags

	https://github.com/DrPaulBrewer/cumulative-distri…	x_refsource_CONFIRM
	https://github.com/DrPaulBrewer/cumulative-distri…	x_refsource_MISC
	https://github.com/DrPaulBrewer/cumulative-distri…	x_refsource_MISC
	https://www.npmjs.com/package/cumulative-distribu…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	DrPaulBrewer	cumulative-distribution-function	Affected: < 2.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:11:05.564Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/DrPaulBrewer/cumulative-distribution-function/security/advisories/GHSA-58qp-5328-v7mh"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/DrPaulBrewer/cumulative-distribution-function/issues/7"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/DrPaulBrewer/cumulative-distribution-function/pull/8"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.npmjs.com/package/cumulative-distribution-function"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cumulative-distribution-function",
          "vendor": "DrPaulBrewer",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "cumulative-distribution-function is an open source npm library used which calculates statistical cumulative distribution function from data array of x values. In versions prior to 2.0.0 apps using this library on improper data may crash or go into an infinite-loop. In the case of a nodejs server-app using this library to act on invalid non-numeric data, the nodejs server may crash. This may affect other users of this server and/or require the server to be rebooted for proper operation. In the case of a browser app using this library to act on invalid non-numeric data, that browser may crash or lock up. A flaw enabling an infinite-loop was discovered in the code for evaluating the cumulative-distribution-function of input data. Although the documentation explains that numeric data is required, some users may confuse an array of strings like [\"1\",\"2\",\"3\",\"4\",\"5\"] for numeric data [1,2,3,4,5] when it is in fact string data. An infinite loop is possible when the cumulative-distribution-function is evaluated for a given point when the input data is string data rather than type `number`. This vulnerability enables an infinite-cpu-loop denial-of-service-attack on any app using npm:cumulative-distribution-function v1.0.3 or earlier if the attacker can supply malformed data to the library. The vulnerability could also manifest if a data source to be analyzed changes data type from Arrays of number (proper) to Arrays of string (invalid, but undetected by earlier version of the library). Users should upgrade to at least v2.0.0, or the latest version. Tests for several types of invalid data have been created, and version 2.0.0 has been tested to reject this invalid data by throwing a `TypeError()` instead of processing it. Developers using this library may wish to adjust their app\u0027s code slightly to better tolerate or handle this TypeError. Apps performing proper numeric data validation before sending data to this library should be mostly unaffected by this patch. The vulnerability can be mitigated in older versions by ensuring that only finite numeric data of type `Array[number]` or `number` is passed to `cumulative-distribution-function` and its `f(x)` function, respectively."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "{\"CWE-20\":\"Improper Input Validation\"}",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "{\"CWE-835\":\"Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)\"}",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-30T17:20:14",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/DrPaulBrewer/cumulative-distribution-function/security/advisories/GHSA-58qp-5328-v7mh"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/DrPaulBrewer/cumulative-distribution-function/issues/7"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/DrPaulBrewer/cumulative-distribution-function/pull/8"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.npmjs.com/package/cumulative-distribution-function"
        }
      ],
      "source": {
        "advisory": "GHSA-58qp-5328-v7mh",
        "discovery": "UNKNOWN"
      },
      "title": "Improper Input Validation and Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) in cumulative-distribution-function",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-29486",
          "STATE": "PUBLIC",
          "TITLE": "Improper Input Validation and Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) in cumulative-distribution-function"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "cumulative-distribution-function",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 2.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "DrPaulBrewer"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "cumulative-distribution-function is an open source npm library used which calculates statistical cumulative distribution function from data array of x values. In versions prior to 2.0.0 apps using this library on improper data may crash or go into an infinite-loop. In the case of a nodejs server-app using this library to act on invalid non-numeric data, the nodejs server may crash. This may affect other users of this server and/or require the server to be rebooted for proper operation. In the case of a browser app using this library to act on invalid non-numeric data, that browser may crash or lock up. A flaw enabling an infinite-loop was discovered in the code for evaluating the cumulative-distribution-function of input data. Although the documentation explains that numeric data is required, some users may confuse an array of strings like [\"1\",\"2\",\"3\",\"4\",\"5\"] for numeric data [1,2,3,4,5] when it is in fact string data. An infinite loop is possible when the cumulative-distribution-function is evaluated for a given point when the input data is string data rather than type `number`. This vulnerability enables an infinite-cpu-loop denial-of-service-attack on any app using npm:cumulative-distribution-function v1.0.3 or earlier if the attacker can supply malformed data to the library. The vulnerability could also manifest if a data source to be analyzed changes data type from Arrays of number (proper) to Arrays of string (invalid, but undetected by earlier version of the library). Users should upgrade to at least v2.0.0, or the latest version. Tests for several types of invalid data have been created, and version 2.0.0 has been tested to reject this invalid data by throwing a `TypeError()` instead of processing it. Developers using this library may wish to adjust their app\u0027s code slightly to better tolerate or handle this TypeError. Apps performing proper numeric data validation before sending data to this library should be mostly unaffected by this patch. The vulnerability can be mitigated in older versions by ensuring that only finite numeric data of type `Array[number]` or `number` is passed to `cumulative-distribution-function` and its `f(x)` function, respectively."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "{\"CWE-20\":\"Improper Input Validation\"}"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "{\"CWE-835\":\"Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)\"}"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/DrPaulBrewer/cumulative-distribution-function/security/advisories/GHSA-58qp-5328-v7mh",
              "refsource": "CONFIRM",
              "url": "https://github.com/DrPaulBrewer/cumulative-distribution-function/security/advisories/GHSA-58qp-5328-v7mh"
            },
            {
              "name": "https://github.com/DrPaulBrewer/cumulative-distribution-function/issues/7",
              "refsource": "MISC",
              "url": "https://github.com/DrPaulBrewer/cumulative-distribution-function/issues/7"
            },
            {
              "name": "https://github.com/DrPaulBrewer/cumulative-distribution-function/pull/8",
              "refsource": "MISC",
              "url": "https://github.com/DrPaulBrewer/cumulative-distribution-function/pull/8"
            },
            {
              "name": "https://www.npmjs.com/package/cumulative-distribution-function",
              "refsource": "MISC",
              "url": "https://www.npmjs.com/package/cumulative-distribution-function"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-58qp-5328-v7mh",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-29486",
    "datePublished": "2021-04-30T17:20:14",
    "dateReserved": "2021-03-30T00:00:00",
    "dateUpdated": "2024-08-03T22:11:05.564Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-47661

CVE-2021-29486 (GCVE-0-2021-29486)

Tags

Sightings

Nomenclature