Stay Connected:

CVE-2020-8265

CVE Details

Release Date:2021-01-06
Impact:None What is this?

Description


Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

See more information about CVE-2020-8265 from MITRE CVE dictionary and NIST NVD


NOTE: The following CVSS metrics and score provided are preliminary and subject to review.


CVSS v3 metrics

Base Score: 8.1
Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.0
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Errata information


PlatformErrataRelease Date
Oracle Linux version 8 (nodejs)ELSA-2021-05482021-02-20
Oracle Linux version 8 (nodejs)ELSA-2021-05492021-02-20
Oracle Linux version 8 (nodejs)ELSA-2021-05512021-02-20
Oracle Linux version 8 (nodejs-nodemon)ELSA-2021-05482021-02-20
Oracle Linux version 8 (nodejs-nodemon)ELSA-2021-05492021-02-20
Oracle Linux version 8 (nodejs-nodemon)ELSA-2021-05512021-02-20
Oracle Linux version 8 (nodejs-packaging)ELSA-2021-05482021-02-20
Oracle Linux version 8 (nodejs-packaging)ELSA-2021-05512021-02-20


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:

software.hardware.complete
Subscribe | Careers | Contact Us | Legal Notices | Terms of Use | Your Privacy Rights