Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
archlinuxArchLinuxASA-202101-15
HistoryJan 12, 2021 - 12:00 a.m.

[ASA-202101-15] nodejs-lts-fermium: multiple issues

2021-01-1200:00:00
security.archlinux.org
105

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.008 Low

EPSS

Percentile

81.5%

JSON

Arch Linux Security Advisory ASA-202101-15

Severity: High
Date : 2021-01-12
CVE-ID : CVE-2020-8265 CVE-2020-8287
Package : nodejs-lts-fermium
Type : multiple issues
Remote : No
Link : https://security.archlinux.org/AVG-1401

Summary

The package nodejs-lts-fermium before version 14.15.4-1 is vulnerable
to multiple issues including arbitrary code execution and url request
injection.

Resolution

Upgrade to 14.15.4-1.

pacman -Syu “nodejs-lts-fermium>=14.15.4-1”

The problems have been fixed upstream in version 14.15.4.

Workaround

None.

Description

  • CVE-2020-8265 (arbitrary code execution)

The nodejs release lines 15.x, 14.x, 12.x and 10.x are vulnerable to a
use-after-free bug in its TLS implementation. When writing to a TLS
enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite
with a freshly allocated WriteWrap object as first argument. If the
DoWrite method does not return an error, this object is passed back to
the caller as part of a StreamWriteResult structure. This may be
exploited to corrupt memory leading to a Denial of Service or
potentially other exploits. The issue is fixed in nodejs versions
15.5.1, 14.15.4, 12.20.1 and 10.23.1.

  • CVE-2020-8287 (url request injection)

The nodejs release lines 15.x, 14.x, 12.x and 10.x allow two copies of
a header field in an HTTP request. For example, two Transfer-Encoding
header fields. In this case Node.js identifies the first header field
and ignores the second. This can lead to HTTP Request Smuggling. The
issue is fixed in nodejs versions 15.5.1, 14.15.4, 12.20.1 and 10.23.1.

Impact

A malicious user could achieve data exfiltration through HTTP headers
or execute arbitrary code through poor API usage.

References

https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs/m/7mjPCzY2BAAJ
https://github.com/nodejs-private/node-private/issues/227
https://hackerone.com/bugs?subject=nodejs&report_id=988103
https://github.com/nodejs/node/commit/9834ef85a0a549a45a98f04dc51af1782a7126ee
https://github.com/nodejs/node/commit/4f8772f9b731118628256189b73cd202149bbd97
https://github.com/nodejs/node/commit/5b00de7d67a1372aa342115ad28edd3f78268bb6
https://github.com/nodejs/node/commit/7f178663ebffc82c9f8a5a1b6bf2da0c263a30ed
https://github.com/nodejs/node/commit/357e2857c8385c303782ced2ac8b568df06d4326
https://hackerone.com/bugs?report_id=1002188&subject=nodejs
https://github.com/nodejs-private/llhttp-private/pull/3
https://github.com/nodejs/node/commit/e0c9a2285cfe18642d15d5ed9b7122755c6e66e0
https://github.com/nodejs/node/commit/c5dbe831b714b3a98c59ba2406b791fb27016d79
https://github.com/nodejs/node/commit/641f786bb1a1f6eb1ff8750782ed939780f2b31a
https://github.com/nodejs/node/commit/7ecac8143f0a91785ed0bd3b4d9aab5d98419b41
https://github.com/nodejs/node/commit/92d430917a63a567bb528100371263c46e50ee4a
https://github.com/nodejs/node/commit/4a30ac8c755d0701e773831ce22153b66bb36305
https://github.com/nodejs/node/commit/420244e4d9ca6de2612e7f503f5c87e448fbc14b
https://github.com/nodejs/node/commit/fc70ce08f5818a286fb5899a1bc3aff5965a745e
https://github.com/nodejs/node/commit/aa6b97fb99d7528649fadb4c6a894e078fe4323c
https://security.archlinux.org/CVE-2020-8265
https://security.archlinux.org/CVE-2020-8287

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanynodejs-lts-fermium< 14.15.4-1UNKNOWN

References

Related

archlinux 3
debian 2
nessus 43
ibm 24
mageia 2
osv 14
fedora 2
nodejsblog 1
altlinux 2
suse 5
freebsd 1
ubuntucve 2
cve 2
redhatcve 2
photon 13
alpinelinux 2
hackerone 2
prion 2
veracode 2
debiancve 2
githubexploit 1
ubuntu 2
almalinux 3
oraclelinux 3
redhat 6
rocky 3
ics 5
gentoo 1
oracle 1
archlinux
archlinux
[ASA-202101-13] nodejs-lts-dubnium: multiple issues
2021-01-12 00:00:00
[ASA-202101-16] nodejs: multiple issues
2021-01-12 00:00:00
[ASA-202101-14] nodejs-lts-erbium: multiple issues
2021-01-12 00:00:00
debian
debian
[SECURITY] [DSA 4826-1] nodejs security update
2021-01-06 22:02:35
[SECURITY] [DLA 3224-1] http-parser security update
2022-12-05 13:03:06
nessus
nessus
Debian DSA-4826-1 : nodejs - security update
2021-01-11 00:00:00
SUSE SLES12 Security Update : nodejs14 (SUSE-SU-2021:0107-1)
2021-01-14 00:00:00
Fedora 33 : 1:nodejs (2021-fb1a136393)
2021-01-11 00:00:00
ibm
ibm
Security Bulletin: Vulnerabilities in Node.js in IBM DataPower Gateway
2021-08-16 15:05:23
Security Bulletin: Potential vulnerability with Node.js
2021-07-30 21:10:21
Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Node.js vulnerabilities (CVE-2020-1971, CVE-2020-8265, and CVE-2020-8287)
2021-03-23 15:55:31
mageia
mageia
Updated nodejs packages fix security vulnerabilities
2021-02-05 14:54:53
Updated http-parser packages fix security vulnerability
2022-10-28 09:54:08
osv
osv
nodejs - security update
2021-01-06 00:00:00
CVE-2020-8265
2021-01-06 21:15:14
BIT-node-2020-8265
2024-03-06 11:07:41
fedora
fedora
[SECURITY] Fedora 33 Update: nodejs-14.15.4-1.fc33
2021-01-10 01:28:45
[SECURITY] Fedora 32 Update: nodejs-12.20.1-1.fc32
2021-01-16 01:23:44
nodejsblog
nodejsblog
January 2021 Security Releases
2021-01-04 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 9 package node version 14.15.4-alt1
2021-02-05 00:00:00
Security fix for the ALT Linux 10 package node version 14.15.4-alt1
2021-02-05 00:00:00
suse
suse
Security update for nodejs14 (moderate)
2021-01-15 00:00:00
Security update for nodejs10 (moderate)
2021-01-15 00:00:00
Security update for nodejs10 (moderate)
2021-01-16 00:00:00
freebsd
freebsd
Node.js -- January 2021 Security Releases
2021-01-04 00:00:00
ubuntucve
ubuntucve
CVE-2020-8265
2021-01-06 00:00:00
CVE-2020-8287
2021-01-06 00:00:00
cve
cve
CVE-2020-8265
2021-01-06 21:15:00
CVE-2020-8287
2021-01-06 21:15:00
redhatcve
redhatcve
CVE-2020-8265
2021-01-05 13:14:24
CVE-2020-8287
2021-01-05 14:33:28
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2021-1.0-0355
2021-01-20 00:00:00
Important Photon OS Security Update - PHSA-2021-0355
2021-01-20 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2021-2.0-0313
2021-01-25 00:00:00
alpinelinux
alpinelinux
CVE-2020-8265
2021-01-06 21:15:00
CVE-2020-8287
2021-01-06 21:15:00
hackerone
hackerone
Node.js: Node.js: use-after-free in TLSWrap
2020-09-22 12:49:41
Node.js: Potential HTTP Request Smuggling in nodejs
2020-10-08 05:24:20
prion
prion
Design/Logic Flaw
2021-01-06 21:15:00
Design/Logic Flaw
2021-01-06 21:15:00
veracode
veracode
Use After Free
2021-01-07 04:10:07
HTTP Request Smuggling
2021-01-06 04:57:20
debiancve
debiancve
CVE-2020-8265
2021-01-06 21:15:00
CVE-2020-8287
2021-01-06 21:15:00
githubexploit
githubexploit
Exploit for HTTP Request Smuggling in Nodejs Node.Js
2021-01-05 02:09:23
ubuntu
ubuntu
http-parser vulnerability
2022-08-10 00:00:00
Node.js vulnerabilities
2023-09-19 00:00:00
almalinux
almalinux
Moderate: nodejs:12 security update
2021-02-16 07:34:29
Moderate: nodejs:14 security and bug fix update
2021-02-16 07:34:42
Moderate: nodejs:10 security update
2021-02-16 07:34:15
oraclelinux
oraclelinux
nodejs:12 security update
2021-02-20 00:00:00
nodejs:14 security and bug fix update
2021-02-20 00:00:00
nodejs:10 security update
2021-02-20 00:00:00
redhat
redhat
(RHSA-2021:0485) Moderate: rh-nodejs12-nodejs security update
2021-02-11 13:08:55
(RHSA-2021:0549) Moderate: nodejs:12 security update
2021-02-16 07:34:29
(RHSA-2021:0551) Moderate: nodejs:14 security and bug fix update
2021-02-16 07:34:42
rocky
rocky
nodejs:14 security and bug fix update
2021-02-16 07:34:42
nodejs:12 security update
2021-02-16 07:34:29
nodejs:10 security update
2021-02-16 07:34:15
ics
ics
Hitachi Energy Gateway Station (GWS) Product
2022-08-30 12:00:00
Hitachi Energy FACTS Control Platform (FCP) Product
2022-08-30 12:00:00
Hitachi Energy MicroSCADA Pro/X SYS600
2022-04-21 12:00:00
gentoo
gentoo
NodeJS: Multiple vulnerabilities
2021-01-11 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - January 2021
2021-01-19 00:00:00

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.008 Low

EPSS

Percentile

81.5%

JSON
Related for ASA-202101-15
archlinux3debian2nessus43ibm24mageia2osv14fedora2nodejsblog1altlinux2suse5freebsd1ubuntucve2cve2redhatcve2photon13alpinelinux2hackerone2prion2veracode2debiancve2githubexploit1ubuntu2almalinux3oraclelinux3redhat6rocky3ics5gentoo1oracle1