Lucene search

[email protected]CVE-2017-15897

HistoryDec 11, 2017 - 9:29 p.m.

CVE-2017-15897

2017-12-1121:29:00

CWE-665

[email protected]

web.nvd.nist.gov

node.js

bug

versions 8.x

9.x

uninitialized buffers

mismatched encodings

cve-2017-15897

nvd

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

3.1 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

4.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.8%

JSON

Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, ‘Buffer.alloc(0x100, “This is not correctly encoded”, “hex”);’ The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.

Affected configurations

NVD

Node

nodejsnode.jsRange8.0.0–8.8.1-

nodejsnode.jsRange8.9.0–8.9.3lts

nodejsnode.jsRange9.0.0–9.2.1-

CPENameOperatorVersion
nodejs:node.jsnodejs node.jsle8.8.1
nodejs:node.jsnodejs node.jslt8.9.3
nodejs:node.jsnodejs node.jslt9.2.1

CPE	Name	Operator	Version
nodejs:node.js	nodejs node.js	le	8.8.1
nodejs:node.js	nodejs node.js	lt	8.9.3
nodejs:node.js	nodejs node.js	lt	9.2.1

CNA Affected

[
  {
    "product": "Node.js",
    "vendor": "The Node.js Project",
    "versions": [
      {
        "status": "affected",
        "version": "8.0 and higher"
      },
      {
        "status": "affected",
        "version": "9.0 and higher"
      }
    ]
  }
]