Lucene search

K
cveHackeroneCVE-2020-8277
HistoryNov 19, 2020 - 1:15 a.m.

CVE-2020-8277

2020-11-1901:15:12
CWE-400
hackerone
web.nvd.nist.gov
300
9
node.js
application
vulnerability
dns
dos
cve-2020-8277
nvd

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.3

Confidence

High

EPSS

0.007

Percentile

81.1%

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.

Affected configurations

Nvd
Vulners
Node
nodejsnode.jsRange12.16.312.19.1lts
OR
nodejsnode.jsRange14.13.014.15.1lts
OR
nodejsnode.jsRange15.0.015.2.1-
Node
fedoraprojectfedoraMatch32
OR
fedoraprojectfedoraMatch33
Node
oracleblockchain_platformRange<21.1.2
OR
oraclegraalvmMatch19.3.4enterprise
OR
oraclegraalvmMatch20.3.0enterprise
OR
oraclejd_edwards_enterpriseone_toolsRange<9.2.6.0
OR
oraclemysql_clusterRange8.0.23
OR
oracleretail_xstore_point_of_serviceMatch16.0.6
OR
oracleretail_xstore_point_of_serviceMatch17.0.4
OR
oracleretail_xstore_point_of_serviceMatch18.0.3
OR
oracleretail_xstore_point_of_serviceMatch19.0.2
Node
c-ares_projectc-aresRange<1.16.0
VendorProductVersionCPE
nodejsnode.js*cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
nodejsnode.js*cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
fedoraprojectfedora32cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
fedoraprojectfedora33cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
oracleblockchain_platform*cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*
oraclegraalvm19.3.4cpe:2.3:a:oracle:graalvm:19.3.4:*:*:*:enterprise:*:*:*
oraclegraalvm20.3.0cpe:2.3:a:oracle:graalvm:20.3.0:*:*:*:enterprise:*:*:*
oraclejd_edwards_enterpriseone_tools*cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
oraclemysql_cluster*cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*
oracleretail_xstore_point_of_service16.0.6cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
Rows per page:
1-10 of 141

CNA Affected

[
  {
    "product": "https://github.com/nodejs/node",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Fixed in 15.2.1, 14.15.1, 12.19.1"
      }
    ]
  }
]

References

Social References

More

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.3

Confidence

High

EPSS

0.007

Percentile

81.1%