CVE-2018-21270

2020-12-0321:15:11

Debian Security Bug Tracker

security-tracker.debian.org

node.js

stringstream module

out-of-bounds read

allocation

uninitialized buffers

input stream

node.js 4.x

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H

EPSS

0.002

Percentile

58.7%

JSON

Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).

OSVersionArchitecturePackageVersionFilename
Debian12allnode-stringstream< 0.0.6-1node-stringstream_0.0.6-1_all.deb
Debian11allnode-stringstream< 0.0.6-1node-stringstream_0.0.6-1_all.deb
Debian999allnode-stringstream< 0.0.6-1node-stringstream_0.0.6-1_all.deb
Debian13allnode-stringstream< 0.0.6-1node-stringstream_0.0.6-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	node-stringstream	< 0.0.6-1	node-stringstream_0.0.6-1_all.deb
Debian	11	all	node-stringstream	< 0.0.6-1	node-stringstream_0.0.6-1_all.deb
Debian	999	all	node-stringstream	< 0.0.6-1	node-stringstream_0.0.6-1_all.deb
Debian	13	all	node-stringstream	< 0.0.6-1	node-stringstream_0.0.6-1_all.deb