Nov 05, 2020 - 9:09 a.m.

Security Bulletin: Vulnerabilities in Node.js affect IBM Spectrum Control (CVE-2020-8201, CVE-2020-8252)

www.ibm.com

EPSS: 0.003 (Percentile: 71.6%)

Summary

Node.js is vulnerable to HTTP request smuggling and to a buffer overflow which can affect IBM Spectrum Control.

Vulnerability Details

CVEID: CVE-2020-8201
**DESCRIPTION:** Node.js is vulnerable to HTTP request smuggling, caused by CR-to-Hyphen conversion. By sending specially crafted HTTP request headers, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188591 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2020-8252
**DESCRIPTION:** Node.js is vulnerable to a buffer overflow, caused by improper bounds checking in libuv's fs.realpath.native. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188593 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Spectrum Control | 5.3.0.1-5.4.0 |

Remediation/Fixes

| Release | First Fixing VRM Level | Link to Fix |
| --- | --- | --- |
| 5.4.1 | 5.4.1 | <http://www.ibm.com/support/docview.wss?uid=swg21320822#53_0> |

Workarounds and Mitigations

None