CVE-2020-8172
First published: Tue Jun 02 2020(Updated: )
TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nodejs | <12.18.0 | 12.18.0 |
| redhat/nodejs | <14.4.0 | 14.4.0 |
| redhat/rh-nodejs12-nodejs | <0:12.18.2-1.el7 | 0:12.18.2-1.el7 |
| debian/nodejs | 10.24.0~dfsg-1~deb10u1 10.24.0~dfsg-1~deb10u3 12.22.12~dfsg-1~deb11u4 18.13.0+dfsg1-1 | |
| Nodejs Node.js | >=12.0.0<12.18.0 | |
| Nodejs Node.js | >=14.0.0<14.4.0 | |
| Oracle Banking Extensibility Workbench | =14.3.0 | |
| Oracle Banking Extensibility Workbench | =14.4.0 | |
| Oracle Blockchain Platform | <21.1.2 | |
| Oracle GraalVM | =19.3.2 | |
| Oracle GraalVM | =20.1.0 | |
| Oracle MySQL Cluster | <=7.3.30 | |
| Oracle MySQL Cluster | >=7.4.0<=7.4.29 | |
| Oracle MySQL Cluster | >=7.5.0<=7.5.19 | |
| Oracle MySQL Cluster | >=7.6.0<=7.6.15 | |
| Oracle MySQL Cluster | >=8.0.0<=8.0.21 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://hackerone.com/reports/811502
- https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/
- https://security.gentoo.org/glsa/202101-07
- https://security.netapp.com/advisory/ntap-20200625-0002/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1845254
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1845248
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1845249
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1845250
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1845251
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1845252
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1845253
- https://github.com/nodejs/node/commit/2e1b41a708a71ee127a5db9c750760f74db494e4
- https://github.com/nodejs/node/commit/0932309af2d9d66611cf5387f2cc925a80cb441f
- https://access.redhat.com/errata/RHSA-2020:2847
- https://access.redhat.com/errata/RHSA-2020:2852
- https://access.redhat.com/security/cve/cve-2020-8172
- https://access.redhat.com/errata/RHSA-2020:2895
- https://bugzilla.redhat.com/show_bug.cgi?id=1845247
- https://www.cve.org/CVERecord?id=CVE-2020-8172 https://nvd.nist.gov/vuln/detail/CVE-2020-8172
- https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/#tls-session-reuse-can-lead-to-host-certificate-verification-bypass-high-cve-2020-8172
- https://security-tracker.debian.org/tracker/CVE-2020-8172
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- collector/security-tracker-debian
- collector/nvd-index
- agent/type
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/author
- agent/severity
- agent/references
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-8172
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- package-manager/debian
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/12.0.0
- version/nodejs node.js/14.0.0
- vendor/oracle
- canonical/oracle banking extensibility workbench
- version/oracle banking extensibility workbench/14.3.0
- version/oracle banking extensibility workbench/14.4.0
- canonical/oracle blockchain platform
- canonical/oracle graalvm
- version/oracle graalvm/19.3.2
- version/oracle graalvm/20.1.0
- canonical/oracle mysql cluster
- version/oracle mysql cluster/7.3.30
- version/oracle mysql cluster/7.4.0
- version/oracle mysql cluster/7.4.29
- version/oracle mysql cluster/7.5.0
- version/oracle mysql cluster/7.5.19
- version/oracle mysql cluster/7.6.0
- version/oracle mysql cluster/7.6.15
- version/oracle mysql cluster/8.0.0
- version/oracle mysql cluster/8.0.21