First published: Sun Aug 30 2020
A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3. If attacker-supplied input (even typed input) ends up as the consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
IBM Security Guardium Insights | <=2.0.2 | |
Bufferlist Project Bufferlist | <1.2.3 | |
Bufferlist Project Bufferlist | >=2.0.0 <2.2.1 | |
Bufferlist Project Bufferlist | >=3.0.0 <3.0.1 | |
Bufferlist Project Bufferlist | >=4.0.0 <4.0.3 | |
Debian Debian Linux | =9.0 | |
CVE-2020-8244 is a buffer over-read vulnerability in the bl module of Node.js.
IBM Security Guardium Insights versions 2.0.2 and earlier are affected by CVE-2020-8244.
An attacker can exploit CVE-2020-8244 by supplying user input that can become negative and corrupt the BufferList state to expose uninitialized memory.
CVE-2020-8244 has a severity rating of 8.2 (High).
To fix CVE-2020-8244, upgrade to a version of the bl module that is not affected, such as versions 4.0.3, 3.0.1, 2.2.1, or 1.2.3.
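
Because bl is often installed as a nested dependency, the following added example (not code from this advisory or from the bl project) checks every copy of bl recorded in a package-lock.json against the affected ranges in the table above. The function names, the sample lockfile and its package names are assumptions constructed for illustration.

```javascript
// Affected ranges from the advisory table: [inclusive lower bound, first fixed version).
const AFFECTED = [["0.0.0", "1.2.3"], ["2.0.0", "2.2.1"],
                  ["3.0.0", "3.0.1"], ["4.0.0", "4.0.3"]];

// Parse "MAJOR.MINOR.PATCH" into numbers; any prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Sort-style comparator: negative, zero or positive.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// True when the version falls inside any affected range listed in the advisory.
function isAffectedBl(version) {
  return AFFECTED.some(([lo, fixed]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, fixed) < 0);
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// report every installed copy of bl, including nested transitive copies.
function findAffectedBl(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/bl$/.test(path)) continue; // skip other packages
    if (isAffectedBl(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (hypothetical package names), not from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/bl": { version: "4.0.3" },
    "node_modules/dep-a/node_modules/bl": { version: "3.0.0" },
    "node_modules/dep-b/node_modules/bl": { version: "1.2.2" },
    "node_modules/blx": { version: "2.0.0" },
  },
};

console.log(findAffectedBl(SAMPLE_LOCK));
```

Each path it reports identifies the parent package that pins the affected copy of bl, which is the dependency that needs updating or overriding.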