First published: Mon Jan 04 2021(Updated: )
A flaw was found in nodejs. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
Credit: support@hackerone.com support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/rh-nodejs14-nodejs | <0:14.15.4-2.el7 | 0:14.15.4-2.el7 |
redhat/rh-nodejs12-nodejs | <0:12.20.1-1.el7 | 0:12.20.1-1.el7 |
redhat/rh-nodejs12-nodejs-nodemon | <0:2.0.3-1.el7 | 0:2.0.3-1.el7 |
redhat/rh-nodejs10-nodejs | <0:10.23.1-2.el7 | 0:10.23.1-2.el7 |
Nodejs Node.js | >=10.0.0<10.23.1 | |
Nodejs Node.js | >=12.0.0<12.20.1 | |
Nodejs Node.js | >=14.0.0<14.15.4 | |
Nodejs Node.js | >=15.0.0<15.5.1 | |
Debian Debian Linux | =10.0 | |
Fedoraproject Fedora | =32 | |
Fedoraproject Fedora | =33 | |
Oracle GraalVM | =19.3.4 | |
Oracle GraalVM | =20.3.0 | |
Siemens Sinec Infrastructure Network Services | <1.0.1.1 | |
IBM Cloud Pak for Security (CP4S) | <=1.6.0.1 | |
IBM Cloud Pak for Security (CP4S) | <=1.6.0.0 | |
IBM Cloud Pak for Security (CP4S) | <=1.5.0.1 | |
IBM Cloud Pak for Security (CP4S) | <=1.5.0.0 | |
IBM Cloud Pak for Security (CP4S) | <=1.4.0.0 | |
redhat/node | <10.23.1 | 10.23.1 |
redhat/node | <12.20.1 | 12.20.1 |
redhat/node | <14.15.4 | 14.15.4 |
redhat/node | <15.5.1 | 15.5.1 |
ubuntu/nodejs | <8.10.0~dfsg-2ubuntu0.4+ | 8.10.0~dfsg-2ubuntu0.4+ |
ubuntu/nodejs | <10.19.0~dfsg-3ubuntu1.1 | 10.19.0~dfsg-3ubuntu1.1 |
ubuntu/nodejs | <4.2.6~dfsg-1ubuntu4.2+ | 4.2.6~dfsg-1ubuntu4.2+ |
debian/nodejs | 10.24.0~dfsg-1~deb10u1 10.24.0~dfsg-1~deb10u4 12.22.12~dfsg-1~deb11u4 18.13.0+dfsg1-1 18.19.0+dfsg-6~deb12u1 18.20.1+dfsg-4 20.13.1+dfsg-2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2020-8265 is a vulnerability in Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 that allows for a use-after-free bug in its TLS implementation.
CVE-2020-8265 has a severity rating of 8.1 (High).
CVE-2020-8265 affects Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1.
To fix CVE-2020-8265, you should update your Node.js installation to version 10.23.1, 12.20.1, 14.15.4, or 15.5.1.
You can find more information about CVE-2020-8265 on the CVE website, NIST Vulnerability Database, and the Red Hat Bugzilla and Errata.