First published: Thu Nov 12 2020
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a large number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/rh-nodejs12-nodejs | <0:12.19.1-2.el7 | 0:12.19.1-2.el7 |
redhat/rh-nodejs14-nodejs | <0:14.15.4-2.el7 | 0:14.15.4-2.el7 |
Nodejs Node.js | >=12.16.3 <12.19.1 | |
Nodejs Node.js | >=14.13.0 <14.15.1 | |
Nodejs Node.js | >=15.0.0 <15.2.1 | |
Fedoraproject Fedora | =32 | |
Fedoraproject Fedora | =33 | |
Oracle Blockchain Platform | <21.1.2 | |
Oracle GraalVM | =19.3.4 | |
Oracle GraalVM | =20.3.0 | |
Oracle JD Edwards EnterpriseOne Tools | <9.2.6.0 | |
Oracle MySQL Cluster | <=8.0.23 | |
Oracle Retail Xstore Point of Service | =16.0.6 | |
Oracle Retail Xstore Point of Service | =17.0.4 | |
Oracle Retail Xstore Point of Service | =18.0.3 | |
Oracle Retail Xstore Point of Service | =19.0.2 | |
C-ares Project C-ares | <1.16.0 | |
redhat/c-ares | <1.17.0 | 1.17.0 |
<=1.6.0.1 | ||
<=1.6.0.0 | ||
<=1.5.0.1 | ||
<=1.5.0.0 | ||
<=1.4.0.0 |
CVE-2020-8277 is a vulnerability in Node.js that allows an attacker to trigger a Denial of Service by getting the application to resolve a DNS record with a large number of responses.
Versions < 15.2.1, < 14.15.1, and < 12.19.1 of Node.js are affected by CVE-2020-8277.
To fix CVE-2020-8277, update your Node.js installation to version 15.2.1, 14.15.1, or 12.19.1 or higher.
CVE-2020-8277 has a severity of 7.5 (high).
More information about CVE-2020-8277 can be found on the GitHub page and the Red Hat Bugzilla page.