CVE-2018-7167
Severity
7.5 HIGH
EPSS
0.8%
top 26.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 13
Latest update: May 13
Description
Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 3 packages
Vulnerability Details: 3
Vendor Advisories: 4
Microsoft
Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability the implementations of Buffer.alloc() (2018-06-12)
Red Hat
nodejs: Denial of Service by calling Buffer.fill() or Buffer.alloc() with specially crafted parameters (2018-06-12)
Debian
CVE-2018-7167: nodejs - Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang ... (2018)
Community: 3
Bugzilla
CVE-2018-7167 nodejs: Denial of Service by calling Buffer.fill() or Buffer.alloc() with specially crafted parameters (2018-06-13)
Bugzilla
CVE-2018-7167 nodejs: Denial of Service by calling Buffer.fill() or Buffer.alloc() with specially crafted parameters [fedora-all] (2018-06-13)
Bugzilla
CVE-2018-7167 nodejs: Denial of Service by calling Buffer.fill() or Buffer.alloc() with specially crafted parameters [epel-all] (2018-06-13)