cbcvebase.
CVE-2020-8265
published 2021-01-06

CVE-2020-8265: Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled…

high8.1CVSS 3.1
AVNACHPRNUINSUCHIHAH
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

Affected

30 ranges· showing 25
VendorProductVersion rangeFixed in
debiandebian_linux
debiannodejs< nodejs 12.20.1~dfsg-1 (bookworm)nodejs 12.20.1~dfsg-1 (bookworm)
fedoraprojectfedora
fedoraprojectfedora
nodejsnode>= 10.0 < 10.23.110.23.1
nodejsnode>= 11.0 < 11.*11.*
nodejsnode>= 12.0 < 12.20.112.20.1
nodejsnode>= 13.0 < 13.*13.*
nodejsnode>= 14.0 < 14.15.414.15.4
nodejsnode>= 15.0 < 15.5.115.5.1
nodejsnode>= 4.0 < 4.*4.*
nodejsnode>= 5.0 < 5.*5.*
nodejsnode>= 6.0 < 6.*6.*
nodejsnode>= 7.0 < 7.*7.*
nodejsnode>= 8.0 < 8.*8.*
nodejsnode>= 9.0 < 9.*9.*
nodejsnode.js>= 10.0.0 < 10.23.110.23.1
nodejsnode.js>= 12.0.0 < 12.20.112.20.1
nodejsnode.js>= 14.0.0 < 14.15.414.15.4
nodejsnode.js>= 15.0.0 < 15.5.115.5.1
nodejsnodejs>= 0 < 12.20.1~dfsg-112.20.1~dfsg-1
nodejsnodejs>= 0 < 12.20.1~dfsg-112.20.1~dfsg-1
nodejsnodejs>= 0 < 12.20.1~dfsg-112.20.1~dfsg-1
nodejsnodejs>= 0 < 12.20.1~dfsg-112.20.1~dfsg-1
nodejsnodejs>= 0 < 10.19.0~dfsg-3ubuntu1.110.19.0~dfsg-3ubuntu1.1

CVSS provenance

nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
osv8.1HIGH