CVE-2020-8265

CWE-416 — Use After Free7 documents7 sources

Severity

8.1HIGH

EPSS

0.8%

top 26.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node Nodejs Node.js Siemens Sinec Infrastructure Network Services +3 more

Timeline

PublishedJan 6

Latest updateSep 19

Description

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other e…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5nodejs/node4.0 — 4.*+11

▶NVDnodejs/node.js10.0.0 — 10.23.1+3

▶Debiannodejs< 12.20.1~dfsg-1+3

▶NVDsiemens/sinec_infrastructure_network_services< 1.0.1.1

▶NVDoracle/graalvm19.3.4, 20.3.0+1

Also affects: Debian Linux 10.0, Fedora 32, 33

Patches

Patch: cert-portal.siemens.com ↗Patch: hackerone.com ↗Patch: nodejs.org ↗

🔴Vulnerability Details

GHSA

GHSA-879w-9vpf-9pw9: Node↗2022-05-24

▶

OSV

CVE-2020-8265: Node↗2021-01-06

▶

CVEList

CVE-2020-8265: Node↗2021-01-06

▶

📋Vendor Advisories

Ubuntu

Node.js vulnerabilities↗2023-09-19

▶

Red Hat

nodejs: use-after-free in the TLS implementation↗2021-01-04

▶

Debian

CVE-2020-8265: nodejs - Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a us...↗2020

▶