CVE-2020-8277: A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, <…

high7.5CVSS 3.1

AVNACLPRNUINSUCNINAH

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.

Affected

35 ranges· showing 25

Vendor	Product	Version range	Fixed in
c-ares	c-ares	>= 0 < 1.17.1-1	1.17.1-1
c-ares	c-ares	>= 0 < 1.17.1-1	1.17.1-1
c-ares	c-ares	>= 0 < 1.17.1-1	1.17.1-1
c-ares	c-ares	>= 0 < 1.17.1-1	1.17.1-1
c-ares_project	c-ares	< 1.16.0	1.16.0
debian	c-ares	< c-ares 1.17.1-1 (bookworm)	c-ares 1.17.1-1 (bookworm)
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
msrc	cbl2_python-gevent_21.1.2-3_on_cbl_mariner_2.0	—	—
msrc	cbl_mariner_1.0_arm	—	—
msrc	cbl_mariner_1.0_x64	—	—
msrc	cm1_c-ares_1.17.1-1_on_cbl_mariner_1.0	—	—
nodejs	node	>= 11.0 < 11.*	11.*
nodejs	node	>= 12.0 < 12.19.1	12.19.1
nodejs	node	>= 13.0 < 13.*	13.*
nodejs	node	>= 14.0 < 14.15.1	14.15.1
nodejs	node	>= 15.0 < 15.2.1	15.2.1
nodejs	node	>= 4.0 < 4.*	4.*
nodejs	node	>= 5.0 < 5.*	5.*
nodejs	node	>= 6.0 < 6.*	6.*
nodejs	node	>= 7.0 < 7.*	7.*
nodejs	node	>= 8.0 < 8.*	8.*
nodejs	node	>= 9.0 < 9.*	9.*
nodejs	node.js	>= 12.16.3 < 12.19.1	12.19.1
nodejs	node.js	>= 14.13.0 < 14.15.1	14.15.1

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

osv7.5HIGH