VDB
CVE-2018-7167
CVE-2018-7167
PUBLISHED
Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.
EPSS 0.76% · 73.7th percentile
Risk Scores
EPSS Score
0.76%
73.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:16.04:LTS | nodejs | *, 4.2.4~dfsg-1ubuntu1, 4.2.4~dfsg-2 |
| Ubuntu:Pro:18.04:LTS | nodejs | 6.11.4~dfsg-1ubuntu1, 6.12.0~dfsg-1ubuntu1, 6.12.0~dfsg-2ubuntu1 |
Timeline
- Jun 13, 2018 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-7167 third-party-advisory
- https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#calls-to-buffer-fill-and-or-buffer-alloc-may-hang-cve-2018-7167 third-party-advisory
- https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/ third-party-advisory
- https://ubuntu.com/security/notices/USN-4796-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-7167 third-party-advisory