CVE-2020-8265 — Vulnetix

CVE-2020-8265 PUBLISHED CVSS 9.300000190734863 CRITICAL

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

EPSS 0.76% · 73.7th percentile

Risk Scores

CVSS 4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS Score

0.76%

73.7th percentile

Affected Products

Vendor	Product	Versions
Bitnami	node	10.0.0, 15.0.0, 14.0.0
Bitnami	node-min	10.0.0, 15.0.0, 14.0.0
Bitnami	node-min	15.0.0, 10.0.0, 10.0.0
Bitnami	node	12.0.0, 14.0.0, 15.0.0

Exploit Intelligence

Node.js: use-after-free in TLSWrap (hackerone)
Node.js: use-after-free in TLSWrap (hackerone)
Node.js: use-after-free in TLSWrap (hackerone)
https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ (circl)
DSA-4826 (circl)
FEDORA-2021-fb1a136393 (circl)
GLSA-202101-07 (circl)
FEDORA-2021-d5b2c18fe6 (circl)
https://www.oracle.com/security-alerts/cpujan2021.html (circl)
https://security.netapp.com/advisory/ntap-20210212-0003/ (circl)

…and 2 more exploits

Timeline

CVE Published
Jan 5, 2021 PoC Published
Apr 14, 2021 EPSS Score
Jun 23, 2021 EPSS Score
Oct 26, 2021 EPSS Score
Dec 27, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 28, 2022 EPSS Score
Mar 9, 2022 EPSS Score
Apr 1, 2022 EPSS Score
May 1, 2022 EPSS Score
Sep 4, 2022 EPSS Score

References

Open in Interactive Console →