CVE-2020-8265 — Vulnetix

Try Vulnetix Request Demo

CVE-2020-8265 PUBLISHED CVSS 9.300000190734863 CRITICAL

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

EPSS 0.76% · 73.1th percentile

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS Score

0.76%

73.1th percentile

Affected Products

Vendor	Product	Versions
Bitnami	node	15.0.0, 10.0.0, 12.0.0
Bitnami	node-min	10.0.0, 12.0.0, 14.0.0
Bitnami	node-min	15.0.0, 15.0.0, 10.0.0
Bitnami	node	12.0.0, 14.0.0, 15.0.0

Timeline

CVE Published
Jan 5, 2021 PoC Published
Apr 14, 2021 EPSS Score
Jun 22, 2021 EPSS Score
Oct 24, 2021 EPSS Score
Dec 25, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Mar 9, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Apr 28, 2022 EPSS Score
Jun 29, 2022 EPSS Score

References

Open in Interactive Console →