CVE-2020-8265

CVE-2020-8265

Name

CVE-2020-8265

Description

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Vendor Advisory	https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
Exploit	https://hackerone.com/reports/988103
Third Party Advisory	https://www.debian.org/security/2021/dsa-4826
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/
Third Party Advisory	https://security.gentoo.org/glsa/202101-07
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/
Third Party Advisory	https://www.oracle.com/security-alerts/cpujan2021.html
Third Party Advisory	https://security.netapp.com/advisory/ntap-20210212-0003/
Patch	https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Type

URI

Vendor Advisory

https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/

Exploit

https://hackerone.com/reports/988103

Third Party Advisory

https://www.debian.org/security/2021/dsa-4826

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/

Third Party Advisory

https://security.gentoo.org/glsa/202101-07

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

Third Party Advisory

https://security.netapp.com/advisory/ntap-20210212-0003/

Patch

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	node.js	>= 10.0.0	< 10.23.1
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	node.js	>= 12.0.0	< 12.20.1
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	node.js	>= 14.0.0	< 14.15.4
`cpe:2.3:a:nodejs:node.js:::::-:::*`	node.js	>= 15.0.0	< 15.5.1
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	nodejs	>= 10.0.0	< 10.23.1
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	nodejs	>= 12.0.0	< 12.20.1
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	nodejs	>= 14.0.0	< 14.15.4
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= 15.0.0	< 15.5.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

node.js

>= 10.0.0

< 10.23.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

node.js

>= 12.0.0

< 12.20.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

node.js

>= 14.0.0

< 14.15.4

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

node.js

>= 15.0.0

< 15.5.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

nodejs

>= 10.0.0

< 10.23.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

nodejs

>= 12.0.0

< 12.20.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

nodejs

>= 14.0.0

< 14.15.4

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= 15.0.0

< 15.5.1

References

Match rules

Vulnerable and fixed packages