CVE-2020-8252

CVSS v3.1 7.8 (High)

CVSS v2.0 4.6 (Medium)

EPSS 0.05 % (20^th)

Affected Products 3

Advisories 19

The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.

Weaknesses

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CVE Status: PUBLISHED
CNA: HackerOne
Published Date: 2020-09-18 21:15:13
(4 years ago)
Updated Date: 2023-11-07 03:26:19
(10 months ago)

Affected Products

Configuration #1

	CPE23	From	Up To
Nodejs Node.js from 10.0.0 version and prior 10.22.1 version	cpe:2.3:a:nodejs:node.js::::*:lts	>= 10.0.0	< 10.22.1
Nodejs Node.js from 12.0.0 version and prior 12.18.4 version	cpe:2.3:a:nodejs:node.js::::*:lts	>= 12.0.0	< 12.18.4
Nodejs Node.js from 14.0.0 version and prior 14.9.0 version	cpe:2.3:a:nodejs:node.js::::*:-	>= 14.0.0	< 14.9.0

Configuration #2

		CPE23	From	Up To
	Opensuse Leap 15.2	cpe:2.3:o:opensuse:leap:15.2

Configuration #3

		CPE23	From	Up To
	Fedoraproject Fedora 33	cpe:2.3:o:fedoraproject:fedora:33

Weaknesses

Affected Products

Fedoraproject

Nodejs

Opensuse

Configuration #1

Configuration #2

Configuration #3