CVE-2020-8265

CVSS v3.1 8.1 (High)
CVSS v2.0 6.8 (Medium)
EPSS 0.47 % (76th)
Affected Products 5
Advisories 30

Node.js versions before 10.23.1, 12.20.1, 14.15.4, and 15.5.1 are vulnerable to a use-after-free bug in the TLS implementation. When writing to a TLS-enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as the first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory, leading to a Denial of Service or potentially other exploits.

Weaknesses
CWE-416
Use After Free
CVE Status
PUBLISHED
CNA
HackerOne
Published Date
2021-01-06 21:15:14
(3 years ago)
Updated Date
2023-11-07 03:26:19
(10 months ago)

Affected Products


Configuration #1

  Product                                                       CPE23                                From       Up To
  Nodejs Node.js from 10.0.0 version and prior 10.23.1 version  cpe:2.3:a:nodejs:node.js::*:*:*:lts  >= 10.0.0  < 10.23.1
  Nodejs Node.js from 12.0.0 version and prior 12.20.1 version  cpe:2.3:a:nodejs:node.js::*:*:*:lts  >= 12.0.0  < 12.20.1
  Nodejs Node.js from 14.0.0 version and prior 14.15.4 version  cpe:2.3:a:nodejs:node.js::*:*:*:lts  >= 14.0.0  < 14.15.4
  Nodejs Node.js from 15.0.0 version and prior 15.5.1 version   cpe:2.3:a:nodejs:node.js::*:*:*:-    >= 15.0.0  < 15.5.1

Configuration #2

  Product            CPE23                               From  Up To
  Debian Linux 10.0  cpe:2.3:o:debian:debian_linux:10.0

Configuration #3

  Product                  CPE23                              From  Up To
  Fedoraproject Fedora 32  cpe:2.3:o:fedoraproject:fedora:32
  Fedoraproject Fedora 33  cpe:2.3:o:fedoraproject:fedora:33

Configuration #4

  Product                CPE23                                             From  Up To
  Oracle Graalvm 19.3.4  cpe:2.3:a:oracle:graalvm:19.3.4:*:*:*:enterprise
  Oracle Graalvm 20.3.0  cpe:2.3:a:oracle:graalvm:20.3.0:*:*:*:enterprise

Configuration #5

  Product                                                              CPE23                                                    From  Up To
  Siemens Sinec Infrastructure Network Services prior 1.0.1.1 version  cpe:2.3:a:siemens:sinec_infrastructure_network_services        < 1.0.1.1