CVE-2020-8265

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:oracle:graalvm:19.3.4:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:20.3.0:*:*:*:enterprise:*:*:*

Configuration 5 (hide)

cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*

History

07 Nov 2023, 03:26

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/', 'name': 'FEDORA-2021-d5b2c18fe6', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/', 'name': 'FEDORA-2021-fb1a136393', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/ -

06 Apr 2022, 16:26

Type Values Removed Values Added
References (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Patch, Third Party Advisory
References (MISC) https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ - Vendor Advisory (MISC) https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ - Patch, Vendor Advisory
First Time Siemens sinec Infrastructure Network Services
Siemens
CPE cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*

10 Mar 2022, 17:41

Type Values Removed Values Added
References
  • (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf -

19 Feb 2021, 18:13

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:graalvm:19.3.4:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:20.3.0:*:*:*:enterprise:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
References (MISC) https://www.oracle.com/security-alerts/cpujan2021.html - (MISC) https://www.oracle.com/security-alerts/cpujan2021.html - Third Party Advisory
References (CONFIRM) https://security.netapp.com/advisory/ntap-20210212-0003/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20210212-0003/ - Third Party Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/ - Mailing List, Third Party Advisory

12 Feb 2021, 11:15

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20210212-0003/ -

20 Jan 2021, 15:15

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpujan2021.html -

16 Jan 2021, 03:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/ -

14 Jan 2021, 20:04

Type Values Removed Values Added
CVSS v2 : 7.5
v3 : 9.8
v2 : 6.8
v3 : 8.1

12 Jan 2021, 17:04

Type Values Removed Values Added
CPE cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
CWE CWE-416
References (GENTOO) https://security.gentoo.org/glsa/202101-07 - (GENTOO) https://security.gentoo.org/glsa/202101-07 - Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2021/dsa-4826 - (DEBIAN) https://www.debian.org/security/2021/dsa-4826 - Third Party Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/ - Mailing List, Third Party Advisory
References (MISC) https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ - (MISC) https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ - Vendor Advisory
References (MISC) https://hackerone.com/reports/988103 - (MISC) https://hackerone.com/reports/988103 - Exploit, Issue Tracking, Patch, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 7.5
v3 : 9.8

11 Jan 2021, 11:15

Type Values Removed Values Added
References
  • (GENTOO) https://security.gentoo.org/glsa/202101-07 -

10 Jan 2021, 03:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/ -

07 Jan 2021, 16:15

Type Values Removed Values Added
References
  • (DEBIAN) https://www.debian.org/security/2021/dsa-4826 -

06 Jan 2021, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-01-06 21:15

Updated : 2023-12-10 13:41


NVD link : CVE-2020-8265

Mitre link : CVE-2020-8265

CVE.ORG link : CVE-2020-8265


JSON object : View

Products Affected

oracle

  • graalvm

siemens

  • sinec_infrastructure_network_services

nodejs

  • node.js

debian

  • debian_linux

fedoraproject

  • fedora
CWE
CWE-416

Use After Free