CVE-2020-8265 - log back

CVE-2020-8265 edited at 04 Jan 2021 23:52:58
References
https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs/m/7mjPCzY2BAAJ
https://github.com/nodejs-private/node-private/issues/227
https://hackerone.com/bugs?subject=nodejs&report_id=988103
https://github.com/nodejs/node/commit/9834ef85a0a549a45a98f04dc51af1782a7126ee
https://github.com/nodejs/node/commit/4f8772f9b731118628256189b73cd202149bbd97
https://github.com/nodejs/node/commit/5b00de7d67a1372aa342115ad28edd3f78268bb6
https://github.com/nodejs/node/commit/7f178663ebffc82c9f8a5a1b6bf2da0c263a30ed
+ https://github.com/nodejs/node/commit/357e2857c8385c303782ced2ac8b568df06d4326
CVE-2020-8265 edited at 04 Jan 2021 23:38:56
References
https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs/m/7mjPCzY2BAAJ
https://github.com/nodejs-private/node-private/issues/227
https://hackerone.com/bugs?subject=nodejs&report_id=988103
- https://github.com/nodejs-private/node-private/pull/23
https://github.com/nodejs/node/commit/9834ef85a0a549a45a98f04dc51af1782a7126ee
+ https://github.com/nodejs/node/commit/4f8772f9b731118628256189b73cd202149bbd97
+ https://github.com/nodejs/node/commit/5b00de7d67a1372aa342115ad28edd3f78268bb6
+ https://github.com/nodejs/node/commit/7f178663ebffc82c9f8a5a1b6bf2da0c263a30ed
CVE-2020-8265 edited at 04 Jan 2021 23:29:09
Severity
- Medium
+ High
References
https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs/m/7mjPCzY2BAAJ
+ https://github.com/nodejs-private/node-private/issues/227
+ https://hackerone.com/bugs?subject=nodejs&report_id=988103
+ https://github.com/nodejs-private/node-private/pull/23
+ https://github.com/nodejs/node/commit/9834ef85a0a549a45a98f04dc51af1782a7126ee
CVE-2020-8265 edited at 04 Jan 2021 23:24:10
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Local
Type
- Unknown
+ Arbitrary code execution
Description
+ The nodejs release lines 15.x, 14.x, 12.x and 10.x are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits. The issue is fixed in nodejs versions 15.5.1, 14.15.4, 12.20.1 and 10.23.1.
References
+ https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs/m/7mjPCzY2BAAJ
Notes
CVE-2020-8265 created at 04 Jan 2021 23:18:41