---

CVE-2020-8265 - log back

CVE-2020-8265 edited at 04 Jan 2021 23:52:58

References

https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs/m/7mjPCzY2BAAJ https://github.com/nodejs-private/node-private/issues/227 https://hackerone.com/bugs?subject=nodejs&report_id=988103 https://github.com/nodejs/node/commit/9834ef85a0a549a45a98f04dc51af1782a7126ee https://github.com/nodejs/node/commit/4f8772f9b731118628256189b73cd202149bbd97 https://github.com/nodejs/node/commit/5b00de7d67a1372aa342115ad28edd3f78268bb6 https://github.com/nodejs/node/commit/7f178663ebffc82c9f8a5a1b6bf2da0c263a30ed + https://github.com/nodejs/node/commit/357e2857c8385c303782ced2ac8b568df06d4326

CVE-2020-8265 edited at 04 Jan 2021 23:38:56

References

https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs/m/7mjPCzY2BAAJ https://github.com/nodejs-private/node-private/issues/227 https://hackerone.com/bugs?subject=nodejs&report_id=988103 - https://github.com/nodejs-private/node-private/pull/23 https://github.com/nodejs/node/commit/9834ef85a0a549a45a98f04dc51af1782a7126ee + https://github.com/nodejs/node/commit/4f8772f9b731118628256189b73cd202149bbd97 + https://github.com/nodejs/node/commit/5b00de7d67a1372aa342115ad28edd3f78268bb6 + https://github.com/nodejs/node/commit/7f178663ebffc82c9f8a5a1b6bf2da0c263a30ed

CVE-2020-8265 edited at 04 Jan 2021 23:29:09
Severity	- Medium + High
References	https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs/m/7mjPCzY2BAAJ + https://github.com/nodejs-private/node-private/issues/227 + https://hackerone.com/bugs?subject=nodejs&report_id=988103 + https://github.com/nodejs-private/node-private/pull/23 + https://github.com/nodejs/node/commit/9834ef85a0a549a45a98f04dc51af1782a7126ee

CVE-2020-8265 edited at 04 Jan 2021 23:24:10
Severity	- Unknown + Medium
Remote	- Unknown + Local
Type	- Unknown + Arbitrary code execution
Description	+ The nodejs release lines 15.x, 14.x, 12.x and 10.x are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits. The issue is fixed in nodejs versions 15.5.1, 14.15.4, 12.20.1 and 10.23.1.
References	+ https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs/m/7mjPCzY2BAAJ
Notes

CVE-2020-8265 created at 04 Jan 2021 23:18:41