Detections
Analytics

CVE-2018-7167

high

Description

Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.

References

https://security.gentoo.org/glsa/202003-48

https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/

http://www.securityfocus.com/bid/106363

Details

Source: Mitre, NVD

Published: 2018-06-13

Updated: 2022-08-29

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High