CVE-2018-7167

MEDIUM

Description

Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.

References

http://www.securityfocus.com/bid/106363

https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/

https://security.gentoo.org/glsa/202003-48

Details

Source: MITRE

Published: 2018-06-13

Updated: 2020-03-20

Type: CWE-119

Risk Information

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3.0

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* versions up to 6.14.3 (inclusive)

cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* versions from 8.0.0 to 8.11.3 (inclusive)

cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* versions from 9.0.0 to 9.11.2 (inclusive)

Tenable Plugins


| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 134776 | GLSA-202003-48 : Node.js: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high |
| 123217 | openSUSE Security Update : nodejs8 (openSUSE-2019-513) | Nessus | SuSE Local Security Checks | high |
| 121994 | Photon OS 2.0: Nodejs PHSA-2018-2.0-0093 | Nessus | PhotonOS Local Security Checks | high |
| 120914 | Fedora 28 : 1:nodejs (2018-f59d961d7b) | Nessus | Fedora Local Security Checks | high |
| 120038 | SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2018:1918-1) | Nessus | SuSE Local Security Checks | high |
| 120036 | SUSE SLES12 Security Update : nodejs6 (SUSE-SU-2018:1892-1) | Nessus | SuSE Local Security Checks | medium |
| 118957 | Node.js multiple vulnerabilities (July 2018 Security Releases). | Nessus | Misc. | high |
| 117634 | Photon OS 2.0: Nodejs PHSA-2018-2.0-0093 (deprecated) | Nessus | PhotonOS Local Security Checks | high |
| 111095 | openSUSE Security Update : nodejs8 (openSUSE-2018-724) | Nessus | SuSE Local Security Checks | high |
| 111094 | openSUSE Security Update : nodejs6 (openSUSE-2018-723) | Nessus | SuSE Local Security Checks | medium |
| 110822 | Fedora 27 : 1:nodejs (2018-79841c871e) | Nessus | Fedora Local Security Checks | high |
| 110539 | FreeBSD : node.js -- multiple vulnerabilities (45b8e2eb-7056-11e8-8fab-63ca6e0e13a2) | Nessus | FreeBSD Local Security Checks | high |