{"containers": {"cna": {"affected": [{"product": "https://github.com/nodejs/node", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in 10.22.1, 12.18.4, 14.9.0"}]}], "descriptions": [{"lang": "en", "value": "The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-120", "description": "Classic Buffer Overflow (CWE-120)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-13T03:06:13", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/965914"}, {"name": "GLSA-202009-15", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202009-15"}, {"name": "USN-4548-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4548-1/"}, {"name": "openSUSE-SU-2020:1616", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20201009-0004/"}, {"name": "openSUSE-SU-2020:1660", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html"}, {"name": "FEDORA-2020-43d5a372fc", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2020-8252", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "https://github.com/nodejs/node", "version": {"version_data": [{"version_value": "Fixed in 10.22.1, 12.18.4, 14.9.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Classic Buffer Overflow (CWE-120)"}]}]}, "references": {"reference_data": [{"name": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/", "refsource": "MISC", "url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"}, {"name": "https://hackerone.com/reports/965914", "refsource": "MISC", "url": "https://hackerone.com/reports/965914"}, {"name": "GLSA-202009-15", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202009-15"}, {"name": "USN-4548-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4548-1/"}, {"name": "openSUSE-SU-2020:1616", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html"}, {"name": "https://security.netapp.com/advisory/ntap-20201009-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20201009-0004/"}, {"name": "openSUSE-SU-2020:1660", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html"}, {"name": "FEDORA-2020-43d5a372fc", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:56:28.202Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/965914"}, {"name": "GLSA-202009-15", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202009-15"}, {"name": "USN-4548-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4548-1/"}, {"name": "openSUSE-SU-2020:1616", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20201009-0004/"}, {"name": "openSUSE-SU-2020:1660", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html"}, {"name": "FEDORA-2020-43d5a372fc", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2020-8252", "datePublished": "2020-09-18T20:11:51", "dateReserved": "2020-01-28T00:00:00", "dateUpdated": "2024-08-04T09:56:28.202Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "3161B3E1-1269-4718-AE6A-2C122E1B52D3", "versionEndExcluding": "10.22.1", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "3CB8E8E0-24CC-417B-96D7-AF53B2296661", "versionEndExcluding": "12.18.4", "versionStartIncluding": "12.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "F0300B3A-89AE-40AF-BDAF-EB3F5DA6A66E", "versionEndExcluding": "14.9.0", "versionStartIncluding": "14.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes."}, {"lang": "es", "value": "La implementaci\u00f3n de realpath en libuv versiones anteriores a versiones anteriores a 10.22.1, versiones anteriores a 12.18.4 y versiones anteriores a 14.9.0, usada dentro de Node.js determin\u00f3 incorrectamente el tama\u00f1o del b\u00fafer, lo que puede resultar en un desbordamiento del b\u00fafer si la ruta resuelta tiene m\u00e1s de 256 bytes"}], "id": "CVE-2020-8252", "lastModified": "2023-11-07T03:26:19.070", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-18T21:15:13.497", "references": [{"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html"}, {"source": "support@hackerone.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html"}, {"source": "support@hackerone.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/reports/965914"}, {"source": "support@hackerone.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"}, {"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202009-15"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20201009-0004/"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4548-1/"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-120"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2020:4272", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "low", "package": "nodejs:12-8020020201007080935.4cda2c84", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-10-19T00:00:00Z"}, {"advisory": "RHSA-2021:0548", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "low", "package": "nodejs:10-8030020210118191659.229f0a1c", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-02-16T00:00:00Z"}, {"advisory": "RHSA-2020:4903", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "nodejs:12-8010020201006223055.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2020-11-04T00:00:00Z"}, {"advisory": "RHSA-2020:5086", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-0:12.18.4-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-11-12T00:00:00Z"}, {"advisory": "RHSA-2021:0521", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs10-nodejs-0:10.23.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-02-15T00:00:00Z"}, {"advisory": "RHSA-2020:5086", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-0:12.18.4-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-11-12T00:00:00Z"}, {"advisory": "RHSA-2021:0521", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs10-nodejs-0:10.23.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2021-02-15T00:00:00Z"}, {"advisory": "RHSA-2020:5086", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-0:12.18.4-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-11-12T00:00:00Z"}, {"advisory": "RHSA-2021:0521", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs10-nodejs-0:10.23.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-02-15T00:00:00Z"}], "bugzilla": {"description": "libuv: buffer overflow in realpath", "id": "1879315", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1879315"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-131->CWE-122", "details": ["The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.", "A flaw has been found in libuv. The realpath() implementation performs an incorrect calculation when allocating a buffer, leading to a potential buffer overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "name": "CVE-2020-8252", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "libuv", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:14/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:openstack-optools:13", "fix_state": "Not affected", "package_name": "libuv", "product_name": "Red Hat OpenStack Platform 13 (Queens) Operational Tools"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "impact": "low", "package_name": "quay", "product_name": "Red Hat Quay 3"}], "public_date": "2020-09-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8252\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8252"], "statement": "As shipped in Red Hat Software Collections (nodejs-10 & nodejs-12) as well as Red Hat Enterprise Linux 8 (nodejs-10 and nodejs-12), no incorrect use of the `UV__PATH_MAX` macro were found. Although the releases of libuv contained in these versions of nodejs are considered \"Affected\", it is considered not feasible to trigger the flaw.\nNodeJS is included in Red Hat Quay as a dependency of Yarn which is only used while building Red Hat Quay, and not during runtime.\nRed Hat Enterprise Linux 8 ships libuv-1.23.1, which is not vulnerable to this flaw.", "threat_severity": "Important", "upstream_fix": "libuv 1.39.0, nodejs 12.18.4, nodejs 10.22.1"}