SB2020120326 - Fedora 33 Modular update for nodejs

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020120326

SB2020120326 - Fedora 33 Modular update for nodejs

Published: December 3, 2020 Updated: April 25, 2025

Security Bulletin ID SB2020120326
Severity
High
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 43% Medium 29% Low 29%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Integer overflow (CVE-ID: CVE-2020-10531)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in UnicodeString::doAppend() function in common/unistr.cpp. A remote attacker can pass specially crafted string to the application that is using the vulnerable library, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Resource exhaustion (CVE-ID: CVE-2020-11080)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing HTTP/2 SETTINGS frames. A remote attacker can trigger high CPU load by sending large HTTP/2 SETTINGS frames and perform a denial of service (DoS) attack.


3) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2020-15095)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to NPM Cli stores sensitive information into log files and supports URLs like "://[[:]@][:][:][/]". A local user can redirect output of a log file to an external URL.


4) Use-after-free (CVE-ID: CVE-2020-14354)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error and double-free in c-ares, if the ares_destroy() function is called prior to the ares_getaddrinfo() completing. A remote attacker can perform a denial of service (DoS) attack.


5) Resource exhaustion (CVE-ID: CVE-2020-8251)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections.


6) Buffer overflow (CVE-ID: CVE-2020-8252)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to incorrect validation of realpath in libuv. The library incorrectly determines the buffer size, which can result in a buffer overflow if the resolved path is longer than 256 bytes. A remote attacker can pass an overly long path to the application that is using the library, trigger memory corruption and execute arbitrary code on the system.


7) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2020-8201)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.


Remediation

Install update from vendor's website.

References