CVE-2020-8172 HIGH

Published: 2020-06-08 | Last Modified: 2024-11-21 | Status: Modified

Description

TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.

Additional Descriptions (1)

La reutilización de una sesión TLS puede conllevar a una omisión de la verificación del certificado del host en node versión anterior a 12.18.0 y anterior a 14.4.0

CVSS Metrics

Base Score: 7.4 (HIGH)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector	NETWORK
Attack Complexity	HIGH
Privileges Required	NONE
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	HIGH
Integrity Impact	HIGH
Availability Impact	NONE

Source: [email protected]

Type: Primary

Exploitability Score: 2.2

Impact Score: 5.2

Base Score: 5.8 (MEDIUM)

AV:N/AC:M/Au:N/C:P/I:P/A:N

Access Vector	NETWORK
Access Complexity	MEDIUM
Authentication	NONE
Confidentiality Impact	PARTIAL
Integrity Impact	PARTIAL
Availability Impact	NONE

Source: [email protected]

Type: Primary

Exploitability Score: 8.6

Impact Score: 4.9

Weaknesses

Source	Type	Description
[email protected]	Primary	en CWE-295

Affected Products

Vendor	Product	Version	Update	Type
nodejs	node.js	*	<built-in method update of dict object at 0x72a9cc67b600>	Application
nodejs	node.js	*	<built-in method update of dict object at 0x72a9ccd28980>	Application
oracle	banking_extensibility_workbench	14.3.0	<built-in method update of dict object at 0x72a9cc67be00>	Application
oracle	banking_extensibility_workbench	14.4.0	<built-in method update of dict object at 0x72a9cc774740>	Application
oracle	blockchain_platform	*	<built-in method update of dict object at 0x72a9cc679d00>	Application
oracle	graalvm	19.3.2	<built-in method update of dict object at 0x72a9cc678700>	Application
oracle	graalvm	20.1.0	<built-in method update of dict object at 0x72a9cc678f00>	Application
oracle	mysql_cluster	*	<built-in method update of dict object at 0x72a9cd0d8400>	Application
oracle	mysql_cluster	*	<built-in method update of dict object at 0x72a9ccd29c00>	Application
oracle	mysql_cluster	*	<built-in method update of dict object at 0x72a9cc67a380>	Application
oracle	mysql_cluster	*	<built-in method update of dict object at 0x72a9b0b3a580>	Application
oracle	mysql_cluster	*	<built-in method update of dict object at 0x72a9cd0d9700>	Application

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:nodejs:node.js::::::::`
Yes	`cpe:2.3:a:nodejs:node.js::::::::`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:::::::*`
Yes	`cpe:2.3:a:oracle:banking_extensibility_workbench:14.4.0:::::::*`
Yes	`cpe:2.3:a:oracle:blockchain_platform::::::::`
Yes	`cpe:2.3:a:oracle:graalvm:19.3.2::::enterprise:::`
Yes	`cpe:2.3:a:oracle:graalvm:20.1.0::::enterprise:::`
Yes	`cpe:2.3:a:oracle:mysql_cluster::::::::`
Yes	`cpe:2.3:a:oracle:mysql_cluster::::::::`
Yes	`cpe:2.3:a:oracle:mysql_cluster::::::::`
Yes	`cpe:2.3:a:oracle:mysql_cluster::::::::`
Yes	`cpe:2.3:a:oracle:mysql_cluster::::::::`

References

https://hackerone.com/reports/811502
Source: [email protected]

Exploit Third Party Advisory
https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/
Source: [email protected]

Vendor Advisory
https://security.gentoo.org/glsa/202101-07
Source: [email protected]

Third Party Advisory
https://security.netapp.com/advisory/ntap-20200625-0002/
Source: [email protected]

Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html
Source: [email protected]

Not Applicable Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Source: [email protected]

Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html
Source: [email protected]

Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
Source: [email protected]

Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
Source: [email protected]

Patch Third Party Advisory
https://hackerone.com/reports/811502
Source: af854a3a-2127-422b-91ae-364da2661108

Exploit Third Party Advisory
https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/
Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory
https://security.gentoo.org/glsa/202101-07
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://security.netapp.com/advisory/ntap-20200625-0002/
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html
Source: af854a3a-2127-422b-91ae-364da2661108

Not Applicable Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Source: af854a3a-2127-422b-91ae-364da2661108

Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html
Source: af854a3a-2127-422b-91ae-364da2661108

Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
Source: af854a3a-2127-422b-91ae-364da2661108

Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
Source: af854a3a-2127-422b-91ae-364da2661108

Patch Third Party Advisory