CVE-2020-8277

high-risk

Published 2020-11-19

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.

Do I need to act?

59.2% chance of exploitation in next 30 days

EPSS score — higher than 41% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (14)

Node.Js

Fedora

Blockchain Platform

Graalvm

Jd Edwards Enterpriseone Tools

Mysql Cluster

Retail Xstore Point Of Service

C-Ares

Affected Vendors

Oracle Fedoraproject Nodejs C-Ares Project

References (26)

Permissions Required https://hackerone.com/reports/1033107

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Patch https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/

Third Party Advisory https://security.gentoo.org/glsa/202012-11

Third Party Advisory https://security.gentoo.org/glsa/202101-07

Patch https://www.oracle.com//security-alerts/cpujul2021.html

Patch https://www.oracle.com/security-alerts/cpuApr2021.html

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Patch https://www.oracle.com/security-alerts/cpujan2021.html

Patch https://www.oracle.com/security-alerts/cpuoct2021.html

Permissions Required https://hackerone.com/reports/1033107

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Patch https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/

Third Party Advisory https://security.gentoo.org/glsa/202012-11

and 6 more references

/ 100

high-risk

Severity 26/34 · High

Exploitability 18/34 · Moderate

Exposure 18/34 · Moderate