CVE-2017-15896

EUVD-2017-7315
Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 27%
Affected Products (NVD)
VendorProductVersion
nodejsnode.js
4.0.0 ≤
𝑥
≤ 4.1.2
nodejsnode.js
4.2.0 ≤
𝑥
< 4.8.7
nodejsnode.js
6.0.0 ≤
𝑥
≤ 6.8.1
nodejsnode.js
6.9.0 ≤
𝑥
< 6.12.2
nodejsnode.js
8.0.0 ≤
𝑥
≤ 8.8.1
nodejsnode.js
8.9.0 ≤
𝑥
< 8.9.3
nodejsnode.js
9.0.0 ≤
𝑥
< 9.2.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
nodejs
bookworm
18.19.0+dfsg-6~deb12u2
fixed
bookworm (security)
18.19.0+dfsg-6~deb12u1
fixed
bullseye
12.22.12~dfsg-1~deb11u4
fixed
bullseye (security)
12.22.12~dfsg-1~deb11u5
fixed
sid
20.17.0+dfsg-2
fixed
trixie
20.17.0+dfsg-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nodejs
artful
ignored
bionic
not-affected
trusty
not-affected
xenial
not-affected
zesty
ignored
References
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/