CVE-2017-15896

Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nodejsCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 29%
VendorProductVersion
nodejsnode.js
4.0.0 ≤
𝑥
≤ 4.1.2
nodejsnode.js
4.2.0 ≤
𝑥
< 4.8.7
nodejsnode.js
6.0.0 ≤
𝑥
≤ 6.8.1
nodejsnode.js
6.9.0 ≤
𝑥
< 6.12.2
nodejsnode.js
8.0.0 ≤
𝑥
≤ 8.8.1
nodejsnode.js
8.9.0 ≤
𝑥
< 8.9.3
nodejsnode.js
9.0.0 ≤
𝑥
< 9.2.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
nodejs
bullseye
12.22.12~dfsg-1~deb11u4
fixed
bullseye (security)
12.22.12~dfsg-1~deb11u5
fixed
bookworm
18.19.0+dfsg-6~deb12u2
fixed
bookworm (security)
18.19.0+dfsg-6~deb12u1
fixed
sid
20.17.0+dfsg-2
fixed
trixie
20.17.0+dfsg-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nodejs
bionic
not-affected
artful
ignored
zesty
ignored
xenial
not-affected
trusty
not-affected
References
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/