CVE-2020-8277

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
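| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| hackerone | CNA | --- | --- | --- | --- | --- |
| CVE | ADP | --- | --- | --- | --- | --- |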

Base Score: CVSS 3.x
EPSS Score: Percentile: 98%

| Vendor | Product | Version |
|---|---|---|
| nodejs | node.js | 12.16.3 ≤ x < 12.19.1 |
| nodejs | node.js | 14.13.0 ≤ x < 14.15.1 |
| nodejs | node.js | 15.0.0 ≤ x < 15.2.1 |
| oracle | blockchain_platform | x < 21.1.2 |
| oracle | graalvm | 19.3.4 |
| oracle | graalvm | 20.3.0 |
| oracle | jd_edwards_enterpriseone_tools | x < 9.2.6.0 |
| oracle | mysql_cluster | x ≤ 8.0.23 |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| c-ares_project | c-ares | x < 1.16.0 |

x = Vulnerable software versions
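
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| c-ares | bullseye (security) | 1.17.1-1+deb11u3 | fixed |
| c-ares | bullseye | 1.17.1-1+deb11u3 | fixed |
| c-ares | buster | | not-affected |
| c-ares | stretch | | not-affected |
| c-ares | bookworm | 1.18.1-3 | fixed |
| c-ares | sid | 1.34.2-1 | fixed |
| c-ares | trixie | 1.34.2-1 | fixed |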
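
Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| c-ares | groovy | Fixed 1.16.1-1ubuntu0.1 | released |
| c-ares | focal | | not-affected |
| c-ares | bionic | | not-affected |
| c-ares | xenial | | not-affected |
| c-ares | trusty | | dne |
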
References