CVE-2020-8277 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2020-8277?

CVE-2020-8277 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-8277?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Fedoraproject Fedora, Oracle Blockchain Platform, Oracle Graalvm, Oracle Jd Edwards Enterpriseone Tools.

Vulnerability Description

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Nodejs	Node.Js	>= 12.16.3, < 12.19.1
Fedoraproject	Fedora	32
Oracle	Blockchain Platform	< 21.1.2
Oracle	Graalvm	19.3.4
Oracle	Jd Edwards Enterpriseone Tools	< 9.2.6.0
Oracle	Mysql Cluster	<= 8.0.23
Oracle	Retail Xstore Point Of Service	16.0.6
C-Ares Project	C-Ares	< 1.16.0

Related Weaknesses (CWE)

CWE-400

References

https://hackerone.com/reports/1033107Permissions RequiredThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/PatchVendor Advisory
https://security.gentoo.org/glsa/202012-11Third Party Advisory
https://security.gentoo.org/glsa/202101-07Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
https://hackerone.com/reports/1033107Permissions RequiredThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2020-8277?

CVE-2020-8277 is a vulnerability with a CVSS score of 7.5 (HIGH). A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the applic...

How severe is CVE-2020-8277?

CVE-2020-8277 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-8277?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Fedoraproject Fedora, Oracle Blockchain Platform, Oracle Graalvm, Oracle Jd Edwards Enterpriseone Tools.