Information Exposure

Affecting node package, versions [6.0.0,6.17.0) || [8.0.0,8.15.1)

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Information Exposure. Under certain circumstances, a TLS server can be forced to respond differently to a client if a zero-byte record is received with an invalid padding compared to a zero-byte record with an invalid MAC. This can be used as the basis of a padding oracle attack to decrypt data.

Only TLS connections using certain ciphersuites executing under certain conditions are exploitable. Node are currently unable to determine whether the use of OpenSSL in Node.js exposes this vulnerability. They are taking a cautionary approach and recommending the same for users.

Remediation

Upgrade node to version 6.17.0, 8.15.1 or higher.

References

CVSS Score

5.6
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Credit
Jan Maybach and Marco Pracucci
CVE
CVE-2019-1559
CWE
CWE-200
Snyk ID
SNYK-UPSTREAM-NODE-173739
Disclosed
26 Feb, 2019
Published
28 Feb, 2019