Information Exposure in node

Do your applications use this vulnerable package? Test your applications

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Information Exposure. The function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.

Remediation

Upgrade node to version 4.8.4, 6.11.1, 7.10.1, 8.1.4 or higher.

References

Nodejs Security Advisory

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

High
Integrity

None
Availability

None

Credit: Unknown
CVE: CVE-2017-1000381
CWE: CWE-200
Snyk ID: SNYK-UPSTREAM-NODE-72325
Disclosed: 02 Jan, 2019
Published: 03 Jan, 2019

Information Exposure
Affecting node package, versions [4.0.0,4.8.4) || [5.0.0,6.11.1) || [7.0.0,7.10.1) || [8.0.0,8.1.4)

Overview

Remediation

References

CVSS Score

Information Exposure Affecting node package, versions [4.0.0,4.8.4) || [5.0.0,6.11.1) || [7.0.0,7.10.1) || [8.0.0,8.1.4)

Overview

Remediation

References

Information Exposure
Affecting node package, versions [4.0.0,4.8.4) || [5.0.0,6.11.1) || [7.0.0,7.10.1) || [8.0.0,8.1.4)