Unprotected Primary Channel

Affecting node package, versions [6.0.0, 6.15.0)


Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Unprotected Primary Channel. When the debugger is enabled with node --debug or node debug, it listens on port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript.

Remediation

Upgrade node to version 6.15.0 or higher.
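
An added example (not part of the advisory or of Node.js itself): a JavaScript check that scans ss -ltnp output for a listener on port 5858 bound to a non-loopback address, and tests a version string against the affected range [6.0.0, 6.15.0). The function names, sample socket lines and PIDs are constructed for illustration.

```javascript
'use strict';
// Added example: find a legacy Node.js debugger port reachable beyond loopback.
const DEBUG_PORT = 5858;   // default debugger port named in the advisory
const FIXED = [6, 15, 0];  // first fixed release named in the advisory

// True when `version` falls inside the advisory's range [6.0.0, 6.15.0).
function isAffectedVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) return false;
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major !== FIXED[0]) return false; // the range covers the 6.x line only
  return minor < FIXED[1] || (minor === FIXED[1] && patch < FIXED[2]);
}

// Split an ss "addr:port" column; IPv6 addresses are bracketed ("[::1]:5858").
function splitEndpoint(endpoint) {
  const i = endpoint.lastIndexOf(':');
  const addr = endpoint.slice(0, i).replace(/^\[|\]$/g, '');
  return { addr, port: Number(endpoint.slice(i + 1)) };
}

const LOOPBACK = /^(127\.\d+\.\d+\.\d+|::1)$/;

// Return listeners on the debug port that are bound to a non-loopback address.
function findExposedDebuggers(ssOutput, port = DEBUG_PORT) {
  const findings = [];
  for (const line of ssOutput.split('\n')) {
    const cols = line.trim().split(/\s+/);
    if (cols[0] !== 'LISTEN' || cols.length < 4) continue;
    const local = splitEndpoint(cols[3]);
    if (local.port !== port || LOOPBACK.test(local.addr)) continue;
    const proc = /users:\(\("([^"]+)",pid=(\d+)/.exec(line);
    if (proc && proc[1] !== 'node') continue; // a different program owns the port
    findings.push({ addr: local.addr, port, pid: proc ? Number(proc[2]) : null });
  }
  return findings;
}

// Constructed `ss -ltnp` samples (not captured from a real host).
const HEADER = 'State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process';
const SAMPLE_EXPOSED = [HEADER,
  'LISTEN 0 511 0.0.0.0:5858 0.0.0.0:* users:(("node",pid=4121,fd=12))',
  'LISTEN 0 128 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=801,fd=3))'].join('\n');
const SAMPLE_LOOPBACK = [HEADER,
  'LISTEN 0 511 127.0.0.1:5858 0.0.0.0:* users:(("node",pid=4307,fd=12))'].join('\n');

console.log(JSON.stringify(findExposedDebuggers(SAMPLE_EXPOSED)));
console.log(JSON.stringify(findExposedDebuggers(SAMPLE_LOOPBACK)));
```

On a real host, pass the text of ss -ltnp to findExposedDebuggers and the output of node --version to isAffectedVersion.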

CVSS Score

7.3 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Credit: Ben Noordhuis
CVE: CVE-2018-12120
CWE: CWE-419
Snyk ID: SNYK-UPSTREAM-NODE-73599
Disclosed: 28 Nov, 2018
Published: 24 Jan, 2019