Uninitialized Memory Exposure
Affecting life_star package, versions <=0.8.4
Overview
life_star is a web server for Lively.
A possible memory disclosure vulnerability exists when a value of type number is provided to the buffer and results in concatenation of uninitialized memory to the buffer collection. This is a result of unobstructed use of the Buffer constructor, whose insecure default constructor increases the odds of memory leakage. You can read more about the insecure Buffer behavior on our blog.
Similar vulnerabilities were discovered in bl, request, mongoose, ws and sequelize.
Note: This is vulnerable only for Node <=4.
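The pattern behind this advisory and a hardened replacement, as an added example that is not code from the life_star project; the chunk-collecting functions, their names and the inline sample chunks are assumptions for illustration.

```javascript
// Added example (not life_star's code). On Node <=4, `new Buffer(n)` with a numeric
// `n` returns `n` bytes of uninitialized memory instead of encoding the value, so a
// client-controlled number that reaches the constructor turns into a leak of whatever
// the process previously held (CWE-201) once the chunk is appended to the body.

// Vulnerable shape: every chunk is passed straight to the Buffer constructor.
function legacyCollectBody(chunks) {
  return Buffer.concat(chunks.map(chunk => new Buffer(chunk)));
}

// Hardened: refuse numbers outright, and only build buffers from types whose
// contents are fully defined by the input (string, byte array, existing Buffer).
function safeChunkToBuffer(chunk) {
  if (typeof chunk === 'number') {
    throw new TypeError('numeric chunk rejected: would allocate uninitialized memory');
  }
  if (Buffer.isBuffer(chunk)) return chunk;
  if (typeof chunk === 'string' || Array.isArray(chunk)) return Buffer.from(chunk);
  throw new TypeError('unsupported chunk type: ' + typeof chunk);
}

function safeCollectBody(chunks) {
  return Buffer.concat(chunks.map(safeChunkToBuffer));
}

// Where a length really is required (pre-sizing a read buffer), allocate zero-filled
// so nothing from a previous allocation can be observed.
function zeroedBuffer(n) {
  return Buffer.alloc(n);
}

// Small check used when auditing: a freshly sized buffer must contain only zeros.
function isZeroFilled(buf) {
  return buf.every(byte => byte === 0);
}

// Constructed sample input: two legitimate chunks and one hostile numeric chunk.
const goodChunks = ['hello ', Buffer.from('world')];
const hostileChunks = ['hello ', 4096];
```

On current Node versions the legacy path is zero-filled and only warns, so the difference is visible only on the affected Node <=4 line; the hardened path rejects the numeric chunk on every version.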
References
CVSS Score: 5.1 (medium severity)
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None
- Credit: Сковорода Никита Андреевич (ChALkeR)
- CWE: CWE-201
- Snyk ID: npm:life_star:20160212
- Disclosed: 12 Feb, 2016
- Published: 10 Nov, 2016