Uninitialized Memory Exposure in life_star

Do your applications use this vulnerable package? Test your applications

Overview

life_star is a web server for Lively.

A possible memory disclosure vulnerability exists when a value of type number is provided to the buffer and results in concatenation of uninitialized memory to the buffer collection. This is a result of unobstructed use of the Buffer constructor, whose insecure default constructor increases the odds of memory leakage.

You can read more about the insecure Buffer behavior on our blog.

Similar vulnerabilities were discovered in bl, request, mongoose, ws and sequelize.

Note This is vulnerable only for Node <=4

References

https://github.com/LivelyKernel/life_star/issues/8
https://github.com/LivelyKernel/life_star/compare/0.8.4...0.8.6
https://github.com/LivelyKernel/life_star/commit/b8d80b3209dcc26fc1f7784facaad0442b8c4218

Attack Vector

Local
Attack Complexity

High
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

High
Integrity

None
Availability

None

Credit: Сковорода Никита Андреевич (ChALkeR)
CWE: CWE-201
Snyk ID: npm:life_star:20160212
Disclosed: 12 Feb, 2016
Published: 10 Nov, 2016