{"containers": {"cna": {"affected": [{"product": "https://github.com/nodejs/node", "vendor": "n/a", "versions": [{"status": "affected", "version": "12.18.0,14.4.0"}]}], "descriptions": [{"lang": "en", "value": "TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0."}], "problemTypes": [{"descriptions": [{"description": "Privilege Escalation (CAPEC-233)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T23:23:19", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/811502"}, {"tags": ["x_refsource_MISC"], "url": "https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200625-0002/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"name": "GLSA-202101-07", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202101-07"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2020-8172", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "https://github.com/nodejs/node", "version": {"version_data": [{"version_value": "12.18.0,14.4.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Privilege Escalation (CAPEC-233)"}]}]}, "references": {"reference_data": [{"name": "https://www.oracle.com/security-alerts/cpujul2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"name": "https://hackerone.com/reports/811502", "refsource": "MISC", "url": "https://hackerone.com/reports/811502"}, {"name": "https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/", "refsource": "MISC", "url": "https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/"}, {"name": "https://security.netapp.com/advisory/ntap-20200625-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200625-0002/"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"name": "GLSA-202101-07", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202101-07"}, {"name": "https://www.oracle.com/security-alerts/cpujan2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:56:26.895Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/811502"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200625-0002/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"name": "GLSA-202101-07", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202101-07"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2020-8172", "datePublished": "2020-06-08T13:08:16", "dateReserved": "2020-01-28T00:00:00", "dateUpdated": "2024-08-04T09:56:26.895Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D494880-6066-460B-B384-B9188C3967FF", "versionEndExcluding": "12.18.0", "versionStartIncluding": "12.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*", "matchCriteriaId": "89511E55-5D62-425E-B1A3-0688FACEB53C", "versionEndExcluding": "14.4.0", "versionStartIncluding": "14.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "EABAFD73-150F-4DFE-B721-29EB4475D979", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_extensibility_workbench:14.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "DE57039D-E2EE-4014-A7B1-D7380D26098E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0DBC938-A782-433F-8BF1-CA250C332AA7", "versionEndExcluding": "21.1.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:graalvm:19.3.2:*:*:*:enterprise:*:*:*", "matchCriteriaId": "909B4029-1D4F-4D60-AC6D-98C7E9FF1B15", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:graalvm:20.1.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B501426C-7FB5-4C0D-83E4-0279746EFBE8", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", "matchCriteriaId": "69D21CF6-A2D7-403B-9A22-66A892C0F57D", "versionEndIncluding": "7.3.30", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", "matchCriteriaId": "156E63C9-9834-4120-A245-CF1AF6BEC040", "versionEndIncluding": "7.4.29", "versionStartIncluding": "7.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", "matchCriteriaId": "6111894E-B3C9-41F1-8106-6BA16980A146", "versionEndIncluding": "7.5.19", "versionStartIncluding": "7.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", "matchCriteriaId": "C69D247E-D8A3-4834-9240-7EACCA0F63BA", "versionEndIncluding": "7.6.15", "versionStartIncluding": "7.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", "matchCriteriaId": "88B86B2E-D69E-4E1E-BCD5-8B3B9573626C", "versionEndIncluding": "8.0.21", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0."}, {"lang": "es", "value": "La reutilizaci\u00f3n de una sesi\u00f3n TLS puede conllevar a una omisi\u00f3n de la verificaci\u00f3n del certificado del host en node versi\u00f3n anterior a 12.18.0 y anterior a 14.4.0"}], "id": "CVE-2020-8172", "lastModified": "2024-11-21T05:38:26.007", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-08T14:15:13.213", "references": [{"source": "support@hackerone.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackerone.com/reports/811502"}, {"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202101-07"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200625-0002/"}, {"source": "support@hackerone.com", "tags": ["Not Applicable", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackerone.com/reports/811502"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202101-07"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200625-0002/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Not Applicable", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:2852", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:12-8020020200630155331.4cda2c84", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-07-07T00:00:00Z"}, {"advisory": "RHSA-2020:2847", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "nodejs:12-8010020200630154708.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2020-07-07T00:00:00Z"}, {"advisory": "RHSA-2020:2895", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.18.2-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-07-13T00:00:00Z"}, {"advisory": "RHSA-2020:2895", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.18.2-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-07-13T00:00:00Z"}, {"advisory": "RHSA-2020:2895", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.18.2-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-07-13T00:00:00Z"}], "bugzilla": {"description": "nodejs: TLS session reuse can lead to hostname verification bypass", "id": "1845247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845247"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-285", "details": ["TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.", "A TLS Hostname verification bypass vulnerability exists in NodeJS. This flaw allows an attacker to bypass TLS Hostname verification when a TLS client reuses HTTPS sessions."], "name": "CVE-2020-8172", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:10/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:14/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Fix deferred", "impact": "low", "package_name": "nodejs", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nodejs10-nodejs", "product_name": "Red Hat Software Collections"}], "public_date": "2020-06-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8172\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8172"], "statement": "This issue only affects the TLS 1.2 protocol, not TLS 1.3. This issue does not affect NodeJS 10.\nRed Hat Quay installed NodeJS as a dependency of Yarn. It does not use NodeJS at runtime, but executes Javascript on the client's browser instead. Therefore the impact of this vulnerability on Red Hat Quay is low.", "threat_severity": "Moderate"}