#VU28537 Improper Authorization in Node.js - CVE-2020-8172
Vulnerability identifier: #VU28537
Vulnerability risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-285
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Node.js
Server applications /
Web servers
Vendor: Node.js Foundation
Description
The vulnerability allows a remote attacker to bypass authorization process.
The
vulnerability exists due to TLS session reuse and host certificate
verification bypass, as the 'session' event can be emitted before the
'secureConnect' event in Node.js. The application agent performs https
session caching and an unauthorized connection can be established via
the cached session ticket and treated as authorized connection.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Node.js: 12.0.0, 12.1.0 - 12.17.0, 12.2.0, 12.3.0 - 12.3.1, 12.4.0, 12.5.0, 12.6.0, 12.7.0, 12.8.0 - 12.8.1, 12.9.0 - 12.9.1, 13.0.0 - 13.0.1, 13.1.0 - 13.14.0, 13.2.0, 13.3.0, 13.4.0, 13.5.0, 13.6.0, 13.7.0, 13.8.0, 13.9.0, 14.0.0, 14.1.0, 14.2.0, 14.3.0
External links
http://nodejs.org/en/blog/vulnerability/june-2020-security-releases/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
