#VU28537 Improper Authorization in Node.js - CVE-2020-8172
Published: June 3, 2020
Vulnerability identifier: #VU28537
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-8172
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Node.js
Software vendor: Node.js Foundation
Description
The vulnerability allows a remote attacker to bypass the authorization process.
The vulnerability exists because the 'session' event can be emitted before the 'secureConnect' event in Node.js, so a TLS session can be reused before host certificate verification has completed. The application's HTTPS agent caches sessions, so an unauthorized connection can be established via a cached session ticket and treated as an authorized connection.
Remediation
Install updates from vendor's website.