Main Vulnerability Database Vulnerabilities #VU33508

#VU33508 Information disclosure in Node.js - CVE-2017-15897

Published: December 11, 2017 / Updated: August 4, 2020

Vulnerability identifier: #VU33508

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-15897

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Node.js

Software vendor:
Node.js Foundation

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.

Remediation

Install update from vendor's website.

External links

https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/

#VU33508 Information disclosure in Node.js - CVE-2017-15897

Description

Remediation

External links

Please verify you're human