#VU47248 Buffer overflow in libuv


| Updated: 2020-10-02

Vulnerability identifier: #VU47248

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8252

CWE-ID: CWE-120

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libuv
Other software / Other software solutions

Vendor: libuv.org

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to incorrect validation of realpath in libuv. The library incorrectly determines the buffer size, which can result in a buffer overflow if the resolved path is longer than 256 bytes. A remote attacker can pass an overly long path to the application that is using the library, trigger memory corruption and execute arbitrary code on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

libuv: 0.10.2 - 1.38.1

External links
http://hackerone.com/reports/965914
http://nodejs.org/en/blog/vulnerability/september-2020-security-releases/
http://security.gentoo.org/glsa/202009-15
http://usn.ubuntu.com/4548-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Hitachi Energy Gateway Station (GWS)
Multiple vulnerabilities in Hitachi Energy FACTS Control Platform (FCP)
Multiple vulnerabilities in Hitachi Energy MicroSCADA Pro/X SYS600
openEuler 20.03 LTS update for libuv
Multiple vulnerabilities in IBM Cloud Transformation Advisor
Red Hat Software Collections update for rh-nodejs12-nodejs
Red Hat Enterprise Linux 8 update for the nodejs:12 module
Red Hat Enterprise Linux 8 update for the nodejs:12 module
OpenSUSE Linux update for nodejs10
OpenSUSE Linux update for nodejs12