CVE-2020-8252
Publication date 18 September 2020
Last updated 24 July 2024
Ubuntu priority
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libuv1 | 20.04 LTS focal |
Fixed 1.34.2-1ubuntu1.1
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.8 · High
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-4548-1
- libuv vulnerability
- 28 September 2020
Other references
- https://hackerone.com/reports/965914
- https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/#fs-realpath-native-on-may-cause-buffer-overflow-medium-cve-2020-8252
- https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/
- https://www.cve.org/CVERecord?id=CVE-2020-8252