Vulnerability Name:

CVE-2014-5256 (CCN-95057)

Assigned: 2014-07-31
Published: 2014-07-31
Updated: 2015-05-12
Summary: Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type: CWE-119
Vulnerability Consequences: Denial of Service
References:
Source: CONFIRM
Type: UNKNOWN
http://advisories.mageia.org/MGASA-2014-0516.html

Source: CCN
Type: Node.js Blog
V8 Memory Corruption and Stack Overflow (fixed in Node v0.8.28 and v0.10.30)

Source: CONFIRM
Type: Patch, Vendor Advisory
http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/

Source: CCN
Type: Google Web site
V8 JavaScript Engine

Source: MITRE
Type: CNA
CVE-2014-5256

Source: SECUNIA
Type: UNKNOWN
61260

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21684769

Source: CCN
Type: Google Chrome Web site
Google Chrome

Source: CCN
Type: IBM Security Bulletin 1684769
A security vulnerability in Node.js affects the IBM Business Process Manager (BPM) configuration editor (CVE-2014-5256)

Source: CCN
Type: IBM Security Bulletin 1685398
Memory corruption security vulnerability in IBM API Management V3.0

Source: CCN
Type: IBM Security Bulletin 1685467
Multiple vulnerabilities affecting the IBM SDK for Node.js used by the Cordova platform packaged with Rational Application Developer (CVE-2014-3508 CVE-2014-5139 CVE-2014-3509 CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3510 CVE

Source: CCN
Type: IBM Security Bulletin 1686792
Multiple vulnerabilities affecting the Cordova platform and IBM SDK Node.js packaged with Rational Software Architect and Rational Software Architect for WebSphere Software

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2015:142

Source: CCN
Type: BID-69157
V8 JavaScript Engine Denial of Service Vulnerability

Source: XF
Type: UNKNOWN
v8-nodejs-dos(95057)

Source: CCN
Type: Node.js GIT Repository
v8: Interrupts must not mask stack overflow

Source: CONFIRM
Type: Exploit
https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356

Source: CCN
Type: IBM Security Bulletin 1682094
Current Release of IBM SDK for Node.js is affected by CVE-2014-5256

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:nodejs:nodejs:0.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.1:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.2:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.3:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.4:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.5:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.6:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.7:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.8:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.9:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.10:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.11:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.12:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.13:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.14:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.15:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.16:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.17:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.18:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.19:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.20:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.21:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.22:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.23:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.24:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.25:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.26:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.8.27:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.0:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.1:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.2:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.3:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.4:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.5:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.6:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.7:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.8:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.9:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.10:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.11:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.12:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.13:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.14:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.15:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.16:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.17:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.18:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.19:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.20:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.21:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.22:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.23:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.24:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.25:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.26:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.27:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.28:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:nodejs:0.10.29:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:google:v8:*:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:node.js:0.10.18:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:node.js:0.8.25:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:api_management:3.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:9.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:9.1.1:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable

OVAL Definitions

Definition ID | Class | Title | Last Modified
oval:com.ubuntu.bionic:def:201452560000000 | V | CVE-2014-5256 on Ubuntu 18.04 LTS (bionic) - medium. | 2014-09-05
oval:com.ubuntu.artful:def:20145256000 | V | CVE-2014-5256 on Ubuntu 17.10 (artful) - medium. | 2014-09-05
oval:com.ubuntu.trusty:def:20145256000 | V | CVE-2014-5256 on Ubuntu 14.04 LTS (trusty) - medium. | 2014-09-05
oval:com.ubuntu.xenial:def:201452560000000 | V | CVE-2014-5256 on Ubuntu 16.04 LTS (xenial) - medium. | 2014-09-05
oval:com.ubuntu.bionic:def:20145256000 | V | CVE-2014-5256 on Ubuntu 18.04 LTS (bionic) - medium. | 2014-09-05
oval:com.ubuntu.xenial:def:20145256000 | V | CVE-2014-5256 on Ubuntu 16.04 LTS (xenial) - medium. | 2014-09-05
oval:com.ubuntu.cosmic:def:20145256000 | V | CVE-2014-5256 on Ubuntu 18.10 (cosmic) - medium. | 2014-09-05
oval:com.ubuntu.cosmic:def:201452560000000 | V | CVE-2014-5256 on Ubuntu 18.10 (cosmic) - medium. | 2014-09-05
oval:com.ubuntu.precise:def:20145256000 | V | CVE-2014-5256 on Ubuntu 12.04 LTS (precise) - medium. | 2014-09-05