Vulnerability CVE-2020-8172

Vulnerability Name:

CVE-2020-8172 (CCN-182814)

Assigned:

2020-06-02

Published:

2020-06-02

Updated:

2022-05-12

Summary:

TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.

CVSS v3 Severity:

7.4 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
6.4 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): None

7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

7.4 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
6.4 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): None

CVSS v2 Severity:

5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Complete Availibility (A): None

Vulnerability Type:

CWE-295
CWE-285

Vulnerability Consequences:

Bypass Security

References:

Vulnerable Configuration:

Configuration 1:

cpe:/a:nodejs:node.js:*:*:*:*:*:*:*:* (Version >= 12.0.0 and < 12.18.0)

OR cpe:/a:nodejs:node.js:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.4.0)

Configuration 2:

cpe:/a:oracle:graalvm:19.3.2:*:*:*:enterprise:*:*:*

OR cpe:/a:oracle:graalvm:20.1.0:*:*:*:enterprise:*:*:*

OR cpe:/a:oracle:banking_extensibility_workbench:14.4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:mysql_cluster:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.0.21)

OR cpe:/a:oracle:mysql_cluster:*:*:*:*:*:*:*:* (Version >= 7.6.0 and <= 7.6.15)

OR cpe:/a:oracle:mysql_cluster:*:*:*:*:*:*:*:* (Version >= 7.5.0 and <= 7.5.19)

OR cpe:/a:oracle:mysql_cluster:*:*:*:*:*:*:*:* (Version >= 7.4.0 and <= 7.4.29)

OR cpe:/a:oracle:mysql_cluster:*:*:*:*:*:*:*:* (Version <= 7.3.30)

OR cpe:/a:oracle:blockchain_platform:*:*:*:*:*:*:*:* (Version < 21.1.2)

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:

cpe:/a:nodejs:node.js:12:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:14.0:*:*:*:*:*:*:*

AND

cpe:/a:ibm:sdk:*:*:node.js:*:bluemix:*:*:*

OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:datapower_gateway:2018.4.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:voice_gateway:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:voice_gateway:1.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:watson_developer_cloud:1.4.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:voice_gateway:1.0.2.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:voice_gateway:1.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_data:2.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*

OR cpe:/a:ibm:watson_developer_cloud:1.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:voice_gateway:1.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_automation:20.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_protect_plus:10.1.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.4:*:standard:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.5:*:standard:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_transformation_advisor:2.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_transformation_advisor:2.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_automation:20.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:datapower_gateway:10.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:voice_gateway:1.0.6:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:641	P	Security update for nodejs12 (Moderate) (in QA)	2022-09-30
oval:org.opensuse.security:def:642	P	Security update for nodejs10 (Moderate) (in QA)	2022-09-30
oval:org.opensuse.security:def:20208172	V	CVE-2020-8172	2022-09-02
oval:org.opensuse.security:def:94260	P	(Important)	2022-07-13
oval:org.opensuse.security:def:1690	P	Security update for libeconf, shadow and util-linux (Moderate)	2022-03-04
oval:org.opensuse.security:def:113037	P	nodejs14-14.17.5-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:106478	P	nodejs14-14.17.5-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:66929	P	Security update for the Linux Kernel (Important)	2021-09-21
oval:org.opensuse.security:def:70285	P	Security update for dovecot23 (Moderate)	2021-08-31
oval:org.opensuse.security:def:14024	P	res-signingkeys-3.0.18-26.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14140	P	gdk-pixbuf-lang-2.34.0-18.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:15023	P	liblouis-data-2.6.4-6.6.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:15001	P	libgypsy0-0.9-6.22 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14339	P	pam_krb5-2.4.4-4.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14177	P	java-1_8_0-openjdk-1.8.0.131-26.3 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14363	P	python-pyOpenSSL-16.0.0-2.3.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14295	P	libsystemd0-228-142.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14002	P	perl-32bit-5.18.2-11.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14092	P	automake-1.13.4-6.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13994	P	opie-2.4-724.56 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14158	P	gstreamer-plugins-base-1.8.3-12.11 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14350	P	perl-YAML-LibYAML-0.38-10.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14270	P	libpcre1-32bit-8.39-7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:101418	P	nodejs14-14.16.0-5.9.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:2328	P	nodejs14-14.16.0-5.9.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63416	P	nodejs12-12.21.0-4.13.2 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:101417	P	nodejs12-12.21.0-4.13.2 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:2327	P	nodejs12-12.21.0-4.13.2 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63417	P	nodejs14-14.16.0-5.9.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:100973	P	libsmi-0.4.8-1.29 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:73620	P	Security update for ipvsadm (Low)	2021-05-13
oval:org.opensuse.security:def:66837	P	Security update for clamav-database (Important)	2021-01-25
oval:org.opensuse.security:def:107639	P	nodejs12-12.18.0-2.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63409	P	nodejs12-12.18.0-2.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:2320	P	nodejs12-12.18.0-2.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:117197	P	nodejs12-12.18.0-2.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:38752	P	mailx on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38394	P	libvncclient0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50077	P	libshibsp-lite7 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38819	P	vsftpd on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38644	P	libXi6 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38002	P	mariadb on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38097	P	xen on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38336	P	libopenssl-1_0_0-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:39543	P	Security update for nodejs12 (Critical)	2020-12-01
oval:org.opensuse.security:def:38791	P	rpcbind on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38484	P	spice-vdagent on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:70180	P	nasm on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38863	P	libmysqlclient_r18 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38703	P	libneon27 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38013	P	opie on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50131	P	nodejs12 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:39501	P	Recommended update for php5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:38234	P	kernel-firmware on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38001	P	mailx on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:73502	P	gradle on GA media (Moderate)	2020-12-01
oval:com.redhat.rhsa:def:20202852	P	RHSA-2020:2852: nodejs:12 security update (Important)	2020-07-07

BACK