Vulnerability Name:

CVE-2020-8251

Assigned:2020-09-18
Published:2020-09-18
Updated:2022-05-24
Summary:Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-400
References:Source: MITRE
Type: CNA
CVE-2020-8251

Source: MISC
Type: Permissions Required
https://hackerone.com/reports/868834

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-43d5a372fc

Source: MISC
Type: Vendor Advisory
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/

Source: GENTOO
Type: Third Party Advisory
GLSA-202101-07

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20201009-0004/

Vulnerable Configuration:Configuration 1:
  • cpe:/a:nodejs:node.js:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.11.0)

    • Configuration 2:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Vulnerability Name:

    CVE-2020-8251 (CCN-188592)

    Assigned:2020-09-15
    Published:2020-09-15
    Updated:2021-01-11
    Summary:Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections.
    CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
    Exploitability Metrics:Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
    Scope:Scope (S): Unchanged
    Impact Metrics:Confidentiality (C): None
    Integrity (I): None
    Availibility (A): High
    7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
    Exploitability Metrics:Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
    Scope:Scope (S): Unchanged
    Impact Metrics:Confidentiality (C): None
    Integrity (I): None
    Availibility (A): High
    CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
    Exploitability Metrics:Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
    Impact Metrics:Confidentiality (C): None
    Integrity (I): None
    Availibility (A): Partial
    7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
    Exploitability Metrics:Access Vector (AV): Network
    Access Complexity (AC): Low
    Athentication (Au): None
    Impact Metrics:Confidentiality (C): None
    Integrity (I): None
    Availibility (A): Complete
    Vulnerability Type:CWE-400
    Vulnerability Consequences:Denial of Service
    References:Source: MITRE
    Type: CNA
    CVE-2020-8251

    Source: XF
    Type: UNKNOWN
    nodejs-cve20208251-dos(188592)

    Source: MISC
    Type: Permissions Required
    https://hackerone.com/reports/868834

    Source: FEDORA
    Type: UNKNOWN
    FEDORA-2020-43d5a372fc

    Source: CCN
    Type: Node.js Blog, 2020-09-15
    September 2020 Security Releases

    Source: MISC
    Type: Vendor Advisory
    https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/

    Source: GENTOO
    Type: UNKNOWN
    GLSA-202101-07

    Source: CONFIRM
    Type: UNKNOWN
    https://security.netapp.com/advisory/ntap-20201009-0004/

    Source: CCN
    Type: IBM Security Bulletin 6364969 (Watson Discovery)
    IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js

    Source: CCN
    Type: IBM Security Bulletin 6367943 (Spectrum Protect Plus)
    Vulnerabilities in jQuery, Spring, Dom4j, MongoDB, Linux Kernel, Targetcli-fb, Jackson, Node.js, and Apache Commons affect IBM Spectrum Protect Plus

    Source: CCN
    Type: IBM Security Bulletin 6373618 (Streams Designer)
    Node.js upgrade for IBM Cloud Pak for Data Streams Flows

    Source: CCN
    Type: IBM Security Bulletin 6373628 (Streams Designer)
    Node.js upgrade for IBM Cloud Pak for Data Streams Flows

    Source: CCN
    Type: IBM Security Bulletin 6379130 (Watson Developer Cloud)
    Potential vulnerability with Node.js

    Source: CCN
    Type: IBM Security Bulletin 6381256 (Business Automation Workflow)
    Multiple vulnerabilities in node.js may affect configuration editor used in IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2020-8201, CVE-2020-8252, CVE-2020-8251

    Source: CCN
    Type: IBM Security Bulletin 6381846 (Cloud Transformation Advisor)
    IBM Cloud Transformation Advisor is affected by multiple Node.js vulnerabilities.

    Source: CCN
    Type: IBM Security Bulletin 6382360 (Netcool Operations Insight)
    Netcool Operations Insight - Cloud Native Event Analytics is affected by an Apache Commons Codec vulnerability

    Source: CCN
    Type: IBM Security Bulletin 6382364 (Netcool Operations Insight)
    Netcool Operations Insight - Cloud Native Event Analytics is affected by an Apache Commons Codec vulnerability

    Source: CCN
    Type: IBM Security Bulletin 6382878 (Cloud Pak for Automation)
    Multiple vulnerabilities in middleware software affect IBM Cloud Pak for Automation

    Source: CCN
    Type: IBM Security Bulletin 6386338 (Cloud Event Management)
    Version 12.18.0 of Node.js included in IBM Netcool Operations Insight 1.6.2.x has several security vulnerabilities

    Source: CCN
    Type: IBM Security Bulletin 6395504 (Event Streams)
    IBM Event Streams is affected by multiple Node.js vulnerabilities

    Source: CCN
    Type: IBM Security Bulletin 6395552 (Netcool Agile Service Manager)
    Vulnerability in Node.js affects IBM Netcool Agile Service Manager

    Source: CCN
    Type: IBM Security Bulletin 6397686 (Cloud Pak for Integration)
    IBM Cloud Pak for Integration is affected by multiple Node.js vulnerabilities

    Source: CCN
    Type: IBM Security Bulletin 6410494 (API Connect)
    IBM API Connect is impacted by multiple vulnerabilities in Node.js.(CVE-2020-8201 CVE-2020-8251 CVE-2020-8252 )

    Source: CCN
    Type: IBM Security Bulletin 6412707 (Planning Analytics)
    IBM Planning Analytics Workspace is affected by security vulnerabilities

    Source: CCN
    Type: IBM Security Bulletin 6417485 (Cloud Private)
    IBM Cloud Private is vulnerable to Node.js vulnerabilities (CVE-2020-8201, CVE-2020-8252, CVE-2020-8251)

    Source: CCN
    Type: IBM Security Bulletin 6453411 (Cloud Pak for Data)
    Security Vulnerabilities affect IBM Cloud Pak for Data - Node.js

    Source: CCN
    Type: IBM Security Bulletin 6482499 (DataPower Gateway)
    IBM DataPower Gateway vulnerable to a DoS

    Source: CCN
    Type: IBM Security Bulletin 6497219 (QRadar Network Packet Capture)
    Node.js as used by IBM Security QRadar Packet Capture contains multiple vulnerabilities (CVE-2020-8201, CVE-2020-8252, CVE-2020-8251, CVE-2020-8277)

    Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:nodejs:node.js:14.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:business_process_manager:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_process_manager:8.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_network_packet_capture:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:2019.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:api_connect:2018.4.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_developer_cloud:1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_data:2.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_developer_cloud:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:18.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:19.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:api_connect:2018.4.1.13:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_data:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:api_connect:10.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:streams_designer:2.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:streams_designer:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:streams_designer:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:2019.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:api_connect:10.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:datapower_gateway:10.0.1.3:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:642
    P
    		Security update for nodejs10 (Moderate) (in QA)
    2022-09-30
    oval:org.opensuse.security:def:113037
    P
    		nodejs14-14.17.5-1.2 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:106478
    P
    		nodejs14-14.17.5-1.2 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:101418
    P
    		nodejs14-14.16.0-5.9.1 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:2328
    P
    		nodejs14-14.16.0-5.9.1 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:63417
    P
    		nodejs14-14.16.0-5.9.1 on GA media (Moderate)
    2021-08-10
    BACK
    nodejs node.js *
    fedoraproject fedora 33
    nodejs node.js 14.0
    ibm business process manager 8.5
    ibm business process manager 8.6
    ibm spectrum protect plus 10.1.0
    ibm qradar network packet capture 7.3
    ibm event streams 2019.2.1
    ibm watson discovery 2.0.0
    ibm api connect 2018.4.1.0
    ibm watson developer cloud 1.4.0
    ibm cloud pak for data 2.5
    ibm cloud private 3.2.1 cd
    ibm watson developer cloud 1.4.1
    ibm cloud pak for automation 20.0.1
    ibm business automation workflow 18.0
    ibm business automation workflow 19.0
    ibm business automation workflow 20.0
    ibm spectrum protect plus 10.1.6
    ibm cloud private 3.2.2 cd
    ibm api connect 2018.4.1.13
    ibm cloud pak for data 3.0
    ibm api connect 10.0.0.0
    ibm streams designer 2.5
    ibm streams designer 3.0
    ibm streams designer 3.0.1
    ibm watson discovery 2.1.4
    ibm event streams 2019.4.0
    ibm event streams 10.0
    ibm api connect 10.0.1.0
    ibm planning analytics 2.0
    ibm datapower gateway 10.0.1.3