CVE-2018-7167
Summary
| CVE | CVE-2018-7167 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-06-13 16:29:00 UTC |
| Updated | 2022-08-29 20:24:00 UTC |
| Description | Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable. |
Risk And Classification
Problem Types: CWE-119
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Node.js Multiple Denial of Service Vulnerabilities | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| June 2018 Security Releases \| Node.js | CONFIRM | nodejs.org | Vendor Advisory |
| Node.js: Multiple vulnerabilities (GLSA 202003-48) — Gentoo security | GENTOO | security.gentoo.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.