Description
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
References (7)
Core 7
Core References
Exploit, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/784186
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202101-07
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2021.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20201023-0003/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Scores
CVSS v3
8.1
EPSS
0.0149
EPSS Percentile
81.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-119
CWE-191
Status
published
Products (14)
netapp/active_iq_unified_manager
(2 CPE variants)
netapp/oncommand_insight
netapp/oncommand_workflow_automation
netapp/snapcenter
nodejs/node.js
< 10.21.0
oracle/banking_extensibility_workbench
14.3.0
oracle/banking_extensibility_workbench
14.4.0
oracle/blockchain_platform
< 21.1.2
oracle/mysql_cluster
< 7.3.30
oracle/retail_xstore_point_of_service
16.0.6
... and 4 more
Published
Jul 24, 2020
Tracked Since
Feb 18, 2026