CVE-2020-8277

HIGH LAB

Node.js <15.2.1, <14.15.1, <12.19.1 - DoS

Title source: llm

Description

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.

Exploits (2)

nomisec WORKING POC 8 stars

by masahiro331 · poc

https://github.com/masahiro331/CVE-2020-8277

View Code ZIP pw:eip

nomisec WORKING POC

by AndrewIjano · poc

https://github.com/AndrewIjano/CVE-2020-8277

View Code ZIP pw:eip

References (13)

Core 13

Core References

Permissions Required, Third Party Advisory x_refsource_misc

https://hackerone.com/reports/1033107

Patch, Vendor Advisory x_refsource_confirm

https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A7WH7W46OZSEUHWBHD7TCH3LRFY52V6Z/

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEJBY3RJB3XWUOJFGZM5E3EMQ7MFM3UT/

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/202012-11

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/202101-07

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpujan2021.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXLJY4764LYVJPC7NCDLE2UMQ3QC5OI2/

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEIV4CH6KNVZK63Y6EKVN2XDW7IHSJBJ/

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuApr2021.html

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com//security-alerts/cpujul2021.html

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuapr2022.html

Scores

CVSS v3 7.5

EPSS 0.5917

EPSS Percentile 98.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Lab Environment

COMMUNITY

Community Lab

docker pull internetsystemsconsortium/bind9:9.11

https://github.com/masahiro331/CVE-2020-8277

https://github.com/AndrewIjano/CVE-2020-8277

View in Library

Details

CWE

CWE-400

Status published

Products (14)

c-ares_project/c-ares < 1.16.0

fedoraproject/fedora 32

fedoraproject/fedora 33

nodejs/node.js 12.16.3 - 12.19.1

nodejs/node.js 15.0.0 - 15.2.1

oracle/blockchain_platform < 21.1.2

oracle/graalvm 19.3.4

oracle/graalvm 20.3.0

oracle/jd_edwards_enterpriseone_tools < 9.2.6.0

oracle/mysql_cluster < 8.0.23

... and 4 more

Published Nov 19, 2020

Tracked Since Feb 18, 2026