SB2020060365 - Improper Authorization in nodejs-current (Alpine package)
Published: June 3, 2020
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Authorization (CVE-ID: CVE-2020-8172)
The vulnerability allows a remote attacker to bypass the authorization process.
The vulnerability exists due to TLS session reuse and host certificate verification bypass: the 'session' event can be emitted before the 'secureConnect' event in Node.js. The application's https agent caches sessions, so an unauthorized connection can be established via the cached session ticket and treated as an authorized connection.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=b4b2a5e4822d8b01e62e3be2645d38bf78c806a6
- https://git.alpinelinux.org/aports/commit/?id=7a14910d75ec00b49c3119f87badd6075099bbfa
- https://git.alpinelinux.org/aports/commit/?id=198d3bb2cd989d9883c042a284d830fb32d5029b
- https://git.alpinelinux.org/aports/commit/?id=0069a8448e7c867901988a4f689e09128bad72c0