#VU47248 Buffer overflow in libuv - CVE-2020-8252

 

Published: September 18, 2020 / Updated: October 2, 2020


Vulnerability identifier: #VU47248
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-8252
CWE-ID: CWE-120
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
libuv
Software vendor:
libuv.org

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to incorrect validation in libuv's realpath handling. The library incorrectly determines the buffer size, which can result in a buffer overflow if the resolved path is longer than 256 bytes. A remote attacker can pass an overly long path to an application that uses the library, trigger memory corruption and execute arbitrary code on the system.
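A defensive pattern for the buffer-sizing mistake described above, as an added example (it is not libuv's code or its patch): let the C library size the result, then copy into a fixed buffer only after checking the length. The helper name `resolve_into` is hypothetical, and the code assumes a POSIX.1-2008 `realpath()` that accepts a NULL second argument.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose realpath() under strict -std= modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* resolve_into() is a hypothetical helper, not a libuv function.
 * It resolves `path` into dst[cap] and returns the resolved length,
 * or -1 with errno set (ERANGE when dst is too small). */
long resolve_into(const char *path, char *dst, size_t cap)
{
    /* Assumption: POSIX.1-2008 realpath(). With a NULL second argument
     * libc allocates a buffer of the size the result needs, so the
     * caller never has to guess a maximum path length up front. */
    char *resolved = realpath(path, NULL);
    if (resolved == NULL)
        return -1;                      /* errno already set by realpath() */

    size_t len = strlen(resolved);
    if (cap == 0 || len + 1 > cap) {    /* +1 for the terminating NUL */
        free(resolved);
        errno = ERANGE;                 /* refuse: no truncation, no overflow */
        return -1;
    }
    memcpy(dst, resolved, len + 1);
    free(resolved);
    return (long)len;
}

int main(int argc, char **argv)
{
    char out[256];                      /* 256 bytes, the length named in the advisory */
    const char *path = argc > 1 ? argv[1] : ".";
    long n = resolve_into(path, out, sizeof out);
    if (n < 0) {
        fprintf(stderr, "%s: %s\n", path, strerror(errno));
        return 1;
    }
    printf("%s (%ld bytes)\n", out, n);
    return 0;
}
```

A resolved path that does not fit the destination is reported as `ERANGE`, so the caller can log and reject the request rather than write past the buffer.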


Remediation

Install the update from the vendor's website.
