CVE-2020-8244 – bl
Package
Manager: npm
Name: bl
Vulnerable Version: >=0 <1.2.3 || >=2.0.0 <2.2.1 || =3.0.0 || >=3.0.0 <3.0.1 || >=4.0.0 <4.0.3
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00368 (percentile 0.57941)
Details
Remote Memory Exposure in bl. A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3. If attacker-supplied input (even a typed value) reaches the argument of consume() and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
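To check whether a deployed bl version falls inside the vulnerable range listed above, here is an added example (not part of the advisory or of the bl project) that evaluates that range string with a minimal semver matcher; it assumes plain x.y.z versions without prerelease tags and only the operators the range uses (>=, <, =, ||).

```javascript
// Added example: evaluate the advisory's vulnerable-version range against
// an installed bl version. Minimal semver logic (x.y.z only, no prerelease
// tags); assumption: only ">=", "<", "=" and "||" appear, as on this page.
const VULNERABLE_RANGE =
  ">=0 <1.2.3 || >=2.0.0 <2.2.1 || =3.0.0 || >=3.0.0 <3.0.1 || >=4.0.0 <4.0.3";

// "1.2" -> [1, 2, 0]; rejects anything that is not digits and dots.
function parseVersion(v) {
  if (!/^\d+(\.\d+){0,2}$/.test(v)) throw new Error(`unsupported version: ${v}`);
  const parts = v.split(".").map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Lexicographic comparison of [major, minor, patch]: returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Apply one comparator such as ">=2.0.0" to an already parsed version.
function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?(\d+(?:\.\d+){0,2})$/.exec(comparator);
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const c = compareVersions(version, parseVersion(m[2]));
  switch (m[1] || "=") {
    case ">=": return c >= 0;
    case "<=": return c <= 0;
    case ">": return c > 0;
    case "<": return c < 0;
    default: return c === 0;
  }
}

// A range is an OR ("||") of clauses; each clause is an AND of comparators.
function satisfiesRange(versionString, range) {
  const version = parseVersion(versionString);
  return range.split("||").some((clause) =>
    clause.trim().split(/\s+/).every((cmp) => satisfiesComparator(version, cmp))
  );
}

// True when the given bl version is inside the advisory's vulnerable range.
function isVulnerableBlVersion(versionString) {
  return satisfiesRange(versionString, VULNERABLE_RANGE);
}
```

The same matcher can be run over the `version` field of each `node_modules/bl/package.json` found in a dependency tree, which catches nested copies that a top-level lockfile glance would miss.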
Metadata
Created: 2020-09-02T15:26:19Z
Modified: 2022-05-26T20:43:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-pp7h-53gx-mx7r/GHSA-pp7h-53gx-mx7r.json
CWE IDs: ["CWE-125", "CWE-126"]
Alternative ID: GHSA-pp7h-53gx-mx7r
Finding: F111
Auto approve: 1