CVE-2020-8252

Published: 18 September 2020

The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package Release Status
libuv1
Launchpad, Ubuntu, Debian
Upstream
Released (1.39.0-1)
Ubuntu 20.10 (Groovy Gorilla)
Released (1.38.0-2ubuntu2)
Ubuntu 20.04 LTS (Focal Fossa)
Released (1.34.2-1ubuntu1.1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(1.18.0-3)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(1.8.0-1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Ubuntu 12.04 ESM (Precise Pangolin) Does not exist

Patches:
Upstream: https://github.com/libuv/libuv/commit/0e6e8620496dff0eb285589ef1e37a7f407f3ddd