Home > Vulnerability Database > CVE-2018-7166

Mend.io Vulnerability Database

CVE-2018-7166

Date: August 21, 2018

In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause "Buffer.alloc()" to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying "encoding" can be passed as a number, this is misinterpreted by "Buffer's" internal "fill" method as the "start" to a fill operation. This flaw may be abused where "Buffer.alloc()" arguments are derived from user input to return uncleared memory blocks that may contain sensitive information.

Language: JS

Severity Score

7.5

Related Resources (4)

Url: https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

Url: https://access.redhat.com/errata/RHSA-2018:2553

Url: https://nvd.nist.gov/vuln/detail/CVE-2018-7166

Url: https://www.mend.io/vulnerability-database/CVE-2018-7166

Severity Score

7.5

Weakness Type (CWE)

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-119

Sensitive Information in Resource Not Removed Before Reuse

CWE-226

Use of Uninitialized Resource

CWE-908

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2018-7166

Date: August 21, 2018

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?