Unrated severityNVD Advisory· Published Jun 13, 2018· Updated Sep 17, 2024
CVE-2018-7167
CVE-2018-7167
Description
Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.
Affected products
19- osv-coords18 versionspkg:rpm/suse/firefox-atk&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-cairo&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-gdk-pixbuf&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-glib2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-harfbuzz&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-libffi&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-libffi-gcc5&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-pango&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/MozillaFirefox-branding-SLED&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/mozilla-nspr&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/mozilla-nss&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/nodejs6&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/nodejs6&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/nodejs6&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/nodejs6&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015
< 2.26.1-2.8.4+ 17 more
- (no CPE)range: < 2.26.1-2.8.4
- (no CPE)range: < 1.15.10-2.13.4
- (no CPE)range: < 2.36.11-2.8.4
- (no CPE)range: < 2.54.3-2.14.7
- (no CPE)range: < 3.10.9-2.15.3
- (no CPE)range: < 1.7.5-2.7.4
- (no CPE)range: < 3.2.1.git259-2.3.3
- (no CPE)range: < 5.3.1+r233831-14.1
- (no CPE)range: < 1.40.14-2.7.4
- (no CPE)range: < 68-21.9.8
- (no CPE)range: < 68.2.0-78.51.4
- (no CPE)range: < 4.21-29.6.1
- (no CPE)range: < 3.45-38.9.3
- (no CPE)range: < 6.14.3-11.15.1
- (no CPE)range: < 6.14.3-11.15.1
- (no CPE)range: < 6.14.3-11.15.1
- (no CPE)range: < 6.14.3-11.15.1
- (no CPE)range: < 8.11.3-3.5.1
- The Node.js Project/Node.jsv5Range: 6.x+
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- security.gentoo.org/glsa/202003-48mitrevendor-advisoryx_refsource_GENTOO
- www.securityfocus.com/bid/106363mitrevdb-entryx_refsource_BID
- nodejs.org/en/blog/vulnerability/june-2018-security-releases/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.