CVE-2018-7166

Impact:
Moderate
Public Date:
2018-08-11
CWE:
CWE-200
Bugzilla:
1620215: CVE-2018-7166 nodejs: Unintentional exposure of uninitialized memory

The MITRE CVE dictionary describes this issue as:

In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a number, this is misinterpreted by `Buffer's` internal "fill" method as the `start` to a fill operation. This flaw may be abused where `Buffer.alloc()` arguments are derived from user input to return uncleared memory blocks that may contain sensitive information.

Find out more about CVE-2018-7166 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score 5.3
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Impact None
Availability Impact None

Red Hat Security Errata

Platform Errata Release Date
Red Hat OpenShift Application Runtimes 1.0 (rhoar-nodejs) RHSA-2018:2553 2018-08-22

Affected Packages State

Platform Package State
Red Hat Software Collections for Red Hat Enterprise Linux rh-nodejs6-nodejs Not affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-nodejs8-nodejs Not affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-nodejs10-nodejs Affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-nodejs4-nodejs Not affected
Red Hat OpenShift Enterprise 3.2 nodejs Not affected
Red Hat OpenShift Enterprise 3.1 nodejs Not affected
Red Hat OpenShift Container Platform 3.9 nodejs Not affected
Red Hat OpenShift Container Platform 3.7 nodejs Not affected
Red Hat OpenShift Container Platform 3.6 nodejs Not affected
Red Hat OpenShift Container Platform 3.5 nodejs Not affected
Red Hat OpenShift Container Platform 3.4 nodejs Not affected
Red Hat OpenShift Container Platform 3.3 nodejs Not affected
Red Hat OpenShift Container Platform 3.11 nodejs Not affected
Red Hat OpenShift Container Platform 3.10 nodejs Not affected
Last Modified

CVE description copyright © 2017, The MITRE Corporation