Node.js is vulnerable to buffer overflows, bypass of security restrictions, and denial of service which may affect IBM Spectrum Protect Plus.
CVEID:CVE-2020-10531
**DESCRIPTION:**International Components for Unicode (ICU) for C/C++ is vulnerable to a heap-based buffer overflow, caused by an integer overflow in UnicodeString::doAppend() function in common/unistr.cpp. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177660 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2020-8172
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions. The ‘session’ event could be emitted before the ‘secureConnect’ event and possibly allow for the reuse of the TLS session. An attacker could exploit this vulnerability to bypass host certificate verification and gain access to the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182814 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID:CVE-2020-8174
**DESCRIPTION:**Node.js is vulnerable to a buffer overflow, caused by multiple memory corruptions in the napi_get_value_string_latin1(), napi_get_value_string_utf8(), or napi_get_value_string_utf16() functions. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182816 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2020-11080
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by an error in the HTTP/2 session frame which is limited to 32 settings by default. By sending overly large HTTP/2 SETTINGS frames, an attacker could exploit this vulnerability to consume all available CPU resources.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182815 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Product(s) | Version(s) |
---|---|
IBM Spectrum Protect Plus | 10.1.0-10.1.6 |
Spectrum Protect Plus Release | First Fixing VRM Level | Platform | Link to Fix |
---|---|---|---|
10.1 | 10.1.6 ifix2 | Linux | <https://www.ibm.com/support/pages/node/6254732> |
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm spectrum protect plus | eq | 10.1 |