CVE-2020-8277

Advisory lineage Upstream: 0 Downstream: 16

Downstream

ALPINE-CVE-2020-8277 DEBIAN-CVE-2020-8277 OPENSUSE-SU-2020:2045-1 OPENSUSE-SU-2020:2092-1 OPENSUSE-SU-2021:0064-1 OPENSUSE-SU-2021:0066-1

Modified

Published: 19 Nov 2020, 00:32

Last modified:30 Apr 2025, 22:24

Vulnerability Summary

Overall Risk (default)

medium

42/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

58.88% CRITICAL

59% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

19 Nov 2020, 00:32

Published

Vulnerability first disclosed

30 Apr 2025, 22:24

Last Modified

Vulnerability information updated

Description

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 58.88%• Percentile: 98%

Techniques & Countermeasures

CWE-400•Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.

Affected Systems

c-ares_project•c-ares
< 1.16.0
fedoraproject•fedora
32 | 33
nodejs•node
≥ 4.0, < 4.* | ≥ 5.0, < 5.* | ≥ 6.0, < 6.* | ≥ 7.0, < 7.* | ≥ 8.0, < 8.* | ≥ 9.0, < 9.* | ≥ 11.0, < 11.* | ≥ 12.0, < 12.19.1 | ≥ 13.0, < 13.* | ≥ 14.0, < 14.15.1 | ≥ 15.0, < 15.2.1
nodejs•node.js
≥ 12.16.3, < 12.19.1 | ≥ 14.13.0, < 14.15.1 | ≥ 15.0.0, < 15.2.1
oracle•blockchain_platform
< 21.1.2
oracle•graalvm
19.3.4 | 20.3.0
oracle•jd_edwards_enterpriseone_tools
< 9.2.6.0
oracle•mysql_cluster
≤ 8.0.23
oracle•retail_xstore_point_of_service
16.0.6 | 17.0.4 | 18.0.3 | 19.0.2