PT-2018-11027 · Node.Js+2

Published 2018-05-25 · Updated 2022-09-06 · CVE-2018-12120

CVSS v3.1: 8.1 High
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Node.js versions prior to 6.15.0

Description

In affected versions the debugger listens on all interfaces by default, so when it is enabled with node --debug or node debug, remote computers can attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface. The debugger was removed in Node.js 8 and replaced with the inspector.

Recommendations

For Node.js versions prior to 6.15.0, consider starting the debugger on a specific interface, such as node --debug=localhost, to minimize the risk of exploitation.
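
An added example, not part of the original advisory or of Node.js: a JavaScript check that classifies a node command line against the conditions in the description and recommendation. The --debug-brk flag, the [host:]port value syntax and all function names are assumptions of this example, and the sample inventory is constructed.

```javascript
'use strict';

// Fixed release per the advisory: versions prior to 6.15.0 are affected.
const FIXED = [6, 15, 0];
const LOOPBACK = new Set(['localhost', '127.0.0.1']);

// Compares numerically against 6.15.0, following the advisory's range literally.
function isAffectedVersion(version) {
  const parts = version.replace(/^v/, '').split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const n = parts[i] || 0;
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return false; // exactly 6.15.0
}

// args: everything after "node". Returns whether the legacy debugger is
// requested and the explicit host, if any (null = version default applies).
function debugBinding(args) {
  if (args[0] === 'debug') return { enabled: true, host: null };
  for (const arg of args) {
    // Assumed syntax: --debug[=[host:]port] and --debug-brk[=[host:]port].
    // Flags after the script path are matched too (conservative for an audit).
    const m = /^--debug(?:-brk)?(?:=(.*))?$/.exec(arg);
    if (!m) continue;
    const value = m[1] || '';
    // A bare number is a port only, so the default interface is used.
    const host = /^\d*$/.test(value) ? null : value.replace(/:\d+$/, '');
    return { enabled: true, host };
  }
  return { enabled: false, host: null };
}

function assess(version, args) {
  const { enabled, host } = debugBinding(args);
  if (!enabled) return 'debugger-off';
  if (host !== null) return LOOPBACK.has(host) ? 'loopback-only' : 'explicit-non-loopback';
  return isAffectedVersion(version) ? 'exposed-all-interfaces' : 'default-localhost';
}

// Constructed sample inventory (version, arguments after "node").
const samples = [
  ['v6.14.4', ['--debug', 'app.js']],
  ['v6.14.4', ['--debug=localhost', 'app.js']],
  ['v6.15.0', ['--debug', 'app.js']],
  ['v6.9.1', ['debug', 'app.js']],
];
for (const [v, a] of samples) console.log(v, a.join(' '), '->', assess(v, a));
```

A result of explicit-non-loopback means the command line names an interface other than localhost and should be reviewed by hand.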

Related Identifiers

ALT-PU-2018-1807
CVE-2018-12120
MGASA-2019-0277
OPENSUSE-SU-2019_0088-1
OPENSUSE-SU-2019_0234-1
SUSE-SU-2019:0117-1
SUSE-SU-2019:0395-1

Affected Products

Alt Linux
Node.Js
Suse