CVE-2018-12120

EPSS 0.42%
Published 28.11.2018 17:29:00
Last modified 21.11.2024 03:44:38
Source cve-request@iojs.org
Teams watchlist Login
Open Login

Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.

Affected products Warnungen 0 Metrics 3 CWE 2 References 5

Data is provided by the National Vulnerability Database (NVD)

Nodejs ≫ Node.Js SwEditionlts Version >= 6.0.0 < 6.15.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.42%	0.612

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-419 Unprotected Primary Channel

The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

Patch

Vendor Advisory

http://www.securityfocus.com/bid/106040

Third Party Advisory

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2018-12120

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-12120

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-12120

EUVD