
CVE-2020-8172

nodejs: TLS session reuse can lead to hostname verification bypass

Severity Score: 7.4 (CVSS v3.1)
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits: 1 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.

TLS session reuse can lead to a bypass of host certificate verification in node versions prior to 12.18.0 and prior to 14.4.0.

A TLS Hostname verification bypass vulnerability exists in NodeJS. This flaw allows an attacker to bypass TLS Hostname verification when a TLS client reuses HTTPS sessions.

*Credits: N/A

CVSS Scores

CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: None

CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: None

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2020-01-28 CVE Reserved
  • 2020-06-08 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • 2024-10-02 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-285: Improper Authorization
  • CWE-295: Improper Certificate Validation
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product                           Version               Other       Status
Nodejs   Node.js                           >= 12.0.0 < 12.18.0   -           Affected
Nodejs   Node.js                           >= 14.0.0 < 14.4.0    -           Affected
Oracle   Banking Extensibility Workbench   14.3.0                -           Affected
Oracle   Banking Extensibility Workbench   14.4.0                -           Affected
Oracle   Blockchain Platform               < 21.1.2              -           Affected
Oracle   Graalvm                           19.3.2                enterprise  Affected
Oracle   Graalvm                           20.1.0                enterprise  Affected
Oracle   Mysql Cluster                     <= 7.3.30             -           Affected
Oracle   Mysql Cluster                     >= 7.4.0 <= 7.4.29    -           Affected
Oracle   Mysql Cluster                     >= 7.5.0 <= 7.5.19    -           Affected
Oracle   Mysql Cluster                     >= 7.6.0 <= 7.6.15    -           Affected
Oracle   Mysql Cluster                     >= 8.0.0 <= 8.0.21    -           Affected