CVE-2017-15896 - OpenCVE

Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Nodejs	Node.js

Configuration 1 [-]

OR	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*

References

Link	Resource
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/	Issue Tracking Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: nodejs

Published: 2017-12-07T00:00:00

Updated: 2017-12-11T20:57:01

Reserved: 2017-10-25T00:00:00

Link: CVE-2017-15896

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-12-11T21:29:00.517

Modified: 2022-08-16T13:01:10.227

Link: CVE-2017-15896

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "Node.js", "vendor": "The Node.js Project", "versions": [{"status": "affected", "version": "4.0.0 and higher"}, {"status": "affected", "version": "6.0.0 and higher"}, {"status": "affected", "version": "8.0.0 and higher"}, {"status": "affected", "version": "9.0.0 and higher"}]}], "datePublic": "2017-12-07T00:00:00", "descriptions": [{"lang": "en", "value": "Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption."}], "problemTypes": [{"descriptions": [{"description": "Data Confidentiality/Integrity", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-12-11T20:57:01", "orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558", "shortName": "nodejs"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-request@iojs.org", "DATE_PUBLIC": "2017-12-07T00:00:00", "ID": "CVE-2017-15896", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Node.js", "version": {"version_data": [{"version_value": "4.0.0 and higher"}, {"version_value": "6.0.0 and higher"}, {"version_value": "8.0.0 and higher"}, {"version_value": "9.0.0 and higher"}]}}]}, "vendor_name": "The Node.js Project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Data Confidentiality/Integrity"}]}]}, "references": {"reference_data": [{"name": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/", "refsource": "CONFIRM", "url": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/"}]}}}}, "cveMetadata": {"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558", "assignerShortName": "nodejs", "cveId": "CVE-2017-15896", "datePublished": "2017-12-07T00:00:00", "dateReserved": "2017-10-25T00:00:00", "dateUpdated": "2017-12-11T20:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "A47FC4F7-1F77-4314-B4B3-3C5D8E335379", "versionEndIncluding": "4.1.2", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "3818E441-8DC4-42E6-8D11-E58D195CBE8A", "versionEndExcluding": "4.8.7", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "D107EC29-67E7-40C3-8E5A-324C9105C5E4", "versionEndIncluding": "6.8.1", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "BEA03114-7288-4E7C-9220-C0ABCD5F0389", "versionEndExcluding": "6.12.2", "versionStartIncluding": "6.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "74FB695D-2C76-47AB-988E-5629D2E695E5", "versionEndIncluding": "8.8.1", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "C45E9D50-CD3D-480B-B9B8-451ADFF26505", "versionEndExcluding": "8.9.3", "versionStartIncluding": "8.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "82FDBB10-3298-4C9A-9CC0-D34643AEC868", "versionEndExcluding": "9.2.1", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption."}, {"lang": "es", "value": "Node.js se ha visto afectado por una vulnerabilidad de OpenSSL (CVE-2017-3737) en relaci\u00f3n con el uso de SSL_read() debido a un error en la negociaci\u00f3n TLS. El resultado era que un atacante de una red activa podr\u00eda enviar datos de la aplicaci\u00f3n a Node.js empleando los m\u00f3dulos TLS o HTTP2 de forma que omitan la autenticaci\u00f3n y codificaci\u00f3n TLS."}], "id": "CVE-2017-15896", "lastModified": "2022-08-16T13:01:10.227", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-12-11T21:29:00.517", "references": [{"source": "cve-request@iojs.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/"}], "sourceIdentifier": "cve-request@iojs.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}