QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2018-7166

Back to search

CVE-2018-7166

Published: Aug 21, 2018

Modified: Sep 17, 2024

PUBLISHED

Description

In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a number, this is misinterpreted by `Buffer's` internal "fill" method as the `start` to a fill operation. This flaw may be abused where `Buffer.alloc()` arguments are derived from user input to return uncleared memory blocks that may contain sensitive information.

VendorProductVersions

The Node.js Project

Node.js

affected
All versions of Node.js 10 prior to 10.9.0

Weaknesses (CWE)

CWE-226

References

RHSA-2018:2553
vendor-advisory
x_refsource_REDHAT

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now