A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1 and <1.2.3 which could allow an attacker to supply user input (even typed) that, if it ends up as the consume() argument and can become negative, corrupts the BufferList state, tricking it into exposing uninitialized memory via regular .slice() calls. External Reference: https://hackerone.com/reports/966347
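The failure mode above is consume() trusting a possibly negative or NaN byte count. As an added example (not the bl project's code), here is a minimal chunk list whose consume() normalizes its argument the way Buffer does (truncate, then ignore NaN and non-positive values) so the internal offset can never move before the start of a chunk; the class and method names are assumptions for illustration only.

```javascript
// Added illustration, not code from bl: a tiny chunk list with a guarded consume().
class SafeChunkList {
  constructor () {
    this.chunks = []   // array of Buffers, in order
    this.length = 0    // total bytes across chunks; must stay consistent with chunks
  }

  append (data) {
    const buf = Buffer.from(data)
    this.chunks.push(buf)
    this.length += buf.length
    return this
  }

  // Normalize an untrusted count: truncate like Buffer does, then treat
  // NaN and non-positive values as "consume nothing". Without this guard a
  // negative count would grow `length` past the real data and let slice()
  // hand back bytes that were never written.
  static normalizeCount (bytes) {
    const n = Math.trunc(Number(bytes))
    return Number.isNaN(n) || n <= 0 ? 0 : n
  }

  consume (bytes) {
    let n = SafeChunkList.normalizeCount(bytes)
    while (n > 0 && this.chunks.length > 0) {
      const head = this.chunks[0]
      if (n >= head.length) {
        // drop the whole leading chunk
        this.chunks.shift()
        this.length -= head.length
        n -= head.length
      } else {
        // keep the tail of the leading chunk
        this.chunks[0] = head.subarray(n)
        this.length -= n
        n = 0
      }
    }
    return this
  }

  // Only ever concatenates bytes that were actually appended.
  slice () {
    return Buffer.concat(this.chunks)
  }
}
```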
Created nodejs-bl tracking bugs for this issue:
Affects: epel-7 [bug 1874777]
Affects: fedora-all [bug 1874776]
Changes to CVSS score:
3.7/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N -> 6.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
AC:H -> AC:L
A:N -> A:L
Also I increased the Impact to Moderate.
Upstream fix: https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190
Statement: Red Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-bl module is used, but during the update to a container-first delivery (openshift4/ose-logging-kibana6) the dependency was removed, and hence the kibana package is marked as wontfix. This may be fixed in the future.