Vulnerability description:
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
Oh, so this means the precondition for causing a DoS is that the Node.js application has functionality that accepts a domain name to resolve.
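A defensive check built from the version ranges and the precondition above, as an added example that is not part of the original note or of Node.js itself. The names `cve20208277Status` and `mayResolve` and the allowlist approach are assumptions made for illustration; release lines the note does not list are reported as "unknown".

```javascript
// Fixed versions per release line, taken from the description above.
const FIXED = { 12: [12, 19, 1], 14: [14, 15, 1], 15: [15, 2, 1] };

// Parse "v14.15.0" or "14.15.0" into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Returns "affected", "fixed", or "unknown" (release line not listed in the note).
function cve20208277Status(version) {
  const parts = parseVersion(version);
  if (!parts) return "unknown";
  const fixed = FIXED[parts[0]];
  if (!fixed) return "unknown";
  // Compare major.minor.patch left to right against the fixed release.
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== fixed[i]) return parts[i] < fixed[i] ? "affected" : "fixed";
  }
  return "fixed";
}

// Hypothetical gate for code paths that resolve a caller-supplied hostname:
// on a runtime not known to be fixed, only allowlisted names reach the resolver.
function mayResolve(hostname, allowlist, version = process.version) {
  if (cve20208277Status(version) === "fixed") return true;
  // Normalize case and a trailing root dot before the allowlist lookup.
  const h = String(hostname).toLowerCase().replace(/\.$/, "");
  return allowlist.has(h);
}
```

Calling `mayResolve(host, allowedHosts)` before any `dns` lookup on user input keeps unpatched runtimes from resolving arbitrary names until they are upgraded.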
References:
- https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/
- https://nvd.nist.gov/vuln/detail/CVE-2020-8277
- https://github.com/masahiro331/CVE-2020-8277