{
  "threat_severity" : "Moderate",
  "public_date" : "2020-06-02T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs: TLS session reuse can lead to hostname verification bypass",
    "id" : "1845247",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1845247"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-285",
  "details" : [ "TLS session reuse can lead to host certificate verification bypass in Node.js 12.x versions before 12.18.0 and 14.x versions before 14.4.0.", "A TLS hostname verification bypass vulnerability exists in Node.js. This flaw allows an attacker to bypass TLS hostname verification when a TLS client reuses HTTPS sessions." ],
  "statement" : "This issue affects only the TLS 1.2 protocol, not TLS 1.3. This issue does not affect Node.js 10.\nRed Hat Quay installs Node.js as a dependency of Yarn. It does not use Node.js at runtime, but executes JavaScript in the client's browser instead. Therefore the impact of this vulnerability on Red Hat Quay is low.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-07-07T00:00:00Z",
    "advisory" : "RHSA-2020:2852",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:12-8020020200630155331.4cda2c84"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.1 Extended Update Support",
    "release_date" : "2020-07-07T00:00:00Z",
    "advisory" : "RHSA-2020:2847",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.1",
    "package" : "nodejs:12-8010020200630154708.c27ad7f8"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2020-07-13T00:00:00Z",
    "advisory" : "RHSA-2020:2895",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-0:12.18.2-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2020-07-13T00:00:00Z",
    "advisory" : "RHSA-2020:2895",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-0:12.18.2-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2020-07-13T00:00:00Z",
    "advisory" : "RHSA-2020:2895",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-0:12.18.2-1.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:10/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:14/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Fix deferred",
    "package_name" : "nodejs",
    "cpe" : "cpe:/a:redhat:quay:3",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-nodejs10-nodejs",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-8172\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8172" ],
  "name" : "CVE-2020-8172",
  "csaw" : false
}