{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-07-05T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-11-25T19:57:01.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://codereview.chromium.org/1226493003"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://medium.com/%40iojs/important-security-upgrades-for-node-js-and-io-js-8ac14ece5852"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/joyent/node/issues/25583"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/"}, {"name": "75556", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/75556"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-5380", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://codereview.chromium.org/1226493003", "refsource": "CONFIRM", "url": "https://codereview.chromium.org/1226493003"}, {"name": "https://medium.com/@iojs/important-security-upgrades-for-node-js-and-io-js-8ac14ece5852", "refsource": "CONFIRM", "url": "https://medium.com/@iojs/important-security-upgrades-for-node-js-and-io-js-8ac14ece5852"}, {"name": "https://github.com/joyent/node/issues/25583", "refsource": "CONFIRM", "url": "https://github.com/joyent/node/issues/25583"}, {"name": "http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/", "refsource": "CONFIRM", "url": "http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/"}, {"name": "75556", "refsource": "BID", "url": "http://www.securityfocus.com/bid/75556"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:50:02.366Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://codereview.chromium.org/1226493003"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://medium.com/%40iojs/important-security-upgrades-for-node-js-and-io-js-8ac14ece5852"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/joyent/node/issues/25583"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/"}, {"name": "75556", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/75556"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-5380", "datePublished": "2015-07-09T10:00:00.000Z", "dateReserved": "2015-07-06T00:00:00.000Z", "dateUpdated": "2024-08-06T06:50:02.366Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:v8:-:*:*:*:*:*:*:*", "matchCriteriaId": "7900AA49-FCFE-4068-BA49-50EA0B53C4CF", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:iojs:io.js:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3188BB5-6918-455C-8D25-B4DBA22830D6", "versionEndIncluding": "1.8.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:iojs:io.js:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "FABEE90B-14C3-4147-BBDA-6E1186452174", "vulnerable": true}, {"criteria": "cpe:2.3:a:iojs:io.js:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "2FF9263D-673F-40A4-8D40-56DE5AD63B73", "vulnerable": true}, {"criteria": "cpe:2.3:a:iojs:io.js:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "52BE5478-4021-42D4-B101-A572AAE17DAF", "vulnerable": true}, {"criteria": "cpe:2.3:a:iojs:io.js:2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "2233DADC-4FBB-4459-AD8D-B15636DC5970", "vulnerable": true}, {"criteria": "cpe:2.3:a:iojs:io.js:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "72CC13EF-7061-4833-A079-EAB70A32F64B", "vulnerable": true}, {"criteria": "cpe:2.3:a:iojs:io.js:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "BA4A14A1-1D14-4CE8-9198-80C1772A8AC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:iojs:io.js:2.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "A9D2B3E1-973D-46ED-ADE4-BECE0CAFD678", "vulnerable": true}, {"criteria": "cpe:2.3:a:iojs:io.js:2.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "8261E351-8CB2-4BCB-AB75-9FDD96DC2BA3", "vulnerable": true}, {"criteria": "cpe:2.3:a:iojs:io.js:2.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "C236FE4E-1FF0-47E5-91F9-75ADD6C61498", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BCBBCD4-2142-44B7-B3ED-6D2A301F85C6", "versionEndIncluding": "0.12.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence."}, {"lang": "es", "value": "La funci\u00f3n de Utf8DecoderBase::WriteUtf16Slow en unicode.decoder.cc en Google V8, al igual que como se usa en Node.js anterior a 0.12.6, io.js anterior a 1.8.3 y 2.x antes de 2.3.3 y otros productos, no verifica que haya memoria disponible para un par surrogado UTF-16, lo que permite a atacantes remotos provocar una denegaci\u00f3n de servicio (corrupci\u00f3n de memoria) o la posibilidad de causar otro impacto a trav\u00e9s de una secuencia de bytes manipulada."}], "id": "CVE-2015-5380", "lastModified": "2026-05-06T22:30:45.220", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-07-09T10:59:00.057", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/75556"}, {"source": "cve@mitre.org", "url": "https://codereview.chromium.org/1226493003"}, {"source": "cve@mitre.org", "url": "https://github.com/joyent/node/issues/25583"}, {"source": "cve@mitre.org", "url": "https://medium.com/%40iojs/important-security-upgrades-for-node-js-and-io-js-8ac14ece5852"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/75556"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://codereview.chromium.org/1226493003"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/joyent/node/issues/25583"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://medium.com/%40iojs/important-security-upgrades-for-node-js-and-io-js-8ac14ece5852"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "nodejs: `Buffer` to UTF8 `String` conversion DoS", "id": "1239332", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1239332"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "draft"}, "cwe": "CWE-787", "details": ["The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence."], "name": "CVE-2015-5380", "package_state": [{"cpe": "cpe:/a:redhat:openstack:5::el6", "fix_state": "Not affected", "package_name": "v8", "product_name": "Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)"}, {"cpe": "cpe:/a:redhat:openstack:6", "fix_state": "Not affected", "package_name": "v8", "product_name": "Red Hat Enterprise Linux OpenStack Platform 6 (Juno)"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Will not fix", "package_name": "v8", "product_name": "Red Hat OpenShift Enterprise 2"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "package_name": "v8", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Not affected", "package_name": "nodejs010-nodejs", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Will not fix", "package_name": "v8314-v8", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Will not fix", "package_name": "v8", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2015-07-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-5380\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-5380"], "statement": "This issue affects the versions of nodejs as shipped with various Red Hat Enterprise products. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.\nRed Hat Satellite 6.5 ship v8 however has been rated as a security impact of Moderate, product version Satellite 6.6 onward is not affected. Satellite 6.5 is in Maintenance Support phase of the product life cycle and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 6 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "threat_severity": "Moderate"}

{}