CVE-2020-8287
6.5 MEDIUM
Published: 1/6/2021
Updated: 11/21/2024
Description
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.
Affected Products
- nodejs node.js
- debian debian_linux 10.0
- fedoraproject fedora 32
- fedoraproject fedora 33
- oracle graalvm 19.3.4
- oracle graalvm 20.3.0
- siemens sinec_infrastructure_network_services
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf (Patch, Third Party Advisory)
- https://hackerone.com/reports/1002188 (Exploit, Issue Tracking, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/
- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ (Patch, Vendor Advisory)
- https://security.gentoo.org/glsa/202101-07 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20210212-0003/ (Third Party Advisory)
- https://www.debian.org/security/2021/dsa-4826 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html (Third Party Advisory)