Vulnerability-Lookup

CVE-2020-8287 (GCVE-0-2020-8287)

Vulnerability from cvelistv5 – Published: 2021-01-06 00:00 – Updated: 2025-04-30 22:24

Summary

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

Severity ?

No CVSS data available.

CWE

CWE-444 - HTTP Request Smuggling (CWE-444)

Assigner

hackerone

References

URL

	Vendor	Product	Version
	NodeJS	Node	Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.23.1 (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.20.1 (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.15.4 (semver) Affected: 15.0 , < 15.5.1 (semver)

CERTFR-2022-AVI-216

Vulnerability from certfr_avis - Published: 2022-03-08 - Updated: 2022-03-08

De multiples vulnérabilités ont été découvertes dans les produits Siemens. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Mendix Forgot Password Appstore module versions 3.2.x antérieures à 3.2.2
Mendix Forgot Password Appstore module versions 3.3.x à 3.5.x antérieures à 3.5.1
Mendix Applications utilisant Mendix versions 7.x antérieures à 7.23.29
Mendix Applications utilisant Mendix versions 8.x antérieures à 8.18.16
COMOS versions antérieures à 10.4.1
Simcenter STAR-CCM+ Viewer versions antérieures à V2022.1
SIMOTICS CONNECT 400 versions antérieures à 1.0.0.0
Climatix POL909 (module AWB) versions antérieures à 11.44
Climatix POL909 (module AWM) versions antérieures à 11.36
RUGGEDCOM ROS M2100, RMC8388, RS416v2, RS900G, RS900G (32M), RSG900, RSG920P, RSG2100 (32M), RSG2100P, RSG2100P (32M), RSG2288, RSG2300, RSG2300P, RSG2488, RSL910, RST916C, RST916P et RST2228 versions antérieures à 5.6.0
SINUMERIK MC versions antérieures à 1.15 SP1
SINUMERIK ONE versions antérieures à 6.15 SP1
SINEC INS versions antérieures à 1.0.1.1
RUGGEDCOM ROX MX5000, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536 et RX5000 versions antérieures à 2.15.0
Polarion Subversion Webclient versions antérieures à 21 R2 P2
RUGGEDCOM ROS i800, i801, i802, i803, M969, M2100, M2200, RMC, RMC20, RMC30, RMC40, RMC41, RMC8388, RP110, RS400, RS401, RS416, RS416v2, RS900 (32M), RS900G, RS900G (32M), RS900GP, RS900L, RS900L, RS900W, RS910, RS910L, RS910W, RS920L, RS920W, RS930L, RS930W, RS940G, RS969, RS8000, RS8000A, RS8000H, RS8000T, RSG900, RSG900C, RSG900G, RSG900R, RSG907R, RSG908C, RSG909R, RSG910C, RSG920P, RSG2100, RSG2100 (32M), RSG2100P, RSG2100P (32M), RSG2200, RSG2288, RSG2300, RSG2300P, RSG2488, RSL910, RST916C, RST916P et RST2228 versions antérieures à 5.6.0

L'éditeur ne propose pas de correctif pour :

Mendix Applications utilisant Mendix versions 9
SINEC NMS toutes versions

Se référer aux mesures de contournement proposées dans la section Documentation.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité Siemens ssa-166747 du 8 mars 2022	None	vendor-advisory
Bulletin de sécurité Siemens ssa-252466 du 8 mars 2022	None	vendor-advisory
Bulletin de sécurité Siemens ssa-562051 du 8 mars 2022	None	vendor-advisory
Bulletin de sécurité Siemens ssa-223353 du 8 mars 2022	None	vendor-advisory
Bulletin de sécurité Siemens ssa-337210 du 8 mars 2022	None	vendor-advisory
Bulletin de sécurité Siemens ssa-148641 du 8 mars 2022	None	vendor-advisory
Bulletin de sécurité Siemens ssa-389290 du 8 mars 2022	None	vendor-advisory
Bulletin de sécurité Siemens ssa-764417 du 8 mars 2022	None	vendor-advisory
Bulletin de sécurité Siemens ssa-256353 du 8 mars 2022	None	vendor-advisory
Bulletin de sécurité Siemens ssa-703715 du 8 mars 2022	None	vendor-advisory
Bulletin de sécurité Siemens ssa-594438 du 8 mars 2022	None	vendor-advisory
Bulletin de sécurité Siemens ssa-415938 du 8 mars 2022	None	vendor-advisory
Bulletin de sécurité Siemens ssa-134279 du 8 mars 2022	None	vendor-advisory
Bulletin de sécurité Siemens ssa-155599 du 8 mars 2022	None	vendor-advisory
Bulletin de sécurité Siemens ssa-406691 du 8 mars 2022	None	vendor-advisory
Bulletin de sécurité Siemens ssa-250085 du 8 mars 2022	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cul\u003e \u003cli\u003eMendix Forgot Password Appstore module versions 3.2.x ant\u00e9rieures \u00e0 3.2.2\u003c/li\u003e \u003cli\u003eMendix Forgot Password Appstore module versions 3.3.x \u00e0 3.5.x ant\u00e9rieures \u00e0 3.5.1\u003c/li\u003e \u003cli\u003eMendix Applications utilisant Mendix versions 7.x ant\u00e9rieures \u00e0 7.23.29\u003c/li\u003e \u003cli\u003eMendix Applications utilisant Mendix versions 8.x ant\u00e9rieures \u00e0 8.18.16\u003c/li\u003e \u003cli\u003eCOMOS versions ant\u00e9rieures \u00e0 10.4.1\u003c/li\u003e \u003cli\u003eSimcenter STAR-CCM+ Viewer versions ant\u00e9rieures \u00e0 V2022.1\u003c/li\u003e \u003cli\u003eSIMOTICS CONNECT 400 versions ant\u00e9rieures \u00e0 1.0.0.0\u003c/li\u003e \u003cli\u003eClimatix POL909 (module AWB) versions ant\u00e9rieures \u00e0 11.44\u003c/li\u003e \u003cli\u003eClimatix POL909 (module AWM) versions ant\u00e9rieures \u00e0 11.36\u003c/li\u003e \u003cli\u003eRUGGEDCOM ROS M2100, RMC8388, RS416v2, RS900G, RS900G (32M), RSG900, RSG920P, RSG2100 (32M), RSG2100P, RSG2100P (32M), RSG2288, RSG2300, RSG2300P, RSG2488, RSL910, RST916C, RST916P et RST2228 versions ant\u00e9rieures \u00e0 5.6.0\u003c/li\u003e \u003cli\u003eSINUMERIK MC versions ant\u00e9rieures \u00e0 1.15 SP1\u003c/li\u003e \u003cli\u003eSINUMERIK ONE versions ant\u00e9rieures \u00e0 6.15 SP1\u003c/li\u003e \u003cli\u003eSINEC INS versions ant\u00e9rieures \u00e0 1.0.1.1\u003c/li\u003e \u003cli\u003eRUGGEDCOM ROX MX5000, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536 et RX5000 versions ant\u00e9rieures \u00e0 2.15.0\u003c/li\u003e \u003cli\u003ePolarion Subversion Webclient versions ant\u00e9rieures \u00e0 21 R2 P2\u003c/li\u003e \u003cli\u003eRUGGEDCOM ROS i800, i801, i802, i803, M969, M2100, M2200, RMC, RMC20, RMC30, RMC40, RMC41, RMC8388, RP110, RS400, RS401, RS416, RS416v2, RS900 (32M), RS900G, RS900G (32M), RS900GP, RS900L, RS900L, RS900W, RS910, RS910L, RS910W, RS920L, RS920W, RS930L, RS930W, RS940G, RS969, RS8000, RS8000A, RS8000H, RS8000T, RSG900, RSG900C, RSG900G, RSG900R, RSG907R, RSG908C, RSG909R, RSG910C, RSG920P, RSG2100, RSG2100 (32M), RSG2100P, RSG2100P (32M), RSG2200, RSG2288, RSG2300, RSG2300P, RSG2488, RSL910, RST916C, RST916P et RST2228 versions ant\u00e9rieures \u00e0 5.6.0\u003c/li\u003e \u003c/ul\u003e \u003cp\u003eL\u0027\u00e9diteur ne propose pas de correctif pour :\u003c/p\u003e \u003cul\u003e \u003cli\u003eMendix Applications utilisant Mendix versions 9\u003c/li\u003e \u003cli\u003eSINEC NMS toutes versions\u003c/li\u003e \u003c/ul\u003e \u003cp\u003eSe r\u00e9f\u00e9rer aux mesures de contournement propos\u00e9es dans la section Documentation.\u003c/p\u003e \u003cp\u003e\u0026nbsp;\u003c/p\u003e ",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-44478",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44478"
    },
    {
      "name": "CVE-2021-22898",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22898"
    },
    {
      "name": "CVE-2020-13871",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13871"
    },
    {
      "name": "CVE-2021-42017",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42017"
    },
    {
      "name": "CVE-2022-24282",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24282"
    },
    {
      "name": "CVE-2021-25215",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-25215"
    },
    {
      "name": "CVE-2019-19317",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19317"
    },
    {
      "name": "CVE-2020-8169",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8169"
    },
    {
      "name": "CVE-2021-25174",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-25174"
    },
    {
      "name": "CVE-2021-22925",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22925"
    },
    {
      "name": "CVE-2021-37701",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37701"
    },
    {
      "name": "CVE-2021-32944",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-32944"
    },
    {
      "name": "CVE-2019-19244",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19244"
    },
    {
      "name": "CVE-2021-27290",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-27290"
    },
    {
      "name": "CVE-2021-42020",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42020"
    },
    {
      "name": "CVE-2020-8285",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8285"
    },
    {
      "name": "CVE-2021-22901",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22901"
    },
    {
      "name": "CVE-2021-22940",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22940"
    },
    {
      "name": "CVE-2021-32804",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-32804"
    },
    {
      "name": "CVE-2020-13632",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13632"
    },
    {
      "name": "CVE-2022-24281",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24281"
    },
    {
      "name": "CVE-2021-32936",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-32936"
    },
    {
      "name": "CVE-2021-22930",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22930"
    },
    {
      "name": "CVE-2019-19926",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19926"
    },
    {
      "name": "CVE-2020-9327",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9327"
    },
    {
      "name": "CVE-2020-8286",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8286"
    },
    {
      "name": "CVE-2020-7774",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7774"
    },
    {
      "name": "CVE-2021-22918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22918"
    },
    {
      "name": "CVE-2020-27304",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-27304"
    },
    {
      "name": "CVE-2021-32946",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-32946"
    },
    {
      "name": "CVE-2021-41543",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-41543"
    },
    {
      "name": "CVE-2020-8177",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8177"
    },
    {
      "name": "CVE-2020-1971",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-1971"
    },
    {
      "name": "CVE-2020-13630",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13630"
    },
    {
      "name": "CVE-2021-3450",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3450"
    },
    {
      "name": "CVE-2021-22939",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22939"
    },
    {
      "name": "CVE-2019-19646",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19646"
    },
    {
      "name": "CVE-2021-40366",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40366"
    },
    {
      "name": "CVE-2021-41542",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-41542"
    },
    {
      "name": "CVE-2021-41541",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-41541"
    },
    {
      "name": "CVE-2021-22924",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22924"
    },
    {
      "name": "CVE-2022-24309",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24309"
    },
    {
      "name": "CVE-2020-8265",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8265"
    },
    {
      "name": "CVE-2021-37713",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37713"
    },
    {
      "name": "CVE-2021-22947",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22947"
    },
    {
      "name": "CVE-2019-19925",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19925"
    },
    {
      "name": "CVE-2021-22922",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22922"
    },
    {
      "name": "CVE-2019-19924",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19924"
    },
    {
      "name": "CVE-2021-32938",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-32938"
    },
    {
      "name": "CVE-2020-11656",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-11656"
    },
    {
      "name": "CVE-2022-26317",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-26317"
    },
    {
      "name": "CVE-2021-22946",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22946"
    },
    {
      "name": "CVE-2021-37712",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37712"
    },
    {
      "name": "CVE-2020-8284",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8284"
    },
    {
      "name": "CVE-2021-32940",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-32940"
    },
    {
      "name": "CVE-2021-3711",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3711"
    },
    {
      "name": "CVE-2021-37208",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37208"
    },
    {
      "name": "CVE-2021-32948",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-32948"
    },
    {
      "name": "CVE-2021-3449",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3449"
    },
    {
      "name": "CVE-2022-26313",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-26313"
    },
    {
      "name": "CVE-2021-22921",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22921"
    },
    {
      "name": "CVE-2021-25216",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-25216"
    },
    {
      "name": "CVE-2020-15358",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15358"
    },
    {
      "name": "CVE-2021-43527",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43527"
    },
    {
      "name": "CVE-2019-19242",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19242"
    },
    {
      "name": "CVE-2021-22897",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22897"
    },
    {
      "name": "CVE-2021-32803",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-32803"
    },
    {
      "name": "CVE-2021-25177",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-25177"
    },
    {
      "name": "CVE-2021-25175",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-25175"
    },
    {
      "name": "CVE-2021-22884",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22884"
    },
    {
      "name": "CVE-2021-32952",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-32952"
    },
    {
      "name": "CVE-2019-19880",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19880"
    },
    {
      "name": "CVE-2018-7160",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-7160"
    },
    {
      "name": "CVE-2021-32950",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-32950"
    },
    {
      "name": "CVE-2021-3672",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3672"
    },
    {
      "name": "CVE-2021-31346",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-31346"
    },
    {
      "name": "CVE-2022-26314",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-26314"
    },
    {
      "name": "CVE-2021-31784",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-31784"
    },
    {
      "name": "CVE-2021-22883",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22883"
    },
    {
      "name": "CVE-2020-8231",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8231"
    },
    {
      "name": "CVE-2020-13631",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13631"
    },
    {
      "name": "CVE-2021-25214",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-25214"
    },
    {
      "name": "CVE-2021-22931",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22931"
    },
    {
      "name": "CVE-2021-31889",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-31889"
    },
    {
      "name": "CVE-2022-24408",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24408"
    },
    {
      "name": "CVE-2021-42016",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42016"
    },
    {
      "name": "CVE-2021-3712",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3712"
    },
    {
      "name": "CVE-2021-39134",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-39134"
    },
    {
      "name": "CVE-2019-19645",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19645"
    },
    {
      "name": "CVE-2020-11655",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-11655"
    },
    {
      "name": "CVE-2020-8287",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8287"
    },
    {
      "name": "CVE-2021-22926",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22926"
    },
    {
      "name": "CVE-2022-24661",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24661"
    },
    {
      "name": "CVE-2021-22890",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22890"
    },
    {
      "name": "CVE-2021-25219",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-25219"
    },
    {
      "name": "CVE-2021-23840",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23840"
    },
    {
      "name": "CVE-2021-42018",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42018"
    },
    {
      "name": "CVE-2021-22923",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22923"
    },
    {
      "name": "CVE-2019-19923",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19923"
    },
    {
      "name": "CVE-2021-39135",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-39135"
    },
    {
      "name": "CVE-2021-25176",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-25176"
    },
    {
      "name": "CVE-2021-31890",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-31890"
    },
    {
      "name": "CVE-2021-25178",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-25178"
    },
    {
      "name": "CVE-2021-22876",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22876"
    },
    {
      "name": "CVE-2021-23362",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23362"
    },
    {
      "name": "CVE-2019-19603",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19603"
    },
    {
      "name": "CVE-2021-25217",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-25217"
    },
    {
      "name": "CVE-2021-25173",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-25173"
    },
    {
      "name": "CVE-2021-22945",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22945"
    },
    {
      "name": "CVE-2022-25311",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25311"
    },
    {
      "name": "CVE-2021-31344",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-31344"
    },
    {
      "name": "CVE-2021-37209",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37209"
    },
    {
      "name": "CVE-2021-42019",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42019"
    },
    {
      "name": "CVE-2020-8625",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8625"
    }
  ],
  "initial_release_date": "2022-03-08T00:00:00",
  "last_revision_date": "2022-03-08T00:00:00",
  "links": [],
  "reference": "CERTFR-2022-AVI-216",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-03-08T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    },
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSiemens. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Siemens",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-166747 du 8 mars 2022",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-166747.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-252466 du 8 mars 2022",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-252466.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-562051 du 8 mars 2022",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-562051.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-223353 du 8 mars 2022",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-223353.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-337210 du 8 mars 2022",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-337210.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-148641 du 8 mars 2022",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-148641.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-389290 du 8 mars 2022",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-389290.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-764417 du 8 mars 2022",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-764417.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-256353 du 8 mars 2022",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-256353.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-703715 du 8 mars 2022",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-703715.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-594438 du 8 mars 2022",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-594438.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-415938 du 8 mars 2022",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-415938.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-134279 du 8 mars 2022",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-134279.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-155599 du 8 mars 2022",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-155599.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-406691 du 8 mars 2022",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-406691.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-250085 du 8 mars 2022",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-250085.html"
    }
  ]
}

cve-2020-8287

Vulnerability from osv_almalinux

Published

2021-02-16 07:34

Modified

2021-02-16 13:03

Summary

Moderate: nodejs:12 security update

Details

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (12.20.1), nodejs-nodemon (2.0.3).

Security Fix(es):

nodejs-mixin-deep: prototype pollution in function mixin-deep (CVE-2019-10746)
nodejs-set-value: prototype pollution in function set-value (CVE-2019-10747)
nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754)
nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)
nodejs: use-after-free in the TLS implementation (CVE-2020-8265)
nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-nodemon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.3-1.module_el8.4.0+2521+c668cc9f"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "17-3.module_el8.4.0+2224+b07ac28e"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "17-3.module_el8.4.0+2521+c668cc9f"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "17-3.module_el8.3.0+2023+d2377ea3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs (12.20.1), nodejs-nodemon (2.0.3).\n\nSecurity Fix(es):\n\n* nodejs-mixin-deep: prototype pollution in function mixin-deep (CVE-2019-10746)\n\n* nodejs-set-value: prototype pollution in function set-value (CVE-2019-10747)\n\n* nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754)\n\n* nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)\n\n* nodejs: use-after-free in the TLS implementation (CVE-2020-8265)\n\n* nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2021:0549",
  "modified": "2021-02-16T13:03:05Z",
  "published": "2021-02-16T07:34:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2021-0549.html"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2018-3750"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-10746"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-10747"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-7754"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-7788"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-8265"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-8287"
    }
  ],
  "related": [
    "CVE-2019-10746",
    "CVE-2019-10747",
    "CVE-2020-7754",
    "CVE-2020-7788",
    "CVE-2020-8265",
    "CVE-2020-8287"
  ],
  "summary": "Moderate: nodejs:12 security update"
}

cve-2020-8287

Vulnerability from osv_almalinux

Published

2021-02-16 07:34

Modified

2021-02-16 13:03

Summary

Moderate: nodejs:10 security update

Details

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (10.23.1).

Security Fix(es):

libuv: buffer overflow in realpath (CVE-2020-8252)
nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754)
nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)
nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)
nodejs-dot-prop: prototype pollution (CVE-2020-8116)
nodejs: use-after-free in the TLS implementation (CVE-2020-8265)
npm: sensitive information exposure through logs (CVE-2020-15095)
nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)
nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)
nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-nodemon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.18.3-1.module_el8.3.0+2023+d2377ea3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-nodemon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.18.3-1.module_el8.3.0+2047+b07ac28e"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "17-3.module_el8.4.0+2224+b07ac28e"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "17-3.module_el8.4.0+2521+c668cc9f"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "17-3.module_el8.3.0+2023+d2377ea3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs (10.23.1).\n\nSecurity Fix(es):\n\n* libuv: buffer overflow in realpath (CVE-2020-8252)\n\n* nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754)\n\n* nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)\n\n* nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)\n\n* nodejs-dot-prop: prototype pollution (CVE-2020-8116)\n\n* nodejs: use-after-free in the TLS implementation (CVE-2020-8265)\n\n* npm: sensitive information exposure through logs (CVE-2020-15095)\n\n* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)\n\n* nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)\n\n* nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2021:0548",
  "modified": "2021-02-16T13:03:03Z",
  "published": "2021-02-16T07:34:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2021-0548.html"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-15095"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-15366"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-7608"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-7754"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-7774"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-7788"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-8116"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-8252"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-8265"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-8287"
    }
  ],
  "related": [
    "CVE-2020-8252",
    "CVE-2020-7754",
    "CVE-2020-7774",
    "CVE-2020-7788",
    "CVE-2020-8116",
    "CVE-2020-8265",
    "CVE-2020-15095",
    "CVE-2020-15366",
    "CVE-2020-7608",
    "CVE-2020-8287"
  ],
  "summary": "Moderate: nodejs:10 security update"
}

cve-2020-8287

Vulnerability from osv_almalinux

Published

2021-02-16 07:34

Modified

2021-02-16 13:03

Summary

Moderate: nodejs:14 security and bug fix update

Details

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (14.15.4).

Security Fix(es):

nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754)
nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)
nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)
nodejs: use-after-free in the TLS implementation (CVE-2020-8265)
c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277)
nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)
nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

yarn install crashes with nodejs:14 on aarch64 (BZ#1916465)

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-nodemon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.3-1.module_el8.4.0+2521+c668cc9f"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "23-3.module_el8.5.0+254+b4526b16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "23-3.module_el8.4.0+2522+3bd42762"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs (14.15.4).\n\nSecurity Fix(es):\n\n* nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754)\n\n* nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)\n\n* nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)\n\n* nodejs: use-after-free in the TLS implementation (CVE-2020-8265)\n\n* c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277)\n\n* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)\n\n* nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* yarn install crashes with nodejs:14 on aarch64 (BZ#1916465)",
  "id": "ALSA-2021:0551",
  "modified": "2021-02-16T13:03:09Z",
  "published": "2021-02-16T07:34:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2021-0551.html"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-15366"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-7754"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-7774"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-7788"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-8265"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-8277"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-8287"
    }
  ],
  "related": [
    "CVE-2020-7754",
    "CVE-2020-7774",
    "CVE-2020-7788",
    "CVE-2020-8265",
    "CVE-2020-8277",
    "CVE-2020-15366",
    "CVE-2020-8287"
  ],
  "summary": "Moderate: nodejs:14 security and bug fix update"
}

GSD-2020-8287

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-8287

Aliases

CVE-2020-8287

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-8287",
    "description": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.",
    "id": "GSD-2020-8287",
    "references": [
      "https://www.suse.com/security/cve/CVE-2020-8287.html",
      "https://www.debian.org/security/2021/dsa-4826",
      "https://access.redhat.com/errata/RHSA-2021:0551",
      "https://access.redhat.com/errata/RHSA-2021:0549",
      "https://access.redhat.com/errata/RHSA-2021:0548",
      "https://access.redhat.com/errata/RHSA-2021:0521",
      "https://access.redhat.com/errata/RHSA-2021:0485",
      "https://access.redhat.com/errata/RHSA-2021:0421",
      "https://advisories.mageia.org/CVE-2020-8287.html",
      "https://security.archlinux.org/CVE-2020-8287",
      "https://linux.oracle.com/cve/CVE-2020-8287.html",
      "https://ubuntu.com/security/CVE-2020-8287"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-8287"
      ],
      "details": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.",
      "id": "GSD-2020-8287",
      "modified": "2023-12-13T01:21:53.423870Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "support@hackerone.com",
        "ID": "CVE-2020-8287",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "https://github.com/nodejs/node",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Fixed in 10.23.1, 12.20.1, 14.15.4, 15.5.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "HTTP Request Smuggling (CWE-444)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://hackerone.com/reports/1002188",
            "refsource": "MISC",
            "url": "https://hackerone.com/reports/1002188"
          },
          {
            "name": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/",
            "refsource": "MISC",
            "url": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/"
          },
          {
            "name": "DSA-4826",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2021/dsa-4826"
          },
          {
            "name": "FEDORA-2021-fb1a136393",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/"
          },
          {
            "name": "GLSA-202101-07",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202101-07"
          },
          {
            "name": "FEDORA-2021-d5b2c18fe6",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20210212-0003/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20210212-0003/"
          },
          {
            "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
            "refsource": "CONFIRM",
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
          },
          {
            "name": "[debian-lts-announce] 20221205 [SECURITY] [DLA 3224-1] http-parser security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "15.5.1",
                "versionStartIncluding": "15.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "14.15.4",
                "versionStartIncluding": "14.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "12.20.1",
                "versionStartIncluding": "12.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "10.23.1",
                "versionStartIncluding": "10.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:oracle:graalvm:19.3.4:*:*:*:enterprise:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:graalvm:20.3.0:*:*:*:enterprise:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.0.1.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assignments@hackerone.com",
          "ID": "CVE-2020-8287"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-444"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/1002188",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Issue Tracking",
                "Third Party Advisory"
              ],
              "url": "https://hackerone.com/reports/1002188"
            },
            {
              "name": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/"
            },
            {
              "name": "DSA-4826",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2021/dsa-4826"
            },
            {
              "name": "FEDORA-2021-fb1a136393",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/"
            },
            {
              "name": "GLSA-202101-07",
              "refsource": "GENTOO",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202101-07"
            },
            {
              "name": "FEDORA-2021-d5b2c18fe6",
              "refsource": "FEDORA",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210212-0003/",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210212-0003/"
            },
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
            },
            {
              "name": "[debian-lts-announce] 20221205 [SECURITY] [DLA 3224-1] http-parser security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      },
      "lastModifiedDate": "2023-02-03T19:12Z",
      "publishedDate": "2021-01-06T21:15Z"
    }
  }
}

FKIE_CVE-2020-8287

Vulnerability from fkie_nvd - Published: 2021-01-06 21:15 - Updated: 2024-11-21 05:38

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Summary

References

URL	Tags
support@hackerone.com	https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf	Patch, Third Party Advisory
support@hackerone.com	https://hackerone.com/reports/1002188	Exploit, Issue Tracking, Third Party Advisory
support@hackerone.com	https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html	Mailing List, Third Party Advisory
support@hackerone.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/
support@hackerone.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/
support@hackerone.com	https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/	Patch, Vendor Advisory
support@hackerone.com	https://security.gentoo.org/glsa/202101-07	Third Party Advisory
support@hackerone.com	https://security.netapp.com/advisory/ntap-20210212-0003/	Third Party Advisory
support@hackerone.com	https://www.debian.org/security/2021/dsa-4826	Third Party Advisory
support@hackerone.com	https://www.oracle.com/security-alerts/cpujan2021.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://hackerone.com/reports/1002188	Exploit, Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/
af854a3a-2127-422b-91ae-364da2661108	https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/202101-07	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20210212-0003/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2021/dsa-4826	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/security-alerts/cpujan2021.html	Third Party Advisory

Impacted products

Vendor	Product	Version
nodejs	node.js	*
nodejs	node.js	*
nodejs	node.js	*
nodejs	node.js	*
debian	debian_linux	10.0
fedoraproject	fedora	32
fedoraproject	fedora	33
oracle	graalvm	19.3.4
oracle	graalvm	20.3.0
siemens	sinec_infrastructure_network_services	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "8042EBD0-9F28-43DF-BF27-DD3BBBD3E017",
              "versionEndExcluding": "10.23.1",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "5E1AAC61-6E2E-46F8-BB51-D615FC87DA3B",
              "versionEndExcluding": "12.20.1",
              "versionStartIncluding": "12.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "1DF64627-51CF-41BB-A9D2-B23DAC590FF0",
              "versionEndExcluding": "14.15.4",
              "versionStartIncluding": "14.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "B6E4C7D3-2F1D-49B8-95AF-B89D82267ECB",
              "versionEndExcluding": "15.5.1",
              "versionStartIncluding": "15.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
              "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
              "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:graalvm:19.3.4:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "937F66F5-F5BA-4156-82E0-EB2C99ABD41A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:graalvm:20.3.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "BC0F8B31-F93B-40B6-9C06-A3996DC63829",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B0F46497-4AB0-49A7-9453-CC26837BF253",
              "versionEndExcluding": "1.0.1.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling."
    },
    {
      "lang": "es",
      "value": "Node.js versiones anteriores a 10.23.1, 12.20.1, 14.15.4, 15.5.1 permiten dos copias de un campo de encabezado en una petici\u00f3n HTTP (por ejemplo, dos campos de encabezado Transfer-Encoding).\u0026#xa0;En este caso, Node.js identifica el primer campo de encabezado e ignora el segundo.\u0026#xa0;Esto puede conllevar a un Tr\u00e1fico no Autorizado de Peticiones HTTP"
    }
  ],
  "id": "CVE-2020-8287",
  "lastModified": "2024-11-21T05:38:39.843",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-01-06T21:15:14.707",
  "references": [
    {
      "source": "support@hackerone.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://hackerone.com/reports/1002188"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html"
    },
    {
      "source": "support@hackerone.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
    },
    {
      "source": "support@hackerone.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202101-07"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20210212-0003/"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2021/dsa-4826"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://hackerone.com/reports/1002188"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202101-07"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20210212-0003/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2021/dsa-4826"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    }
  ],
  "sourceIdentifier": "support@hackerone.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-444"
        }
      ],
      "source": "support@hackerone.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-444"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

cleanstart-2026-ln12820

Vulnerability from cleanstart

Published

2026-02-19 00:58

Modified

2026-02-18 09:40

Summary

vulnerability has been identified in Node

Details

Multiple security vulnerabilities affect the nodejs package. A vulnerability has been identified in Node. See references for individual vulnerability details.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.9.3-r0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the nodejs package. A vulnerability has been identified in Node. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-LN12820",
  "modified": "2026-02-18T09:40:19Z",
  "published": "2026-02-19T00:58:49.154512Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-LN12820.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-14919"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-15896"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2018-0734"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2018-0735"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2018-1000168"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2018-12121"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2018-12122"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2018-7160"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2018-7161"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-15604"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-15605"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-15606"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-5737"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-9511"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-9512"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-9513"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-9514"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-9515"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-9516"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-9517"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-9518"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-11080"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-7774"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-8172"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-8174"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-8201"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-8252"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-8265"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-8277"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-8287"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-21148"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-22930"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-22931"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-22959"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-22960"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-3672"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-43803"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-44531"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-44532"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-32212"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-32213"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-32214"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-32215"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-35255"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-35256"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-3602"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-43548"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-23918"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-23919"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-23920"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-23936"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-24807"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-39333"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-44487"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-22018"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-22020"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-27982"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-27983"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-36138"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-37372"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14919"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15896"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0734"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0735"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000168"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12121"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12122"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7160"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7161"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15604"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15605"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15606"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5737"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9511"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9512"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9513"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9514"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9515"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9516"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9517"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9518"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11080"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8172"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8174"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8201"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8252"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8265"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8277"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8287"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21148"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22930"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22931"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3672"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43803"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32212"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32213"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32214"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32215"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35255"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35256"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3602"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43548"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23918"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23919"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23920"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23936"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24807"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39333"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22018"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22020"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27982"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27983"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36138"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37372"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vulnerability has been identified in Node",
  "upstream": [
    "CVE-2017-14919",
    "CVE-2017-15896",
    "CVE-2018-0734",
    "CVE-2018-0735",
    "CVE-2018-1000168",
    "CVE-2018-12121",
    "CVE-2018-12122",
    "CVE-2018-7160",
    "CVE-2018-7161",
    "CVE-2019-15604",
    "CVE-2019-15605",
    "CVE-2019-15606",
    "CVE-2019-5737",
    "CVE-2019-9511",
    "CVE-2019-9512",
    "CVE-2019-9513",
    "CVE-2019-9514",
    "CVE-2019-9515",
    "CVE-2019-9516",
    "CVE-2019-9517",
    "CVE-2019-9518",
    "CVE-2020-11080",
    "CVE-2020-7774",
    "CVE-2020-8172",
    "CVE-2020-8174",
    "CVE-2020-8201",
    "CVE-2020-8252",
    "CVE-2020-8265",
    "CVE-2020-8277",
    "CVE-2020-8287",
    "CVE-2021-21148",
    "CVE-2021-22930",
    "CVE-2021-22931",
    "CVE-2021-22959",
    "CVE-2021-22960",
    "CVE-2021-3672",
    "CVE-2021-43803",
    "CVE-2021-44531",
    "CVE-2021-44532",
    "CVE-2022-32212",
    "CVE-2022-32213",
    "CVE-2022-32214",
    "CVE-2022-32215",
    "CVE-2022-35255",
    "CVE-2022-35256",
    "CVE-2022-3602",
    "CVE-2022-43548",
    "CVE-2023-23918",
    "CVE-2023-23919",
    "CVE-2023-23920",
    "CVE-2023-23936",
    "CVE-2023-24807",
    "CVE-2023-39333",
    "CVE-2023-44487",
    "CVE-2024-22018",
    "CVE-2024-22020",
    "CVE-2024-27982",
    "CVE-2024-27983",
    "CVE-2024-36138",
    "CVE-2024-37372"
  ]
}

GHSA-F33F-HHX9-6J4M

Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38

Details

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-8287"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-06T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.",
  "id": "GHSA-f33f-hhx9-6j4m",
  "modified": "2022-05-24T17:38:08Z",
  "published": "2022-05-24T17:38:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8287"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1002188"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202101-07"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210212-0003"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4826"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CNVD-2021-07118

Vulnerability from cnvd - Published: 2021-01-28

Title

Nodejs Core访问控制错误漏洞

Description

Nodejs Core是OpenJS基金会的一个编译到Nodejs中的核心模块。该模块为Nodejs提供底层的TCP，HTTP，DNS，文件系统，子进程等功能支持。 Node Core存在安全漏洞，攻击者可利用该漏洞通过HTTP Request Smuggling绕过访问限制，以读取或更改数据。

Severity

中

Patch Name

Nodejs Core访问控制错误漏洞的补丁

Patch Description

Nodejs Core是OpenJS基金会的一个编译到Nodejs中的核心模块。该模块为Nodejs提供底层的TCP，HTTP，DNS，文件系统，子进程等功能支持。 Node Core存在安全漏洞，攻击者可利用该漏洞通过HTTP Request Smuggling绕过访问限制，以读取或更改数据。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/nodejs/node/commit/fc70ce08f5818a286fb5899a1bc3aff5965a745e

Reference

https://vigilance.fr/vulnerability/Node-Core-read-write-access-via-HTTP-Request-Smuggling-34242

Impacted products

Name
nodejs Nodejs Core null

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-8287",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-8287"
    }
  },
  "description": "Nodejs Core\u662fOpenJS\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u7f16\u8bd1\u5230Nodejs\u4e2d\u7684\u6838\u5fc3\u6a21\u5757\u3002\u8be5\u6a21\u5757\u4e3aNodejs\u63d0\u4f9b\u5e95\u5c42\u7684TCP\uff0cHTTP\uff0cDNS\uff0c\u6587\u4ef6\u7cfb\u7edf\uff0c\u5b50\u8fdb\u7a0b\u7b49\u529f\u80fd\u652f\u6301\u3002\n\nNode Core\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7HTTP Request Smuggling\u7ed5\u8fc7\u8bbf\u95ee\u9650\u5236\uff0c\u4ee5\u8bfb\u53d6\u6216\u66f4\u6539\u6570\u636e\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/nodejs/node/commit/fc70ce08f5818a286fb5899a1bc3aff5965a745e",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-07118",
  "openTime": "2021-01-28",
  "patchDescription": "Nodejs Core\u662fOpenJS\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u7f16\u8bd1\u5230Nodejs\u4e2d\u7684\u6838\u5fc3\u6a21\u5757\u3002\u8be5\u6a21\u5757\u4e3aNodejs\u63d0\u4f9b\u5e95\u5c42\u7684TCP\uff0cHTTP\uff0cDNS\uff0c\u6587\u4ef6\u7cfb\u7edf\uff0c\u5b50\u8fdb\u7a0b\u7b49\u529f\u80fd\u652f\u6301\u3002\r\n\r\nNode Core\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7HTTP Request Smuggling\u7ed5\u8fc7\u8bbf\u95ee\u9650\u5236\uff0c\u4ee5\u8bfb\u53d6\u6216\u66f4\u6539\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Nodejs Core\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "nodejs Nodejs Core null"
  },
  "referenceLink": "https://vigilance.fr/vulnerability/Node-Core-read-write-access-via-HTTP-Request-Smuggling-34242",
  "serverity": "\u4e2d",
  "submitTime": "2021-01-07",
  "title": "Nodejs Core\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

bit-node-2020-8287

Vulnerability from bitnami_vulndb

Published

2024-03-06 11:07

Modified

2025-04-03 14:40

Summary

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "node",
        "purl": "pkg:bitnami/node"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.23.1"
            },
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.20.1"
            },
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "14.15.4"
            },
            {
              "introduced": "15.0.0"
            },
            {
              "fixed": "15.5.1"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-8287"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
      "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*"
    ],
    "severity": "Medium"
  },
  "details": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.",
  "id": "BIT-node-2020-8287",
  "modified": "2025-04-03T14:40:37.652Z",
  "published": "2024-03-06T11:07:21.705Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1002188"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202101-07"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210212-0003/"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4826"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8287"
    }
  ],
  "schema_version": "1.5.0"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-8287 (GCVE-0-2020-8287)

Solution

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from cleanstart

Vulnerability from bitnami_vulndb

Tags

Sightings

Nomenclature