Bug 1912863 (CVE-2020-8287)
Summary: | CVE-2020-8287 nodejs: HTTP request smuggling via two copies of a header field in an http request | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | bdettelb, cbuissar, cmoore, gmccullo, hhorak, jorton, jstanek, kaycoth, kmullins, kwalsh, mrunge, mvanderw, nodejs-maint, nodejs-sig, sadams, scorneli, sgallagh, tchollingsworth, thrcka, tomckay, zsvetlik |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | node 10.23.1, node 12.20.1, node 14.15.4, node 15.5.1 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in nodejs. Affected versions of Node.js allow two copies of a header field in an HTTP request. The first header field is recognized while the second is ignored leading to HTTP request smuggling. The highest threat from this vulnerability is to data confidentiality and integrity.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-02-04 20:42:27 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1912864, 1912865, 1912866, 1912867, 1912952, 1912953, 1912954, 1912955, 1912956, 1912957, 1913255, 1913256, 1913257, 1913258, 1913264, 1913586, 1914775, 1914786, 1914788, 1914789, 1914796, 1914799 | ||
Bug Blocks: | 1912868 |
Description
Guilherme de Almeida Suckevicz
2021-01-05 13:16:18 UTC
Created nodejs tracking bugs for this issue: Affects: fedora-all [bug 1912865] Created nodejs:10/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1912864] Created nodejs:12/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1912866] Created nodejs:14/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1912867] Red Hat Quay does not use NodeJS HTTP implementation. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:0421 https://access.redhat.com/errata/RHSA-2021:0421 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8287 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8287 Note: upstream fix for Node.js version 10 looks differently: https://github.com/nodejs/node/commit/fc70ce08f5818a286fb5899a1bc3aff5965a745e This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:0485 https://access.redhat.com/errata/RHSA-2021:0485 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:0521 https://access.redhat.com/errata/RHSA-2021:0521 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0548 https://access.redhat.com/errata/RHSA-2021:0548 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0549 https://access.redhat.com/errata/RHSA-2021:0549 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0551 https://access.redhat.com/errata/RHSA-2021:0551 |