Bug 2105428 (CVE-2022-32214)
Summary: | CVE-2022-32214 nodejs: HTTP request smuggling due to improper delimiting of header fields | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sage McTaggart <amctagga> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | hhorak, jorton, mrunge, nodejs-maint, nodejs-sig, sgallagh, thrcka, zsvetlik |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | nodejs 14.20.0, nodejs 16.20.0, nodejs 18.5.0 | Doc Type: | If docs needed, set a value |
Doc Text: | A vulnerability was found in Node.js: the llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This issue can lead to HTTP Request Smuggling (HRS). An attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers, leading to web cache poisoning and XSS attacks. |
Last Closed: | 2022-11-30 08:29:29 UTC | Type: | --- |
Bug Depends On: | 2108496, 2108498, 2108500, 2108066, 2108067, 2108068, 2108069, 2108070, 2108502, 2108504, 2108505, 2108506, 2108507, 2108508, 2109531, 2109582, 2109583, 2109584, 2121023 | ||
Bug Blocks: | 2105423 |
Description
Sage McTaggart
2022-07-08 18:46:25 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108496]
Affects: fedora-all [bug 2108502]

Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108504]

Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108498]

Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108505]

Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108506]

Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108500]

Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108507]

Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108508]

Respective commits:

v14: https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd
v16: https://github.com/nodejs/node/commit/1da22eb48254f8c2d5f3c5865bb9f46e8b09ec60
v18: https://github.com/nodejs/node/commit/f2407748e3be07642d318ceb17366f62f41ddc33

This CVE was fixed by updating the bundled dependency to a newer version.

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6389 https://access.redhat.com/errata/RHSA-2022:6389

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:6448 https://access.redhat.com/errata/RHSA-2022:6448

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:6449 https://access.redhat.com/errata/RHSA-2022:6449

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6985 https://access.redhat.com/errata/RHSA-2022:6985

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-32214
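
The Doc Text above attributes the flaw to the parser not strictly using CRLF to delimit requests. As an added example (not Node.js or llhttp code, and not taken from this bug), the following JavaScript shows what a strict delimiter check on a raw request head can look like in a front-end filter or a regression test; `checkRequestHead`, `isStrictlyDelimited` and the sample bytes are constructed for illustration.

```javascript
'use strict';
// Added example: strict line-delimiter check for a raw HTTP/1.1 request head.
// Hypothetical helper names; sample requests below are constructed.

const CR = 0x0d;
const LF = 0x0a;

// Scans the request head and returns a list of findings.
// An empty list means every line ends with CRLF and the head is
// closed by an empty CRLF line; anything else is reported with its offset.
function checkRequestHead(buf) {
  const findings = [];
  let lineStart = 0;
  let terminated = false;
  for (let i = 0; i < buf.length; i++) {
    if (buf[i] === CR) {
      if (buf[i + 1] !== LF) {
        findings.push({ offset: i, issue: 'bare CR' });
        continue;
      }
      if (i === lineStart) {        // empty line: end of the head
        terminated = true;
        break;
      }
      i += 1;                       // skip the LF of this CRLF
      lineStart = i + 1;
    } else if (buf[i] === LF) {
      // LF without a preceding CR: a lenient parser may treat this as a
      // line break while a strict one does not, so the two disagree.
      findings.push({ offset: i, issue: 'bare LF' });
    }
  }
  if (!terminated) {
    findings.push({ offset: buf.length, issue: 'head not terminated by CRLF CRLF' });
  }
  return findings;
}

function isStrictlyDelimited(buf) {
  return checkRequestHead(buf).length === 0;
}

// Constructed samples: one well-formed head, two with a non-CRLF delimiter.
const samples = {
  strict: Buffer.from('GET / HTTP/1.1\r\nHost: a\r\n\r\n', 'latin1'),
  bareLf: Buffer.from('GET / HTTP/1.1\r\nHost: a\nX-Test: 1\r\n\r\n', 'latin1'),
  bareCr: Buffer.from('GET / HTTP/1.1\r\nHost: a\rX-Test: 1\r\n\r\n', 'latin1'),
};
for (const [name, raw] of Object.entries(samples)) {
  console.log(name, JSON.stringify(checkRequestHead(raw)));
}
```

Rejecting any request with a non-empty findings list keeps every hop in agreement about where each header line ends, which is the property the fixed parser enforces.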