Bug 2105430 (CVE-2022-32213)
| Summary: | CVE-2022-32213 nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sage McTaggart <amctagga> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | hhorak, jorton, mrunge, mvanderw, nodejs-maint, nodejs-sig, sgallagh, thrcka, zsvetlik |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | nodejs 14.20.0, nodejs 16.20.0, nodejs 18.5.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling (HRS), causing web cache poisoning, and conducting XSS attacks.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-11-30 08:58:00 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2108490, 2108491, 2108492, 2108061, 2108062, 2108063, 2108064, 2108065, 2108493, 2108494, 2108495, 2108497, 2108501, 2108503, 2109534, 2109579, 2109580, 2109581, 2121022 | ||
| Bug Blocks: | 2105423 | ||
|
Description
Sage McTaggart
2022-07-08 18:47:01 UTC
Created nodejs tracking bugs for this issue: Affects: epel-all [bug 2108490] Affects: fedora-all [bug 2108493] Created nodejs:12/nodejs tracking bugs for this issue: Affects: fedora-all [bug 2108494] Created nodejs:13/nodejs tracking bugs for this issue: Affects: epel-all [bug 2108491] Created nodejs:14/nodejs tracking bugs for this issue: Affects: fedora-all [bug 2108495] Created nodejs:15/nodejs tracking bugs for this issue: Affects: fedora-all [bug 2108497] Created nodejs:16-epel/nodejs tracking bugs for this issue: Affects: epel-all [bug 2108492] Created nodejs:16/nodejs tracking bugs for this issue: Affects: fedora-all [bug 2108501] Created nodejs:18/nodejs tracking bugs for this issue: Affects: fedora-all [bug 2108503] Respective commits: v14: https://github.com/nodejs/node/commit/da0fda0fe8 v16: https://github.com/nodejs/node/commit/1da22eb482 v18: https://github.com/nodejs/node/commit/f2407748e3 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:6389 https://access.redhat.com/errata/RHSA-2022:6389 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:6448 https://access.redhat.com/errata/RHSA-2022:6448 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:6449 https://access.redhat.com/errata/RHSA-2022:6449 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:6985 https://access.redhat.com/errata/RHSA-2022:6985 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-32213 |