Bug 2219841 (CVE-2023-30589)
Summary: | CVE-2023-30589 nodejs: HTTP Request Smuggling via Empty headers separated by CR | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
Component: | vulnerability | Assignee: | Nobody <nobody> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | hhorak, jorton, nodejs-maint, zsvetlik |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
A vulnerability has been identified in the Node.js, where llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2023-08-08 13:17:02 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2220788, 2220789, 2220784, 2220785, 2220786, 2220787, 2220796, 2220797, 2220798, 2220799, 2220800, 2220801, 2223318, 2223340, 2223341, 2223633, 2223652, 2223684, 2223685 | ||
Bug Blocks: | 2217661 |
Description
Dhananjay Arunesh
2023-07-05 15:03:28 UTC
Created nodejs tracking bugs for this issue: Affects: epel-all [bug 2220789] Affects: fedora-all [bug 2220787] Created nodejs:14/nodejs tracking bugs for this issue: Affects: fedora-all [bug 2220786] Created nodejs:16-epel/nodejs tracking bugs for this issue: Affects: epel-all [bug 2220788] Created nodejs:16/nodejs tracking bugs for this issue: Affects: fedora-all [bug 2220785] Created nodejs:18/nodejs tracking bugs for this issue: Affects: fedora-all [bug 2220784] This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:4331 https://access.redhat.com/errata/RHSA-2023:4331 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:4330 https://access.redhat.com/errata/RHSA-2023:4330 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:4536 https://access.redhat.com/errata/RHSA-2023:4536 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:4537 https://access.redhat.com/errata/RHSA-2023:4537 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-30589 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:5361 https://access.redhat.com/errata/RHSA-2023:5361 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:5533 https://access.redhat.com/errata/RHSA-2023:5533 |