Bug 2275392 (CVE-2024-27982)

Summary: CVE-2024-27982 nodejs: HTTP Request Smuggling via Content Length Obfuscation
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bdettelb, caswilli, dkuc, doconnor, fjansen, gsuckevi, hhorak, hkataria, jorton, kaycoth, kshier, nodejs-maint, teagle
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An HTTP Request Smuggling vulnerability was found in Node.js due to Content-Length Obfuscation in the HTTP server. Malformed headers, particularly if a space is inserted before a content-length header, can result in HTTP request smuggling. This flaw allows attackers to inject a second request within the body of the first and poison web caches, bypass web application firewalls, and execute Cross-site scripting (XSS) attacks.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2275394, 2275395, 2275396, 2275397, 2275398, 2275399, 2275400    
Bug Blocks: 2275402    

Description TEJ RATHI 2024-04-17 04:20:12 UTC 
Malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.

This vulnerability affects all users in all active release lines: 18.x, 20.x and, 21.x.

https://nodejs.org/en/blog/vulnerability/april-2024-security-releases
Comment 1 TEJ RATHI 2024-04-17 04:32:42 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2275394]


Created nodejs16 tracking bugs for this issue:

Affects: fedora-all [bug 2275396]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-all [bug 2275397]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-all [bug 2275398]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2275395]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2275399]
Comment 6 errata-xmlrpc 2024-05-09 06:18:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2779 https://access.redhat.com/errata/RHSA-2024:2779
Comment 7 errata-xmlrpc 2024-05-09 06:20:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2778 https://access.redhat.com/errata/RHSA-2024:2778
Comment 8 errata-xmlrpc 2024-05-09 06:21:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2780 https://access.redhat.com/errata/RHSA-2024:2780
Comment 9 errata-xmlrpc 2024-05-15 11:29:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2853 https://access.redhat.com/errata/RHSA-2024:2853
Comment 10 errata-xmlrpc 2024-05-20 02:06:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2910 https://access.redhat.com/errata/RHSA-2024:2910
Comment 12 errata-xmlrpc 2024-06-03 07:00:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:3545 https://access.redhat.com/errata/RHSA-2024:3545
Comment 13 errata-xmlrpc 2024-07-16 12:45:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4559 https://access.redhat.com/errata/RHSA-2024:4559