Bug 1660998 (CVE-2018-12116) - CVE-2018-12116 nodejs: HTTP request splitting
Summary: CVE-2018-12116 nodejs: HTTP request splitting
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-12116
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1661000 1660999 1666338 1666339 1720097 1720098 1720099 1720100
Blocks: 1661014
TreeView+ depends on / blocked
 
Reported: 2018-12-19 19:37 UTC by Laura Pardo
Modified: 2019-09-29 15:04 UTC (History)
3 users (show)

Fixed In Version: nodejs 8.14.0, nodejs 6.15.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-22 15:06:55 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:1844 None None None 2019-07-24 14:56:02 UTC
Red Hat Product Errata RHBA-2019:1869 None None None 2019-07-26 18:08:48 UTC
Red Hat Product Errata RHSA-2019:1821 None None None 2019-07-22 13:37:52 UTC

Description Laura Pardo 2018-12-19 19:37:24 UTC
A flaw was found in Node.js before 6.15.0 and 8.14.0. An HTTP request splitting. If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server. 


References:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

Comment 1 Laura Pardo 2018-12-19 19:37:44 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1661000]
Affects: fedora-all [bug 1660999]

Comment 2 Cedric Buissart 🐶 2019-01-15 14:31:08 UTC
Upstream fixes:

node.js 8 : https://github.com/nodejs/node/commit/513e9747a22
master:     https://github.com/nodejs/node/commit/b961d9fd83c

Comment 6 Sam Fowler 2019-06-13 07:17:49 UTC
Statement:

The nodejs RPMs shipped in Red Hat OpenShift Container Platform (OCP) versions 3.6 through 3.10 are vulnerable to this flaw because they contain the affected code. Later versions of OCP used nodejs RPMs delivered from Red Hat Software Collections and Red Hat Enterprise Linux channels.

Comment 9 errata-xmlrpc 2019-07-22 13:37:50 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1821 https://access.redhat.com/errata/RHSA-2019:1821

Comment 10 Product Security DevOps Team 2019-07-22 15:06:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-12116


Note You need to log in before you can comment on or make changes to this bug.