Bug 1879311 (CVE-2020-8201) - CVE-2020-8201 nodejs: HTTP request smuggling due to CR-to-Hyphen conversion
Summary: CVE-2020-8201 nodejs: HTTP request smuggling due to CR-to-Hyphen conversion
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8201
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1879340 1878546 1878547 1878548 1878549 1878550 1878551 1879341 1879343 1879344 1879345 1879346
Blocks: 1878541
Reported: 2020-09-16 01:03 UTC by Doran Moppert
Modified: 2021-06-07 16:37 UTC (History)
CC: 14 users

Fixed In Version: nodejs 14.11.0, nodejs 12.18.4, llhttp 2.1.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Node.js, where affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This flaw leads to HTTP Request Smuggling as it is a non-standard interpretation of the header. The highest threat from this vulnerability is to confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2020-10-19 20:21:47 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4272 0 None None None 2020-10-19 07:47:50 UTC
Red Hat Product Errata RHSA-2020:4903 0 None None None 2020-11-04 12:32:22 UTC
Red Hat Product Errata RHSA-2020:5086 0 None None None 2020-11-11 13:35:22 UTC

Description Doran Moppert 2020-09-16 01:03:47 UTC
Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.

Upstream advisory:

https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/

Comment 1 Doran Moppert 2020-09-16 03:00:25 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1879340]
Affects: fedora-all [bug 1879341]


Created nodejs:11/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1879343]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1879344]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1879345]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1879346]

Comment 3 Jason Shepherd 2020-09-17 22:15:46 UTC
Statement:

NodeJS is included in Red Hat Quay as a dependency of Yarn which is only used while building Red Hat Quay, and not during runtime.

Comment 24 errata-xmlrpc 2020-10-19 07:47:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4272 https://access.redhat.com/errata/RHSA-2020:4272

Comment 25 Product Security DevOps Team 2020-10-19 20:21:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8201

Comment 27 errata-xmlrpc 2020-11-04 12:32:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:4903 https://access.redhat.com/errata/RHSA-2020:4903

Comment 30 errata-xmlrpc 2020-11-11 13:35:20 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:5086 https://access.redhat.com/errata/RHSA-2020:5086
