Bug 1306203 (CVE-2016-2216) - CVE-2016-2216 nodejs: Response splitting vulnerability using Unicode characters
Summary: CVE-2016-2216 nodejs: Response splitting vulnerability using Unicode characters
Keywords:
Status: NEW
Alias: CVE-2016-2216
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1306206 1306207 1306208 1417961 1417963
Blocks: 1306204
TreeView+ depends on / blocked
 
Reported: 2016-02-10 10:22 UTC by Adam Mariš
Modified: 2019-09-29 13:44 UTC (History)
46 users (show)

Fixed In Version: nodejs 0.10.42, nodejs 0.12.10, nodejs 4.3.0, nodejs 5.6.0
Doc Type: Bug Fix
Doc Text:
It was found that nodejs functions manipulating HTTP headers did not properly forbid invalid characters. An attacker with ability to tamper with HTTP headers could use this flaw to inject a new-line allowing a response splitting attack.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Adam Mariš 2016-02-10 10:22:14 UTC
It was reported that HTTP header parsing in Node.js is vulnerable to response splitting attacks. While Node.js has been protecting against response splitting attacks by checking for CRLF characters, it is possible to compose response headers using Unicode characters that decompose to these characters, bypassing the checks previously in place.

External Reference:

https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/

Comment 2 Adam Mariš 2016-02-10 10:26:46 UTC
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1306207]
Affects: epel-all [bug 1306208]

Comment 4 Fedora Update System 2016-02-15 02:50:03 UTC
nodejs-0.10.42-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2016-02-22 20:50:34 UTC
nodejs-0.10.42-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2016-02-27 01:59:44 UTC
nodejs-0.10.42-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2016-02-27 02:06:56 UTC
nodejs-0.10.42-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Cedric Buissart 🐶 2016-11-22 10:39:00 UTC
Patches :
master branch : https://github.com/nodejs/node/commit/7bef1b7907
4.x branch : https://github.com/nodejs/node/commit/cf2b714b02
0.10.x branch : https://github.com/nodejs/node/commit/5c94624

Comment 11 Tomas Hoger 2016-11-23 18:59:21 UTC
(In reply to Ján Rusnačko from comment #3)
> Root cause analysis:
> 
> http://blog.safebreach.com/2016/02/09/http-response-splitting-in-node-js-
> root-cause-analysis/

The blog post has moved to:

https://safebreach.com/Post/HTTP-Response-Splitting-in-Node-js-Root-Cause-Analysis

Comment 15 Jason Shepherd 2018-04-03 04:50:16 UTC
Openshift Enterprise is pointed to latest RHSCL Node 4 image, which is 4.6.2. Marking as not afffected.


Note You need to log in before you can comment on or make changes to this bug.