A flaw was found in Node.js before 6.15.0 and 8.14.0: HTTP request splitting. If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to be made to the same server.

References:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
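An added example, not code from Node.js or Red Hat: one way an application can vet a value before handing it to the `path` option described above. The helper names `checkRequestPath` and `buildRequestPath`, the allowed character range, and the sample paths are assumptions made for illustration.

```javascript
'use strict';

// Hypothetical helpers (not a Node.js API) for vetting the `path` option of
// http.request() when part of it comes from user input.
// Characters above U+00FF do not fit in one byte, so a lossy single-byte
// encoding of the request line can emit bytes the caller never wrote.
// Whitespace and control characters would end or split the request line.
const UNSAFE_PATH_CHAR = /[^\u0021-\u00ff]/;

function checkRequestPath(path) {
  if (typeof path !== 'string' || path.length === 0) {
    return { ok: false, reason: 'path must be a non-empty string' };
  }
  if (!path.startsWith('/')) {
    return { ok: false, reason: 'path must start with "/"' };
  }
  const m = UNSAFE_PATH_CHAR.exec(path);
  if (m) {
    const cp = m[0].charCodeAt(0).toString(16).toUpperCase().padStart(4, '0');
    return { ok: false, reason: `unsafe character U+${cp} at index ${m.index}` };
  }
  return { ok: true, path };
}

// Build a path from a fixed prefix plus one user-supplied segment.
// encodeURIComponent emits UTF-8 percent-escapes, so the result is pure ASCII
// and legitimate Unicode input still reaches the server intact.
function buildRequestPath(prefix, userSegment) {
  let encoded;
  try {
    encoded = encodeURIComponent(String(userSegment));
  } catch (err) {
    // A lone surrogate makes encodeURIComponent throw URIError.
    throw new TypeError('user segment is not well-formed Unicode');
  }
  const result = checkRequestPath(`${prefix}${encoded}`);
  if (!result.ok) throw new TypeError(result.reason);
  return result.path;
}

// Constructed sample paths, for illustration only.
for (const p of ['/ok?q=1', '/search/\u65e5\u672c', '/a b']) {
  console.log(JSON.stringify(p), checkRequestPath(p));
}
console.log(buildRequestPath('/search/', '\u65e5\u672c'));
```

Rejecting the path outright is the stricter choice; percent-encoding the user segment is for callers that must accept non-ASCII input.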
Created nodejs tracking bugs for this issue:
Affects: epel-all [bug 1661000]
Affects: fedora-all [bug 1660999]

Upstream fixes:
node.js 8: https://github.com/nodejs/node/commit/513e9747a22
master: https://github.com/nodejs/node/commit/b961d9fd83c
Statement: The nodejs RPMs shipped in Red Hat OpenShift Container Platform (OCP) versions 3.6 through 3.10 are vulnerable to this flaw because they contain the affected code. Later versions of OCP used nodejs RPMs delivered from Red Hat Software Collections and Red Hat Enterprise Linux channels.
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Via RHSA-2019:1821 https://access.redhat.com/errata/RHSA-2019:1821
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-12116