1660998 – (CVE-2018-12116) CVE-2018-12116 nodejs: HTTP request splitting

Bug 1660998 (CVE-2018-12116) - CVE-2018-12116 nodejs: HTTP request splitting

Summary: CVE-2018-12116 nodejs: HTTP request splitting

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-12116
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1661000 1660999 1666338 1666339 1720097 1720098 1720099 1720100
Blocks:	1661014
TreeView+	depends on / blocked

Reported:	2018-12-19 19:37 UTC by Laura Pardo
Modified:	2021-02-16 22:38 UTC (History)
CC List:	3 users (show)
Fixed In Version:	nodejs 8.14.0, nodejs 6.15.0
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-07-22 15:06:55 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:1844	None	None	None	2019-07-24 14:56:02 UTC
Red Hat Product Errata	RHBA-2019:1869	None	None	None	2019-07-26 18:08:48 UTC
Red Hat Product Errata	RHSA-2019:1821	None	None	None	2019-07-22 13:37:52 UTC

Description Laura Pardo 2018-12-19 19:37:24 UTC

A flaw was found in Node.js before 6.15.0 and 8.14.0. An HTTP request splitting. If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server. 


References:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

Comment 1 Laura Pardo 2018-12-19 19:37:44 UTC

Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1661000]
Affects: fedora-all [bug 1660999]

Comment 2 Cedric Buissart 2019-01-15 14:31:08 UTC

Upstream fixes:

node.js 8 : https://github.com/nodejs/node/commit/513e9747a22
master:     https://github.com/nodejs/node/commit/b961d9fd83c

Comment 6 Sam Fowler 2019-06-13 07:17:49 UTC

Statement:

The nodejs RPMs shipped in Red Hat OpenShift Container Platform (OCP) versions 3.6 through 3.10 are vulnerable to this flaw because they contain the affected code. Later versions of OCP used nodejs RPMs delivered from Red Hat Software Collections and Red Hat Enterprise Linux channels.

Comment 9 errata-xmlrpc 2019-07-22 13:37:50 UTC

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1821 https://access.redhat.com/errata/RHSA-2019:1821

Comment 10 Product Security DevOps Team 2019-07-22 15:06:55 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-12116

Note You need to log in before you can comment on or make changes to this bug.