Bug 2105428 (CVE-2022-32214) - CVE-2022-32214 nodejs: HTTP request smuggling due to improper delimiting of header fields
Summary: CVE-2022-32214 nodejs: HTTP request smuggling due to improper delimiting of h...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-32214
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2108066 2108067 2108069 2108496 2108498 2108500 2108502 2108504 2108505 2108506 2108507 2108508 2108068 2108070 2109531 2109582 2109583 2109584 2121023
Blocks: 2105423
TreeView+ depends on / blocked
 
Reported: 2022-07-08 18:46 UTC by Sage McTaggart
Modified: 2022-11-30 08:29 UTC (History)
8 users (show)

Fixed In Version: nodejs 14.20.0, nodejs 16.20.0, nodejs 18.5.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in NodeJS due to the llhttp parser in the http module not strictly using the CRLF sequence to delimit HTTP requests. This issue can lead to HTTP Request Smuggling (HRS). This flaw allows an attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers, causing web cache poisoning, and conducting XSS attacks.
Clone Of:
Environment:
Last Closed: 2022-11-30 08:29:29 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:6389 0 None None None 2022-09-08 07:42:43 UTC
Red Hat Product Errata RHSA-2022:6448 0 None None None 2022-09-13 09:44:23 UTC
Red Hat Product Errata RHSA-2022:6449 0 None None None 2022-09-13 09:44:54 UTC
Red Hat Product Errata RHSA-2022:6595 0 None None None 2022-09-20 12:24:34 UTC
Red Hat Product Errata RHSA-2022:6985 0 None None None 2022-10-18 08:18:16 UTC

Description Sage McTaggart 2022-07-08 18:46:25 UTC
CVE-2022-32214

The llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

More details will be available at CVE-2022-32214 after publication.

Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.

Impacts:

All versions of the 18.x, 16.x, and 14.x releases lines.
llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js

Comment 2 TEJ RATHI 2022-07-19 08:17:35 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108496]
Affects: fedora-all [bug 2108502]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108504]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108498]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108505]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108506]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108500]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108507]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108508]

Comment 4 errata-xmlrpc 2022-09-08 07:42:40 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6389 https://access.redhat.com/errata/RHSA-2022:6389

Comment 5 errata-xmlrpc 2022-09-13 09:44:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6448 https://access.redhat.com/errata/RHSA-2022:6448

Comment 6 errata-xmlrpc 2022-09-13 09:44:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6449 https://access.redhat.com/errata/RHSA-2022:6449

Comment 7 errata-xmlrpc 2022-09-20 12:24:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595

Comment 9 errata-xmlrpc 2022-10-18 08:18:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6985 https://access.redhat.com/errata/RHSA-2022:6985

Comment 10 Product Security DevOps Team 2022-11-30 08:29:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-32214


Note You need to log in before you can comment on or make changes to this bug.