Bug 2121101 (CVE-2022-35948) - CVE-2022-35948 nodejs: undici vulnerable to CRLF via content headers
Summary: CVE-2022-35948 nodejs: undici vulnerable to CRLF via content headers
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-35948
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2121293
Blocks: 2118398
TreeView+ depends on / blocked
 
Reported: 2022-08-24 13:06 UTC by ybuenos
Modified: 2024-03-15 23:39 UTC (History)
8 users (show)

Fixed In Version: undici 5.8.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the undici package. When requesting unsanitized input on content-type headers, it is possible to inject additional requests via Carriage Return/Line Feed (CRLF).
Clone Of:
Environment:
Last Closed: 2022-12-03 02:33:16 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7276 0 None None None 2022-11-01 16:53:30 UTC

Description ybuenos 2022-08-24 13:06:33 UTC 
undici up to and including 5.8.1 is vulnerable to CRLF (Carriage Return / Line Feed) Injection on headers when using unsanitized input as request headers, specifically inside the `content-type` header.

Example: 
import { request } from 'undici'

const unsanitizedContentTypeInput =  'application/json\r\n\r\nGET /foo2 HTTP/1.1'

await request('http://localhost:3000, {
    method: 'GET',
    headers: {
      'content-type': unsanitizedContentTypeInput
    },
})
Comment 3 errata-xmlrpc 2022-11-01 16:53:28 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:7276 https://access.redhat.com/errata/RHSA-2022:7276
Comment 4 Product Security DevOps Team 2022-12-03 02:33:14 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-35948
Note You need to log in before you can comment on or make changes to this bug.