The fetch API in Node.js did not prevent CRLF injection in the 'host' header, potentially allowing attacks such as HTTP response splitting and HTTP header injection.
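
To make the class of flaw described above concrete, here is an added example (not code from Node.js, undici or this bug report) that places an unchecked header serializer beside a hardened one that rejects CR, LF and NUL and applies the RFC 9110 Host grammar. All function names and the sample value are hypothetical and constructed for illustration.

```javascript
// Added example; isSafeHostValue, naiveHead, safeHead and headerLineCount are
// hypothetical helper names, not Node.js or undici APIs.

// Approximation of RFC 9110 "Host = uri-host [ ":" port ]":
// a reg-name/IPv4 literal or a bracketed IPv6 literal, then an optional port.
const HOST_RE = /^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._~!$&'()*+,;=%-]+)(?::\d{1,5})?$/;

function isSafeHostValue(value) {
  return typeof value === 'string' && HOST_RE.test(value);
}

// The 'before' shape: header values are concatenated into the request head unchecked.
function naiveHead(method, path, headers) {
  const lines = [`${method} ${path} HTTP/1.1`];
  for (const [name, value] of Object.entries(headers)) {
    lines.push(`${name}: ${value}`);
  }
  return lines.join('\r\n') + '\r\n\r\n';
}

// Hardened form: reject CR, LF and NUL in every value, and check 'host' against the grammar.
function safeHead(method, path, headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (/[\r\n\0]/.test(String(value))) {
      throw new TypeError(`invalid character in ${name} header`);
    }
    if (name.toLowerCase() === 'host' && !isSafeHostValue(value)) {
      throw new TypeError('invalid host header');
    }
  }
  return naiveHead(method, path, headers);
}

// Number of header lines a receiving parser would see in a serialized request head.
function headerLineCount(head) {
  return head.split('\r\n\r\n')[0].split('\r\n').length - 1;
}

// Constructed sample input: one header supplied, its value carries an embedded CRLF.
const constructed = { host: 'app.example\r\nx-constructed: 1' };
```

With the unchecked serializer, the single supplied header reaches the wire as two header lines; the hardened form throws before anything is serialized.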
Created nodejs tracking bugs for this issue:
Affects: epel-all [bug 2172191]
Affects: fedora-all [bug 2172195]
Created nodejs:16-epel/nodejs tracking bugs for this issue:
Affects: epel-all [bug 2172192]
Created nodejs:16/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2172193]
Created nodejs:18/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2172194]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:1582 https://access.redhat.com/errata/RHSA-2023:1582
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:1583 https://access.redhat.com/errata/RHSA-2023:1583
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2654 https://access.redhat.com/errata/RHSA-2023:2654
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2655 https://access.redhat.com/errata/RHSA-2023:2655
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-23936
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:5533 https://access.redhat.com/errata/RHSA-2023:5533