Bug 2172190 (CVE-2023-23936) - CVE-2023-23936 Node.js: Fetch API did not protect against CRLF injection in host headers
Summary: CVE-2023-23936 Node.js: Fetch API did not protect against CRLF injection in host headers
Status: CLOSED ERRATA
Alias: CVE-2023-23936
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2172191 2172192 2172193 2172194 2172195 2172196 2172197 2172198 2172199 2172200 2178118 2178119 2178120 2178121 2178122 2178123 2178124 2178125 2178160 2178161 2178162
Blocks: 2171920
Reported: 2023-02-21 16:13 UTC by Zack Miele
Modified: 2023-10-09 10:26 UTC

Fixed In Version: Node.js 19.6.1, Node.js 18.14.1, Node.js 16.19.1
Doc Text:
A flaw was found in the fetch API in Node.js that did not prevent CRLF injection in the 'host' header. This issue could allow HTTP response splitting and HTTP header injection.
Last Closed: 2023-05-09 20:48:45 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:1582 0 None None None 2023-04-04 09:48:30 UTC
Red Hat Product Errata RHSA-2023:1583 0 None None None 2023-04-04 09:48:42 UTC
Red Hat Product Errata RHSA-2023:2654 0 None None None 2023-05-09 11:46:44 UTC
Red Hat Product Errata RHSA-2023:2655 0 None None None 2023-05-09 11:46:55 UTC
Red Hat Product Errata RHSA-2023:5533 0 None None None 2023-10-09 10:26:41 UTC

Description Zack Miele 2023-02-21 16:13:50 UTC
The fetch API in Node.js did not prevent CRLF injection in the 'host' header, potentially allowing attacks such as HTTP response splitting and HTTP header injection.

Comment 1 Zack Miele 2023-02-21 16:14:30 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2172191]
Affects: fedora-all [bug 2172195]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2172192]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2172193]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2172194]

Comment 5 errata-xmlrpc 2023-04-04 09:48:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1582 https://access.redhat.com/errata/RHSA-2023:1582

Comment 6 errata-xmlrpc 2023-04-04 09:48:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1583 https://access.redhat.com/errata/RHSA-2023:1583

Comment 7 errata-xmlrpc 2023-05-09 11:46:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2654 https://access.redhat.com/errata/RHSA-2023:2654

Comment 8 errata-xmlrpc 2023-05-09 11:46:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2655 https://access.redhat.com/errata/RHSA-2023:2655

Comment 9 Product Security DevOps Team 2023-05-09 20:48:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-23936

Comment 11 errata-xmlrpc 2023-10-09 10:26:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5533 https://access.redhat.com/errata/RHSA-2023:5533
