Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2020-8201

Опубликовано: 18 сент. 2020
Источник: nvd
CVSS3: 7.4
CVSS2: 5.8
EPSS Низкий

Описание

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
Версия от 12.0.0 (включая) до 12.18.4 (исключая)
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*
Версия от 14.0.0 (включая) до 14.11.0 (исключая)
Конфигурация 2
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
Конфигурация 3
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

EPSS

Процентиль: 79%
0.01384
Низкий

7.4 High

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-444
CWE-444

Связанные уязвимости

ubuntu логотип

CVE-2020-8201

CVSS3: 7.4
ubuntu
почти 5 лет назад

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.

redhat логотип

CVE-2020-8201

CVSS3: 7.4
redhat
почти 5 лет назад

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.

debian логотип

CVE-2020-8201

CVSS3: 7.4
debian
почти 5 лет назад

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync ...

github логотип

GHSA-7mcp-gwc2-4c6m

CVSS3: 7.4
github
около 3 лет назад

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.

fstec логотип

BDU:2020-05657

CVSS3: 7.4
fstec
почти 5 лет назад

Уязвимость программной платформы Node.js, связанная с ошибкой обработки имен HTTP - заголовка, позволяющая нарушителю получить доступ к защищаемой информации или повысить свои привилегии

EPSS

Процентиль: 79%
0.01384
Низкий

7.4 High

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-444
CWE-444