Description
CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.
It was found that the reason argument in ServerResponse#writeHead() was not properly validated. A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request.
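As an added illustration of the mitigation (not code from this advisory or from Node.js itself): a guard that checks a reason phrase against the RFC 7230 reason-phrase grammar before it reaches `writeHead()`, so CR or LF characters can never be emitted as part of the status line on an unpatched version. The `safeWriteHead` wrapper and the `res` argument shape are assumptions for the example.

```javascript
// RFC 7230 reason-phrase = *( HTAB / SP / VCHAR / obs-text ).
// CR (0x0D) and LF (0x0A) terminate the status line on the wire, so a
// reason phrase containing them lets extra header lines be appended
// (the response-splitting issue described above). Anything outside the
// allowed set is rejected rather than passed through.
const REASON_PHRASE_RE = /^[\t\x20-\x7E\x80-\xFF]*$/;

function isValidReasonPhrase(reason) {
  return typeof reason === 'string' && REASON_PHRASE_RE.test(reason);
}

// Drop-in wrapper around res.writeHead() with the same argument order as
// the upstream API: writeHead(statusCode[, reasonPhrase][, headers]).
// An invalid reason phrase throws before anything is written, so the
// caller's error handler can log the attempt and send a plain 4xx/5xx.
// `res` is assumed to be an http.ServerResponse (or any object exposing
// writeHead); the wrapper name itself is hypothetical.
function safeWriteHead(res, statusCode, reason, headers) {
  if (typeof reason === 'object' && reason !== null) {
    // writeHead(statusCode, headers) form: no reason phrase supplied.
    headers = reason;
    reason = undefined;
  }
  if (reason !== undefined && !isValidReasonPhrase(reason)) {
    throw new TypeError('Invalid reason phrase: control characters are not allowed');
  }
  return reason === undefined
    ? res.writeHead(statusCode, headers)
    : res.writeHead(statusCode, reason, headers);
}

module.exports = { isValidReasonPhrase, safeWriteHead };
```

Calling `safeWriteHead(res, 200, userSuppliedText, headers)` in place of `res.writeHead(...)` makes the request fail loudly instead of silently producing a malformed response, which is also a useful signal for detection.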
Affected packages
Platform | Package | Status | Advisory | Release |
---|---|---|---|---|
Red Hat Mobile Application Platform 4 | nodejs | Not affected | ||
Red Hat OpenShift Enterprise 2 | nodejs010-nodejs | Will not fix | ||
Red Hat Software Collections | nodejs010-nodejs | Will not fix | ||
Red Hat OpenShift Container Platform 3.2 | nodejs | Fixed | RHSA-2016:2101 | 27.10.2016 |
Red Hat OpenShift Container Platform 3.2 | nodejs-tough-cookie | Fixed | RHSA-2016:2101 | 27.10.2016 |
Red Hat OpenShift Container Platform 3.3 | nodejs | Fixed | RHSA-2016:2101 | 27.10.2016 |
Red Hat OpenShift Container Platform 3.3 | nodejs-tough-cookie | Fixed | RHSA-2016:2101 | 27.10.2016 |
Red Hat OpenShift Enterprise 3.1 | nodejs | Fixed | RHSA-2016:2101 | 27.10.2016 |
Red Hat OpenShift Enterprise 3.1 | nodejs-tough-cookie | Fixed | RHSA-2016:2101 | 27.10.2016 |
Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-nodejs4-http-parser | Fixed | RHSA-2017:0002 | 02.01.2017 |
Additional information
Status:
EPSS
4.8 Medium
CVSS3
4 Medium
CVSS2
Related vulnerabilities