CVE-2018-12116

Опубликовано: 27 нояб. 2018

Источник: redhat

CVSS3: 7.2

Описание

Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the path option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.

Отчет

The nodejs RPMs shipped in Red Hat OpenShift Container Platform (OCP) versions 3.6 through 3.10 are vulnerable to this flaw because they contain the affected code. Later versions of OCP used nodejs RPMs delivered from Red Hat Software Collections and Red Hat Enterprise Linux channels.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Enterprise Linux 8	nodejs	Not affected
Red Hat OpenShift Application Runtimes	nodejs	Not affected
Red Hat OpenShift Container Platform 3.10	nodejs	Fix deferred
Red Hat OpenShift Container Platform 3.2	nodejs	Out of support scope
Red Hat OpenShift Container Platform 3.3	nodejs	Out of support scope
Red Hat OpenShift Container Platform 3.4	nodejs	Out of support scope
Red Hat OpenShift Container Platform 3.5	nodejs	Out of support scope
Red Hat OpenShift Container Platform 3.6	nodejs	Out of support scope
Red Hat OpenShift Container Platform 3.7	nodejs	Out of support scope
Red Hat OpenShift Container Platform 3.9	nodejs	Fix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-113

https://bugzilla.redhat.com/show_bug.cgi?id=1660998nodejs: HTTP request splitting

7.2 High

CVSS3

Связанные уязвимости

CVE-2018-12116

CVSS3: 7.5

ubuntu

больше 6 лет назад

Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.