CVE-2022-35256

Опубликовано: 23 сент. 2022

Источник: redhat

CVSS3: 6.5

EPSS Низкий

Описание

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 9	nodejs:18/nodejs	Not affected
Red Hat Enterprise Linux 8	nodejs	Fixed	RHSA-2022:6964	17.10.2022
Red Hat Enterprise Linux 8	nodejs	Fixed	RHSA-2022:7821	08.11.2022
Red Hat Enterprise Linux 8	nodejs	Fixed	RHSA-2022:7830	08.11.2022
Red Hat Enterprise Linux 8.4 Extended Update Support	nodejs	Fixed	RHSA-2023:1533	30.03.2023
Red Hat Enterprise Linux 8.6 Extended Update Support	nodejs	Fixed	RHSA-2023:1742	12.04.2023
Red Hat Enterprise Linux 9	nodejs	Fixed	RHSA-2022:6963	18.10.2022
Red Hat Enterprise Linux 9	nodejs	Fixed	RHSA-2023:0321	23.01.2023
Red Hat Software Collections for Red Hat Enterprise Linux 7	rh-nodejs14-nodejs	Fixed	RHSA-2022:7044	19.10.2022

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-444

https://bugzilla.redhat.com/show_bug.cgi?id=2130518nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

EPSS

Процентиль: 87%

0.03548

Низкий

6.5 Medium

CVSS3

Связанные уязвимости

CVE-2022-35256

CVSS3: 6.5

ubuntu

больше 2 лет назад

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

CVE-2022-35256

CVSS3: 6.5

nvd

больше 2 лет назад

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

CVE-2022-35256

CVSS3: 6.5

msrc

больше 2 лет назад

Описание отсутствует

CVE-2022-35256

CVSS3: 6.5

debian

больше 2 лет назад

The llhttp parser in the http module in Node v18.7.0 does not correctl ...

GHSA-rc2m-q589-vpqx

CVSS3: 9.8

github

больше 2 лет назад

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

EPSS

Процентиль: 87%

0.03548

Низкий

6.5 Medium

CVSS3