CVE-2018-12116

Name: CVE-2018-12116

Description: Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to be made to the same server.

NVD Severity: medium

References

| Type | URI |
| --- | --- |
| Patch | https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ |
| REDHAT | https://access.redhat.com/errata/RHSA-2019:1821 |
| GENTOO | https://security.gentoo.org/glsa/202003-48 |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| cpe:2.3:a:joyent:node.js:*:*:*:*:*:*:*:* | node.js | >= 11.0.0 | <= 11.3.0 |
| cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* | nodejs | >= 6.0.0 | <= 6.15.0 |
| cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* | nodejs | >= 8.0.0 | <= 8.14.0 |
| cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* | nodejs | >= 10.0.0 | <= 10.14.0 |

Vulnerable and fixed packages

Source package Branch Version Maintainer Status