CVE-2020-8287

CVE-2020-8287

Name

CVE-2020-8287

Description

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Exploit	https://hackerone.com/reports/1002188
Vendor Advisory	https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
Third Party Advisory	https://www.debian.org/security/2021/dsa-4826
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/
Third Party Advisory	https://security.gentoo.org/glsa/202101-07
Third Party Advisory	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/
Third Party Advisory	https://www.oracle.com/security-alerts/cpujan2021.html
Third Party Advisory	https://security.netapp.com/advisory/ntap-20210212-0003/
Patch	https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Type

URI

Exploit

https://hackerone.com/reports/1002188

Vendor Advisory

https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/

Third Party Advisory

https://www.debian.org/security/2021/dsa-4826

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/

Third Party Advisory

https://security.gentoo.org/glsa/202101-07

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

Third Party Advisory

https://security.netapp.com/advisory/ntap-20210212-0003/

Patch

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	node.js	>= 10.0.0	< 10.23.1
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	node.js	>= 12.0.0	< 12.20.1
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	node.js	>= 14.0.0	< 14.15.4
`cpe:2.3:a:nodejs:node.js:::::-:::*`	node.js	>= 15.0.0	< 15.5.1
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	nodejs	>= 10.0.0	< 10.23.1
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	nodejs	>= 12.0.0	< 12.20.1
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	nodejs	>= 14.0.0	< 14.15.4
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= 15.0.0	< 15.5.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

node.js

>= 10.0.0

< 10.23.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

node.js

>= 12.0.0

< 12.20.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

node.js

>= 14.0.0

< 14.15.4

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

node.js

>= 15.0.0

< 15.5.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

nodejs

>= 10.0.0

< 10.23.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

nodejs

>= 12.0.0

< 12.20.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

nodejs

>= 14.0.0

< 14.15.4

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= 15.0.0

< 15.5.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
nodejs-current	edge-community	15.5.1-r0	None	fixed
nodejs-current	3.22-community	15.5.1-r0	None	fixed
nodejs-current	3.21-community	15.5.1-r0	None	fixed
nodejs-current	3.20-community	15.5.1-r0	None	fixed
nodejs-current	3.19-community	15.5.1-r0	None	fixed
nodejs-current	3.18-community	15.5.1-r0	None	fixed
nodejs-current	3.17-community	15.5.1-r0	None	fixed
nodejs	edge-main	14.15.4-r0	None	fixed
nodejs	edge-main	14.15.1-r0	None	possibly vulnerable
nodejs	edge-main	12.18.4-r0	None	possibly vulnerable
nodejs	edge-main	12.18.0-r0	None	possibly vulnerable
nodejs	edge-main	12.15.0-r0	None	possibly vulnerable
nodejs	edge-main	10.16.3-r0	None	possibly vulnerable
nodejs	edge-main	10.15.3-r0	None	possibly vulnerable
nodejs	edge-main	10.14.0-r0	None	possibly vulnerable
nodejs	3.22-main	14.15.4-r0	None	fixed
nodejs	3.22-main	14.15.1-r0	None	possibly vulnerable
nodejs	3.22-main	12.18.4-r0	None	possibly vulnerable
nodejs	3.22-main	12.18.0-r0	None	possibly vulnerable
nodejs	3.22-main	12.15.0-r0	None	possibly vulnerable
nodejs	3.22-main	10.16.3-r0	None	possibly vulnerable
nodejs	3.22-main	10.15.3-r0	None	possibly vulnerable
nodejs	3.22-main	10.14.0-r0	None	possibly vulnerable
nodejs	3.21-main	14.15.4-r0	None	fixed
nodejs	3.21-main	14.15.1-r0	None	possibly vulnerable
nodejs	3.21-main	12.18.4-r0	None	possibly vulnerable
nodejs	3.21-main	12.18.0-r0	None	possibly vulnerable
nodejs	3.21-main	12.15.0-r0	None	possibly vulnerable
nodejs	3.21-main	10.16.3-r0	None	possibly vulnerable
nodejs	3.21-main	10.15.3-r0	None	possibly vulnerable
nodejs	3.21-main	10.14.0-r0	None	possibly vulnerable
nodejs	3.20-main	14.15.4-r0	None	fixed
nodejs	3.20-main	14.15.1-r0	None	possibly vulnerable
nodejs	3.20-main	12.18.4-r0	None	possibly vulnerable
nodejs	3.20-main	12.18.0-r0	None	possibly vulnerable
nodejs	3.20-main	12.15.0-r0	None	possibly vulnerable
nodejs	3.20-main	10.16.3-r0	None	possibly vulnerable
nodejs	3.20-main	10.15.3-r0	None	possibly vulnerable
nodejs	3.20-main	10.14.0-r0	None	possibly vulnerable
nodejs	3.19-main	14.15.4-r0	None	fixed
nodejs	3.19-main	14.15.1-r0	None	possibly vulnerable
nodejs	3.19-main	12.18.4-r0	None	possibly vulnerable
nodejs	3.19-main	12.18.0-r0	None	possibly vulnerable
nodejs	3.19-main	12.15.0-r0	None	possibly vulnerable
nodejs	3.19-main	10.16.3-r0	None	possibly vulnerable
nodejs	3.19-main	10.15.3-r0	None	possibly vulnerable
nodejs	3.19-main	10.14.0-r0	None	possibly vulnerable
nodejs	3.18-main	14.15.4-r0	None	fixed
nodejs	3.17-main	14.15.4-r0	None	fixed
nodejs	3.12-main	12.20.1-r0	None	fixed
nodejs	3.11-main	12.20.1-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

nodejs-current

edge-community

15.5.1-r0

None

fixed

nodejs-current

3.22-community