CVE-2023-23936

CVE-2023-23936

Name

CVE-2023-23936

Description

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/nodejs/undici/releases/tag/v5.19.1
MISC	https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034
MISC	https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
MISC	https://hackerone.com/reports/1820955

Type

URI

MISC

https://github.com/nodejs/undici/releases/tag/v5.19.1

MISC

https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034

MISC

https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff

MISC

https://hackerone.com/reports/1820955

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:nodejs:undici::::::node.js::*`	nodejs	>= 2.0.0	< 5.19.1
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	nodejs	>= 18.0.0	< 18.14.1
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	nodejs	>= 16.0.0	< 16.19.1
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= 19.0.0	< 19.6.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*

nodejs

>= 2.0.0

< 5.19.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

nodejs

>= 18.0.0

< 18.14.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

nodejs

>= 16.0.0

< 16.19.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= 19.0.0

< 19.6.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
nodejs	edge-main	18.14.1-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
nodejs	edge-main	18.14.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.13.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.12.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	16.18.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	16.18.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	16.17.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	16.17.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	16.16.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	16.16.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	16.13.2-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	3.22-main	18.14.1-r0	None	fixed
nodejs	3.22-main	18.12.1-r0	None	possibly vulnerable
nodejs	3.22-main	16.17.1-r0	None	possibly vulnerable
nodejs	3.22-main	16.13.2-r0	None	possibly vulnerable
nodejs	3.21-main	18.14.1-r0	None	fixed
nodejs	3.21-main	18.12.1-r0	None	possibly vulnerable
nodejs	3.21-main	16.17.1-r0	None	possibly vulnerable
nodejs	3.21-main	16.13.2-r0	None	possibly vulnerable
nodejs	3.20-main	18.14.1-r0	None	fixed
nodejs	3.20-main	18.12.1-r0	None	possibly vulnerable
nodejs	3.20-main	16.17.1-r0	None	possibly vulnerable
nodejs	3.20-main	16.13.2-r0	None	possibly vulnerable
nodejs	3.19-main	18.14.1-r0	None	fixed
nodejs	3.19-main	18.12.1-r0	None	possibly vulnerable
nodejs	3.19-main	16.17.1-r0	None	possibly vulnerable
nodejs	3.19-main	16.13.2-r0	None	possibly vulnerable
nodejs	3.18-main	18.14.1-r0	None	fixed
nodejs	3.17-main	18.14.1-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages