CVE-2023-30589

Name
CVE-2023-30589
Description
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://hackerone.com/reports/2001873
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76/
MISC https://security.netapp.com/advisory/ntap-20230803-0009/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF/
support@hackerone.com https://security.netapp.com/advisory/ntap-20240621-0006/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:nodejs:node.js:16.0.0:*:*:*:-:*:*:* nodejs == None == 16.0.0
cpe:2.3:a:nodejs:node.js:20.0.0:*:*:*:-:*:*:* nodejs == None == 20.0.0
cpe:2.3:a:nodejs:node.js:18.0.0:*:*:*:-:*:*:* nodejs == None == 18.0.0
cpe:2.3:a:nodejs:node.js:20.2.0:*:*:*:-:*:*:* nodejs == None == 20.2.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 16.0.0 < 16.20.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 18.0.0 < 18.16.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 20.0.0 < 20.3.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
openjdk17 3.18-community 17.0.9_p8-r0 Simon Frankenberger <simon-alpine@fraho.eu> fixed