CVE-2020-8287

medium
Description

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

References

https://hackerone.com/reports/1002188

https://lists.fedoraproject.org/archives/list/[email protected]/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/

https://lists.fedoraproject.org/archives/list/[email protected]/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/

https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/

https://security.gentoo.org/glsa/202101-07

https://security.netapp.com/advisory/ntap-20210212-0003/

https://www.debian.org/security/2021/dsa-4826

https://www.oracle.com/security-alerts/cpujan2021.html

Details

Source: MITRE

Published: 2021-01-06

Updated: 2021-02-19

Type: CWE-444

Risk Information

CVSS v2

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Impact Score: 2.5

Exploitability Score: 3.9

Severity: MEDIUM

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 148351 | Photon OS 4.0: Nodejs PHSA-2021-4.0-0007 | Nessus | PhotonOS Local Security Checks | high |
| 148292 | Photon OS 3.0: Nodejs PHSA-2021-3.0-0213 | Nessus | PhotonOS Local Security Checks | medium |
| 147954 | Photon OS 1.0: Nodejs10 PHSA-2021-1.0-0373 | Nessus | PhotonOS Local Security Checks | medium |
| 146539 | CentOS 8 : nodejs:12 (CESA-2021:0549) | Nessus | CentOS Local Security Checks | high |
| 146802 | CentOS 8 : nodejs:10 (CESA-2021:0548) | Nessus | CentOS Local Security Checks | high |
| 146638 | Oracle Linux 8 : nodejs:10 (ELSA-2021-0548) | Nessus | Oracle Linux Local Security Checks | high |
| 146637 | Oracle Linux 8 : nodejs:14 (ELSA-2021-0551) | Nessus | Oracle Linux Local Security Checks | high |
| 146636 | Oracle Linux 8 : nodejs:12 (ELSA-2021-0549) | Nessus | Oracle Linux Local Security Checks | high |
| 146548 | CentOS 8 : nodejs:14 (CESA-2021:0551) | Nessus | CentOS Local Security Checks | high |
| 146547 | RHEL 8 : nodejs:10 (RHSA-2021:0548) | Nessus | Red Hat Local Security Checks | high |
| 146540 | RHEL 8 : nodejs:14 (RHSA-2021:0551) | Nessus | Red Hat Local Security Checks | high |
| 146536 | RHEL 8 : nodejs:12 (RHSA-2021:0549) | Nessus | Red Hat Local Security Checks | high |
| 145762 | openSUSE Security Update : nodejs8 (openSUSE-2021-195) | Nessus | SuSE Local Security Checks | medium |
| 145487 | SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2021:0224-1) | Nessus | SuSE Local Security Checks | medium |
| 145398 | openSUSE Security Update : nodejs10 (openSUSE-2021-82) | Nessus | SuSE Local Security Checks | high |
| 145371 | openSUSE Security Update : nodejs12 (openSUSE-2021-64) | Nessus | SuSE Local Security Checks | high |
| 145299 | openSUSE Security Update : nodejs10 (openSUSE-2021-65) | Nessus | SuSE Local Security Checks | high |
| 145286 | openSUSE Security Update : nodejs14 (openSUSE-2021-66) | Nessus | SuSE Local Security Checks | high |
| 145150 | Fedora 32 : 1:nodejs (2021-d5b2c18fe6) | Nessus | Fedora Local Security Checks | high |
| 145024 | FreeBSD : Node.js -- January 2021 Security Releases (08b553ed-537a-11eb-be6e-0022489ad614) | Nessus | FreeBSD Local Security Checks | high |
| 145022 | SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2021:0121-1) | Nessus | SuSE Local Security Checks | medium |
| 144953 | SUSE SLES12 Security Update : nodejs14 (SUSE-SU-2021:0107-1) | Nessus | SuSE Local Security Checks | high |
| 144949 | Node.js 10.x < 10.23.1 / 12.x < 12.20.1 / 14.x < 14.15.4 / 15.x < 15.5.1 Multiple Vulnerabilities | Nessus | Misc. | high |
| 144921 | SUSE SLES15 Security Update : nodejs12 (SUSE-SU-2021:0062-1) | Nessus | SuSE Local Security Checks | high |
| 144917 | SUSE SLES12 Security Update : nodejs12 (SUSE-SU-2021:0068-1) | Nessus | SuSE Local Security Checks | high |
| 144912 | SUSE SLES12 Security Update : nodejs10 (SUSE-SU-2021:0082-1) | Nessus | SuSE Local Security Checks | high |
| 144911 | SUSE SLES15 Security Update : nodejs10 (SUSE-SU-2021:0060-1) | Nessus | SuSE Local Security Checks | high |
| 144910 | SUSE SLES15 Security Update : nodejs14 (SUSE-SU-2021:0061-1) | Nessus | SuSE Local Security Checks | high |
| 144864 | GLSA-202101-07 : NodeJS: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high |
| 144840 | Fedora 33 : 1:nodejs (2021-fb1a136393) | Nessus | Fedora Local Security Checks | high |
| 144824 | Debian DSA-4826-1 : nodejs - security update | Nessus | Debian Local Security Checks | high |