{"containers": {"cna": {"affected": [{"product": "https://github.com/nodejs/node", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in 12.18.4 and 14.11"}]}], "descriptions": [{"lang": "en", "value": "Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "description": "HTTP Request Smuggling (CWE-444)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-11T10:06:18", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/922597"}, {"name": "openSUSE-SU-2020:1616", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20201009-0004/"}, {"name": "FEDORA-2020-43d5a372fc", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"}, {"name": "GLSA-202101-07", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202101-07"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2020-8201", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "https://github.com/nodejs/node", "version": {"version_data": [{"version_value": "Fixed in 12.18.4 and 14.11"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "HTTP Request Smuggling (CWE-444)"}]}]}, "references": {"reference_data": [{"name": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/", "refsource": "MISC", "url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"}, {"name": "https://hackerone.com/reports/922597", "refsource": "MISC", "url": "https://hackerone.com/reports/922597"}, {"name": "openSUSE-SU-2020:1616", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html"}, {"name": "https://security.netapp.com/advisory/ntap-20201009-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20201009-0004/"}, {"name": "FEDORA-2020-43d5a372fc", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"}, {"name": "GLSA-202101-07", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202101-07"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:56:28.317Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/922597"}, {"name": "openSUSE-SU-2020:1616", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20201009-0004/"}, {"name": "FEDORA-2020-43d5a372fc", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"}, {"name": "GLSA-202101-07", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202101-07"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2020-8201", "datePublished": "2020-09-18T20:12:43", "dateReserved": "2020-01-28T00:00:00", "dateUpdated": "2024-08-04T09:56:28.317Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "3CB8E8E0-24CC-417B-96D7-AF53B2296661", "versionEndExcluding": "12.18.4", "versionStartIncluding": "12.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA70BBF0-BD24-4786-A705-48F26FF4B34B", "versionEndExcluding": "14.11.0", "versionStartIncluding": "14.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names."}, {"lang": "es", "value": "Node.js versiones anteriores a 12.18.4 y versiones anteriores a 14.11, pueden ser explotado para llevar a cabo ataques de desincronizaci\u00f3n HTTP y entregar cargas \u00fatiles maliciosas a usuarios desprevenidos.&#xa0;Las cargas \u00fatiles pueden ser dise\u00f1adas por un atacante para secuestrar sesiones de usuario, envenenar cookies, llevar a cabo secuestro del click y una multitud de otros ataques dependiendo de la arquitectura del sistema subyacente.&#xa0;El ataque fue posible debido a un error en el procesamiento de los s\u00edmbolos carrier-return en los nombres de encabezado HTTP"}], "id": "CVE-2020-8201", "lastModified": "2024-11-21T05:38:29.563", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-18T21:15:12.903", "references": [{"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html"}, {"source": "support@hackerone.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/922597"}, {"source": "support@hackerone.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"}, {"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202101-07"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20201009-0004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/922597"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202101-07"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20201009-0004/"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-444"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:4272", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:12-8020020201007080935.4cda2c84", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-10-19T00:00:00Z"}, {"advisory": "RHSA-2020:4903", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "nodejs:12-8010020201006223055.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2020-11-04T00:00:00Z"}, {"advisory": "RHSA-2020:5086", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.18.4-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-11-12T00:00:00Z"}, {"advisory": "RHSA-2020:5086", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.18.4-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-11-12T00:00:00Z"}, {"advisory": "RHSA-2020:5086", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.18.4-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-11-12T00:00:00Z"}], "bugzilla": {"description": "nodejs: HTTP request smuggling due to CR-to-Hyphen conversion", "id": "1879311", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1879311"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-444", "details": ["Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.", "A flaw was found in Node.js, where affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This flaw leads to HTTP Request Smuggling as it is a non-standard interpretation of the header. The highest threat from this vulnerability is to confidentiality and integrity."], "name": "CVE-2020-8201", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:10/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "nodejs:14/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "impact": "low", "package_name": "quay", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nodejs10-nodejs", "product_name": "Red Hat Software Collections"}], "public_date": "2020-09-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8201\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8201"], "statement": "Node.js is included in Red Hat Quay as a dependency of Yarn, which is only used while building Red Hat Quay, and not during runtime.", "threat_severity": "Moderate", "upstream_fix": "llhttp 2.1.2, nodejs 14.11.0, nodejs 12.18.4"}