Lucene search

K
cveHackeroneCVE-2020-8287
HistoryJan 06, 2021 - 9:15 p.m.

CVE-2020-8287

2021-01-0621:15:14
CWE-444
hackerone
web.nvd.nist.gov
307
7
node.js
http request
smuggling
cve-2020-8287
nvd

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

7.1

Confidence

High

EPSS

0.008

Percentile

81.8%

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

Affected configurations

Nvd
Vulners
Node
nodejsnode.jsRange10.0.010.23.1lts
OR
nodejsnode.jsRange12.0.012.20.1lts
OR
nodejsnode.jsRange14.0.014.15.4lts
OR
nodejsnode.jsRange15.0.015.5.1-
Node
debiandebian_linuxMatch10.0
Node
fedoraprojectfedoraMatch32
OR
fedoraprojectfedoraMatch33
Node
oraclegraalvmMatch19.3.4enterprise
OR
oraclegraalvmMatch20.3.0enterprise
Node
siemenssinec_infrastructure_network_servicesRange<1.0.1.1
VendorProductVersionCPE
nodejsnode.js*cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
nodejsnode.js*cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
debiandebian_linux10.0cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
fedoraprojectfedora32cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
fedoraprojectfedora33cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
oraclegraalvm19.3.4cpe:2.3:a:oracle:graalvm:19.3.4:*:*:*:enterprise:*:*:*
oraclegraalvm20.3.0cpe:2.3:a:oracle:graalvm:20.3.0:*:*:*:enterprise:*:*:*
siemenssinec_infrastructure_network_services*cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "https://github.com/nodejs/node",
    "versions": [
      {
        "version": "Fixed in 10.23.1, 12.20.1, 14.15.4, 15.5.1",
        "status": "affected"
      }
    ]
  }
]

Social References

More

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

7.1

Confidence

High

EPSS

0.008

Percentile

81.8%