Fedora 37 : llhttp / python-aiohttp (2023-105880e618)

The remote Fedora 37 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2023-105880e618 advisory. Update llhttp to 8.1.1 including a SONAME version bump and ABI break, https://pagure.io/fesco/issue/3049 and python-aiohttp to 3.8.5. Fixes CVE-2023-30589...

Oracle Linux 8 : nodejs:18 (ELSA-2023-4536)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-4536 advisory. - Rebase to 18.16.1 Resolves: rhbz2188290 rhbz2166926 Resolves: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590 Tenable has extracted the...

Fedora 38 : llhttp / python-aiohttp (2023-f75af676f2)

The remote Fedora 38 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2023-f75af676f2 advisory. Update llhttp to 8.1.1 and python-aiohttp to 3.8.5. Fixes CVE-2023-30589. Tenable has extracted the preceding description block directly from the Fedora...

AlmaLinux 9 : nodejs (ALSA-2023:4331)

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2023:4331 advisory. - The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request...

AlmaLinux 9 : nodejs:18 (ALSA-2023:4330)

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2023:4330 advisory. nodejs: mainModule.proto bypass experimental policy mechanism CVE-2023-30581 nodejs: process interuption due to invalid Public Key information in x509...

nodejs: HTTP Request Smuggling via Empty headers separated by CR

A vulnerability has been identified in the Node.js, where llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS...

SUSE CVE-2023-37276

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only...

GHSA-45C4-8WX5-QW6W aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

Impact aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6 which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an...

aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

Impactaiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6 which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel.This vulnerability only affects users of aiohttp as an HT...

UBUNTU-CVE-2023-37276

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only...

aiohttp 环境问题漏洞

aiohttp is an open source asynchronous HTTP client/server framework for asyncio and Python. An environment issue vulnerability exists in aiohttp v3.8.4 and earlier versions that stems from easy HTTP request smuggling through the llhttp HTTP request parser...

CVE-2023-30589

A vulnerability has been identified in the Node.js, where llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS...

llhttp vulnerable to HTTP request smuggling

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...

CVE-2023-30589

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...

AZL-27278 CVE-2023-30589 affecting package nodejs for versions less than 16.20.1-2

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...

AZL-27279 CVE-2023-30589 affecting package nodejs18 for versions less than 18.17.1-2

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...

UBUNTU-CVE-2023-30589

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...

Crlf injection

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...

CVE-2023-30589

CVE-2023-30589 – Node.js (llhttp CRLF handling) – Technical summary The llhttp parser in Node.js’ http module does not strictly use CRLF to delimit HTTP header fields, potentially allowing HTTP Request Smuggling. The CR character alone (without LF) can delimit headers, contrary to RFC7230 which r...

CVE-2023-30589

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...