Lucene search

K
ubuntucveUbuntu.comUB:CVE-2020-8287
HistoryJan 06, 2021 - 12:00 a.m.

CVE-2020-8287

2021-01-0600:00:00
ubuntu.com
ubuntu.com
23
node.js
http request smuggling
cve-2020-8287
security issue
http
unix

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS

0.008

Percentile

81.8%

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies
of a header field in an HTTP request (for example, two Transfer-Encoding
header fields). In this case, Node.js identifies the first header field and
ignores the second. This can lead to HTTP Request Smuggling.

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS

0.008

Percentile

81.8%