Bug 1176605 (CVE-2020-8201) - VUL-0: CVE-2020-8201: nodejs12, nodejs14, nodejs: HTTP Request Smuggling due to CR-to-Hyphen conversion
Status: RESOLVED FIXED
Alias: CVE-2020-8201
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/267445/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-8201:5.6:(AV:N...
Reported: 2020-09-16 12:58 UTC by Wolfgang Frisch
Modified: 2023-07-06 12:31 UTC
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Wolfgang Frisch 2020-09-16 12:58:00 UTC
CVE-2020-8201

Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.

Upstream advisory:
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1879311
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8201
https://access.redhat.com/security/cve/CVE-2020-8201
Comment 1 Wolfgang Frisch 2020-09-16 13:00:34 UTC
Affected:
SUSE:SLE-12:Update         nodejs12
SUSE:SLE-15-SP2:Update     nodejs12
openSUSE:Leap:15.2:Update  nodejs12
openSUSE:Factory           nodejs14
Comment 3 OBSbugzilla Bot 2020-09-25 10:50:12 UTC
This is an autogenerated message for OBS integration:
This bug (1176605) was mentioned in
https://build.opensuse.org/request/show/837371 Factory / nodejs14
https://build.opensuse.org/request/show/837372 Factory / nodejs12
https://build.opensuse.org/request/show/837373 Factory / nodejs10
Comment 4 OBSbugzilla Bot 2020-09-28 12:50:12 UTC
This is an autogenerated message for OBS integration:
This bug (1176605) was mentioned in
https://build.opensuse.org/request/show/838274 Factory / nodejs14
Comment 6 Adam Majer 2020-09-28 13:52:36 UTC
Fixes submitted to all codestreams. Reassigning to security for tracking.
Comment 8 Swamp Workflow Management 2020-10-01 13:15:03 UTC
SUSE-SU-2020:2813-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1172686,1173937,1176589,1176605
CVE References: CVE-2020-15095,CVE-2020-8201,CVE-2020-8252
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs12-12.18.4-4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-10-01 13:18:12 UTC
SUSE-SU-2020:2812-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1172686,1173937,1176589,1176605
CVE References: CVE-2020-15095,CVE-2020-8201,CVE-2020-8252
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.18.4-1.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-10-05 10:16:27 UTC
openSUSE-SU-2020:1616-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1172686,1173937,1176589,1176605
CVE References: CVE-2020-15095,CVE-2020-8201,CVE-2020-8252
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs12-12.18.4-lp152.3.6.1
Comment 11 Wolfgang Frisch 2020-10-15 11:32:18 UTC
Released.