Bugzilla – Bug 1176605
VUL-0: CVE-2020-8201: nodejs12, nodejs14, nodejs: HTTP Request Smuggling due to CR-to-Hyphen conversion
Last modified: 2023-07-06 12:31:29 UTC
CVE-2020-8201

Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.

Upstream advisory:
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1879311
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8201
https://access.redhat.com/security/cve/CVE-2020-8201

Affected:
SUSE:SLE-12:Update nodejs12
SUSE:SLE-15-SP2:Update nodejs12
openSUSE:Leap:15.2:Update nodejs12
openSUSE:Factory nodejs14
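
A defensive check for the header handling described above, as an added example that is not part of the bug report or of the Node.js code base: it flags any carriage return in a raw request head that is not followed by a line feed, which RFC 7230 section 3.5 says a recipient must treat as invalid or replace with SP. The function name `findBareCR` and the sample requests are constructed for illustration.

```javascript
'use strict';

const CR = 0x0d;
const LF = 0x0a;

// Scan a raw HTTP request head (request line plus header lines) for bare CRs.
// Returns one finding per bare CR: byte offset, 1-based line number, and the
// offending line with control bytes escaped so it is safe to write to a log.
function findBareCR(rawHead) {
  const buf = Buffer.isBuffer(rawHead) ? rawHead : Buffer.from(rawHead, 'latin1');
  const findings = [];
  let line = 1;
  let lineStart = 0;
  for (let i = 0; i < buf.length; i++) {
    if (buf[i] === LF) {
      line += 1;
      lineStart = i + 1;
    } else if (buf[i] === CR && buf[i + 1] !== LF) {
      // A CR at the very end of the buffer is also reported: nothing follows it.
      let end = buf.indexOf(LF, i);
      if (end === -1) end = buf.length;
      if (end > lineStart && buf[end - 1] === CR) end -= 1; // drop the line's own CRLF
      const text = buf
        .toString('latin1', lineStart, end)
        .replace(/[\x00-\x1f\x7f]/g,
          (c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
      findings.push({ offset: i, line, text });
    }
  }
  return findings;
}

// Constructed sample inputs (not taken from the bug report).
const cleanHead =
  'GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n';
const suspectHead =
  'GET / HTTP/1.1\r\nHost: example.test\r\nX-Sample\rName: 1\r\n\r\n';

for (const [label, head] of [['clean', cleanHead], ['suspect', suspectHead]]) {
  const hits = findBareCR(head);
  console.log(label, hits.length === 0 ? 'ok' : JSON.stringify(hits));
}
```
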

This is an autogenerated message for OBS integration:
This bug (1176605) was mentioned in
https://build.opensuse.org/request/show/837371 Factory / nodejs14
https://build.opensuse.org/request/show/837372 Factory / nodejs12
https://build.opensuse.org/request/show/837373 Factory / nodejs10

This is an autogenerated message for OBS integration:
This bug (1176605) was mentioned in
https://build.opensuse.org/request/show/838274 Factory / nodejs14

Fixes submitted to all codestreams. Reassigning to security for tracking

SUSE-SU-2020:2813-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1172686,1173937,1176589,1176605
CVE References: CVE-2020-15095,CVE-2020-8201,CVE-2020-8252
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src): nodejs12-12.18.4-4.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:2812-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1172686,1173937,1176589,1176605
CVE References: CVE-2020-15095,CVE-2020-8201,CVE-2020-8252
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs12-12.18.4-1.20.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2020:1616-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1172686,1173937,1176589,1176605
CVE References: CVE-2020-15095,CVE-2020-8201,CVE-2020-8252
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): nodejs12-12.18.4-lp152.3.6.1

Released.