Bug 1203832 – VUL-0: CVE-2022-35256: nodejs10,nodejs8,nodejs12,nodejs16,nodejs14,nodejs4,nodejs6: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields

Bug 1203832 - (CVE-2022-35256) VUL-0: CVE-2022-35256: nodejs10,nodejs8,nodejs12,nodejs16,nodejs14,nodejs4,nodejs6: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields

(CVE-2022-35256)
Summary:	VUL-0: CVE-2022-35256: nodejs10,nodejs8,nodejs12,nodejs16,nodejs14,nodejs4,no...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Adam Majer
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/343736/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-35256:6.5:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-09-28 09:03 UTC by Marcus Meissner
Modified:	2023-02-15 14:29 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2022-09-28 09:03:21 UTC

CVE-2022-35256

https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/

HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium) (CVE-2022-35256)

The llhttp parser in the http module in Node.js v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

Thank you, VVX7 for reporting this vulnerability.

Impacts:

    All versions of the 18.x, 16.x, and 14.x release lines.
    llhttp v6.0.10 contains the fixes that were updated inside Node.js

Comment 2 OBSbugzilla Bot 2022-09-28 14:25:07 UTC

This is an autogenerated message for OBS integration:
This bug (1203832) was mentioned in
https://build.opensuse.org/request/show/1006689 Factory / nodejs18
https://build.opensuse.org/request/show/1006690 Factory / nodejs16

Comment 6 OBSbugzilla Bot 2022-09-29 15:35:08 UTC

This is an autogenerated message for OBS integration:
This bug (1203832) was mentioned in
https://build.opensuse.org/request/show/1006992 Factory / nodejs18

Comment 7 Swamp Workflow Management 2022-10-04 13:31:13 UTC

SUSE-SU-2022:3503-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1201325,1203832
CVE References: CVE-2022-32213,CVE-2022-35256
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.12-1.54.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Swamp Workflow Management 2022-10-04 16:20:35 UTC

SUSE-SU-2022:3516-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1201325,1203832
CVE References: CVE-2022-32213,CVE-2022-35256
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.20.1-6.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Swamp Workflow Management 2022-10-05 13:19:36 UTC

SUSE-SU-2022:3524-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1201325,1201327,1203831,1203832
CVE References: CVE-2022-32213,CVE-2022-32215,CVE-2022-35255,CVE-2022-35256
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs16-16.17.1-8.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 10 Swamp Workflow Management 2022-10-18 16:21:01 UTC

SUSE-SU-2022:3614-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1201325,1203832
CVE References: CVE-2022-32213,CVE-2022-35256
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs14-14.20.1-150200.15.37.1
openSUSE Leap 15.3 (src):    nodejs14-14.20.1-150200.15.37.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.20.1-150200.15.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Swamp Workflow Management 2022-10-18 16:22:53 UTC

SUSE-SU-2022:3615-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1201325,1201327,1203831,1203832
CVE References: CVE-2022-32213,CVE-2022-32215,CVE-2022-35255,CVE-2022-35256
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs16-16.17.1-150300.7.12.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs16-16.17.1-150300.7.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Swamp Workflow Management 2022-10-18 16:25:53 UTC

SUSE-SU-2022:3616-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1201325,1203832
CVE References: CVE-2022-32213,CVE-2022-35256
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs12-12.22.12-150200.4.38.1
openSUSE Leap 15.3 (src):    nodejs12-12.22.12-150200.4.38.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.12-150200.4.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 13 Swamp Workflow Management 2022-10-19 16:27:07 UTC

SUSE-SU-2022:3656-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1201325,1201327,1203831,1203832
CVE References: CVE-2022-32213,CVE-2022-32215,CVE-2022-35255,CVE-2022-35256
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs16-16.17.1-150400.3.9.1
SUSE Linux Enterprise Module for Web Scripting 15-SP4 (src):    nodejs16-16.17.1-150400.3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 14 Swamp Workflow Management 2022-11-01 14:19:02 UTC

SUSE-SU-2022:3835-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1201325,1203832
CVE References: CVE-2022-32213,CVE-2022-35256
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs10-10.24.1-150000.1.50.1
openSUSE Leap 15.3 (src):    nodejs10-10.24.1-150000.1.50.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 20 Swamp Workflow Management 2023-02-14 17:25:58 UTC

SUSE-SU-2023:0408-1: An update that solves 7 vulnerabilities, contains two features and has three fixes is now available.

Category: security (moderate)
Bug References: 1200303,1201325,1201326,1201327,1201328,1203831,1203832,1205042,1205119,1205236
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215,CVE-2022-35255,CVE-2022-35256,CVE-2022-43548
JIRA References: PED-2097,PED-3192
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs18-18.13.0-8.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 21 Swamp Workflow Management 2023-02-15 14:29:11 UTC

SUSE-SU-2023:0419-1: An update that solves 7 vulnerabilities, contains two features and has three fixes is now available.

Category: security (moderate)
Bug References: 1200303,1201325,1201326,1201327,1201328,1203831,1203832,1205042,1205119,1205236
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215,CVE-2022-35255,CVE-2022-35256,CVE-2022-43548
JIRA References: PED-2097,PED-3192
Sources used:
openSUSE Leap 15.5 (src):    nodejs18-18.13.0-150400.9.3.1
openSUSE Leap 15.4 (src):    nodejs18-18.13.0-150400.9.3.1
SUSE Linux Enterprise Module for Web Scripting 15-SP4 (src):    nodejs18-18.13.0-150400.9.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.