Bugzilla – Bug 1222384
VUL-0: CVE-2024-27982: nodejs18,nodejs20: HTTP Request Smuggling via Content Length Obfuscation
Last modified: 2024-07-23 09:00:13 UTC
References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-27982 HTTP Request Smuggling via Content Length Obfuscation - (CVE-2024-27982) - (Medium) The team has identified a vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first. Impacts: This vulnerability affects all users in all active release lines: 18.x, 20.x and, 21.x. Thank you, to bpingel for reporting this vulnerability and Paolo Insogna for fixing it.
This is an autogenerated message for OBS integration: This bug (1222384) was mentioned in https://build.opensuse.org/request/show/1166607 Factory / nodejs21
This is an autogenerated message for OBS integration: This bug (1222384) was mentioned in https://build.opensuse.org/request/show/1166624 Factory / nodejs20
SUSE-SU-2024:1301-1: An update that solves five vulnerabilities can now be installed. Category: security (important) Bug References: 1220053, 1222244, 1222384, 1222530, 1222603 CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261 Maintenance Incident: [SUSE:Maintenance:33347](https://smelt.suse.de/incident/33347/) Sources used: Web and Scripting Module 15-SP5 (src): nodejs20-20.12.1-150500.11.9.2 openSUSE Leap 15.5 (src): nodejs20-20.12.1-150500.11.9.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1309-1: An update that solves five vulnerabilities can now be installed. Category: security (important) Bug References: 1220053, 1222244, 1222384, 1222530, 1222603 CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261 Maintenance Incident: [SUSE:Maintenance:33350](https://smelt.suse.de/incident/33350/) Sources used: openSUSE Leap 15.4 (src): nodejs18-18.20.1-150400.9.21.3 openSUSE Leap 15.5 (src): nodejs18-18.20.1-150400.9.21.3 Web and Scripting Module 15-SP5 (src): nodejs18-18.20.1-150400.9.21.3 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): nodejs18-18.20.1-150400.9.21.3 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): nodejs18-18.20.1-150400.9.21.3 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): nodejs18-18.20.1-150400.9.21.3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): nodejs18-18.20.1-150400.9.21.3 SUSE Manager Server 4.3 (src): nodejs18-18.20.1-150400.9.21.3 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1308-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1222244, 1222384 CVE References: CVE-2024-27982, CVE-2024-27983 Maintenance Incident: [SUSE:Maintenance:33369](https://smelt.suse.de/incident/33369/) Sources used: openSUSE Leap 15.4 (src): nodejs16-16.20.2-150400.3.33.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): nodejs16-16.20.2-150400.3.33.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): nodejs16-16.20.2-150400.3.33.1 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): nodejs16-16.20.2-150400.3.33.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): nodejs16-16.20.2-150400.3.33.1 SUSE Manager Server 4.3 (src): nodejs16-16.20.2-150400.3.33.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1307-1: An update that solves five vulnerabilities can now be installed. Category: security (important) Bug References: 1220053, 1222244, 1222384, 1222530, 1222603 CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261 Maintenance Incident: [SUSE:Maintenance:33351](https://smelt.suse.de/incident/33351/) Sources used: Web and Scripting Module 12 (src): nodejs18-18.20.1-8.21.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1306-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1222244, 1222384 CVE References: CVE-2024-27982, CVE-2024-27983 Maintenance Incident: [SUSE:Maintenance:33366](https://smelt.suse.de/incident/33366/) Sources used: openSUSE Leap 15.3 (src): nodejs16-16.20.2-150300.7.36.2 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nodejs16-16.20.2-150300.7.36.2 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nodejs16-16.20.2-150300.7.36.2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nodejs16-16.20.2-150300.7.36.2 SUSE Enterprise Storage 7.1 (src): nodejs16-16.20.2-150300.7.36.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1305-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1222244, 1222384 CVE References: CVE-2024-27982, CVE-2024-27983 Maintenance Incident: [SUSE:Maintenance:33365](https://smelt.suse.de/incident/33365/) Sources used: Web and Scripting Module 12 (src): nodejs16-16.20.2-8.42.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1346-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1222244, 1222384 CVE References: CVE-2024-27982, CVE-2024-27983 Maintenance Incident: [SUSE:Maintenance:33399](https://smelt.suse.de/incident/33399/) Sources used: SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): nodejs12-12.22.12-150200.4.59.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nodejs12-12.22.12-150200.4.59.1 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): nodejs12-12.22.12-150200.4.59.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nodejs12-12.22.12-150200.4.59.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): nodejs12-12.22.12-150200.4.59.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nodejs12-12.22.12-150200.4.59.1 SUSE Enterprise Storage 7.1 (src): nodejs12-12.22.12-150200.4.59.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1355-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1222244, 1222384 CVE References: CVE-2024-27982, CVE-2024-27983 Maintenance Incident: [SUSE:Maintenance:33370](https://smelt.suse.de/incident/33370/) Sources used: SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): nodejs14-14.21.3-150200.15.58.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nodejs14-14.21.3-150200.15.58.1 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): nodejs14-14.21.3-150200.15.58.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nodejs14-14.21.3-150200.15.58.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): nodejs14-14.21.3-150200.15.58.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nodejs14-14.21.3-150200.15.58.1 SUSE Enterprise Storage 7.1 (src): nodejs14-14.21.3-150200.15.58.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.