Bug 1222384 (CVE-2024-27982) - VUL-0: CVE-2024-27982: nodejs18,nodejs20: HTTP Request Smuggling via Content Length Obfuscation
Summary: VUL-0: CVE-2024-27982: nodejs18,nodejs20: HTTP Request Smuggling via Content ...
Status: IN_PROGRESS
Alias: CVE-2024-27982
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Adam Majer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/400474/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-27982:6.1:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-05 13:20 UTC by SMASH SMASH
Modified: 2024-07-23 09:00 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-04-05 13:20:26 UTC
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-27982

HTTP Request Smuggling via Content Length Obfuscation - (CVE-2024-27982) - (Medium)

The team has identified a vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.

Impacts:

    This vulnerability affects all users in all active release lines: 18.x, 20.x and, 21.x.

Thank you, to bpingel for reporting this vulnerability and Paolo Insogna for fixing it.
Comment 1 OBSbugzilla Bot 2024-04-10 09:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1222384) was mentioned in
https://build.opensuse.org/request/show/1166607 Factory / nodejs21
Comment 2 OBSbugzilla Bot 2024-04-10 11:35:07 UTC
This is an autogenerated message for OBS integration:
This bug (1222384) was mentioned in
https://build.opensuse.org/request/show/1166624 Factory / nodejs20
Comment 7 Maintenance Automation 2024-04-16 08:30:04 UTC
SUSE-SU-2024:1301-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220053, 1222244, 1222384, 1222530, 1222603
CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261
Maintenance Incident: [SUSE:Maintenance:33347](https://smelt.suse.de/incident/33347/)
Sources used:
Web and Scripting Module 15-SP5 (src):
 nodejs20-20.12.1-150500.11.9.2
openSUSE Leap 15.5 (src):
 nodejs20-20.12.1-150500.11.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2024-04-16 12:30:08 UTC
SUSE-SU-2024:1309-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220053, 1222244, 1222384, 1222530, 1222603
CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261
Maintenance Incident: [SUSE:Maintenance:33350](https://smelt.suse.de/incident/33350/)
Sources used:
openSUSE Leap 15.4 (src):
 nodejs18-18.20.1-150400.9.21.3
openSUSE Leap 15.5 (src):
 nodejs18-18.20.1-150400.9.21.3
Web and Scripting Module 15-SP5 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Manager Server 4.3 (src):
 nodejs18-18.20.1-150400.9.21.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2024-04-16 12:30:10 UTC
SUSE-SU-2024:1308-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222244, 1222384
CVE References: CVE-2024-27982, CVE-2024-27983
Maintenance Incident: [SUSE:Maintenance:33369](https://smelt.suse.de/incident/33369/)
Sources used:
openSUSE Leap 15.4 (src):
 nodejs16-16.20.2-150400.3.33.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 nodejs16-16.20.2-150400.3.33.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 nodejs16-16.20.2-150400.3.33.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 nodejs16-16.20.2-150400.3.33.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 nodejs16-16.20.2-150400.3.33.1
SUSE Manager Server 4.3 (src):
 nodejs16-16.20.2-150400.3.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2024-04-16 12:30:13 UTC
SUSE-SU-2024:1307-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220053, 1222244, 1222384, 1222530, 1222603
CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261
Maintenance Incident: [SUSE:Maintenance:33351](https://smelt.suse.de/incident/33351/)
Sources used:
Web and Scripting Module 12 (src):
 nodejs18-18.20.1-8.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2024-04-16 12:30:16 UTC
SUSE-SU-2024:1306-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222244, 1222384
CVE References: CVE-2024-27982, CVE-2024-27983
Maintenance Incident: [SUSE:Maintenance:33366](https://smelt.suse.de/incident/33366/)
Sources used:
openSUSE Leap 15.3 (src):
 nodejs16-16.20.2-150300.7.36.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 nodejs16-16.20.2-150300.7.36.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 nodejs16-16.20.2-150300.7.36.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 nodejs16-16.20.2-150300.7.36.2
SUSE Enterprise Storage 7.1 (src):
 nodejs16-16.20.2-150300.7.36.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2024-04-16 12:30:18 UTC
SUSE-SU-2024:1305-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222244, 1222384
CVE References: CVE-2024-27982, CVE-2024-27983
Maintenance Incident: [SUSE:Maintenance:33365](https://smelt.suse.de/incident/33365/)
Sources used:
Web and Scripting Module 12 (src):
 nodejs16-16.20.2-8.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2024-04-19 12:30:24 UTC
SUSE-SU-2024:1346-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222244, 1222384
CVE References: CVE-2024-27982, CVE-2024-27983
Maintenance Incident: [SUSE:Maintenance:33399](https://smelt.suse.de/incident/33399/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Enterprise Storage 7.1 (src):
 nodejs12-12.22.12-150200.4.59.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2024-04-19 16:30:01 UTC
SUSE-SU-2024:1355-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222244, 1222384
CVE References: CVE-2024-27982, CVE-2024-27983
Maintenance Incident: [SUSE:Maintenance:33370](https://smelt.suse.de/incident/33370/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Enterprise Storage 7.1 (src):
 nodejs14-14.21.3-150200.15.58.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.