Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!Close

CVE-2020-8287

Published: 6 January 2021

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

Priority

Medium

Cvss 3 Severity Score

6.5

Score breakdown

Status

Package Release Status
nodejs
Launchpad, Ubuntu, Debian
groovy Ignored
(end of life)
hirsute Ignored
(end of life)
upstream Needs triage

xenial
Released (4.2.6~dfsg-1ubuntu4.2+esm2)
Available with Ubuntu Pro
kinetic Ignored
(end of life, was needs-triage)
lunar Not vulnerable
(18.13.0+dfsg1-1ubuntu2)
trusty Ignored
(regressions likely)
bionic
Released (8.10.0~dfsg-2ubuntu0.4+esm2)
Available with Ubuntu Pro
focal
Released (10.19.0~dfsg-3ubuntu1.1)
jammy Not vulnerable
(12.22.9~dfsg-1ubuntu3)
impish Ignored
(end of life)
mantic Not vulnerable
(18.13.0+dfsg1-1ubuntu2)
http-parser
Launchpad, Ubuntu, Debian
kinetic Ignored
(end of life, was needs-triage)
bionic
Released (2.7.1-2ubuntu0.1)
focal Needs triage

jammy Needs triage

trusty Needs triage

upstream Needs triage

lunar Needs triage

xenial Needs triage

mantic Needs triage

Severity score breakdown

Parameter Value
Base score 6.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N