ALAS2022-2022-013

Related Vulnerabilities: CVE-2021-22959, CVE-2021-22960


Amazon Linux 2022 Security Advisory: ALAS-2022-013
Advisory Release Date: 2022-01-25 10:58 Pacific
Advisory Updated Date: 2022-01-26 21:43 Pacific
Severity: Low

Issue Overview:

An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity. (CVE-2021-22959)

An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity. (CVE-2021-22960)
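Both defects the advisory describes are, from the parser's side, missing input checks: a header name containing a space must be rejected (RFC 7230 allows only token characters in a field-name), and a chunk-size line must be strictly hexadecimal with a length cap. The block below is an added example, not code from the advisory, from llhttp or from Node.js; it shows what a strict parser does with such input so a proxy can refuse an ambiguous request rather than forward it. The function names, the 16-digit size cap and the sample header lines are constructed assumptions.

```javascript
// Added example (not part of the advisory, llhttp or Node.js): strict
// validation of the two inputs the advisory names. All names and sample
// inputs below are constructed for illustration.

// RFC 7230 "token" characters: the only bytes allowed in a header field-name.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// A header name is valid only if every character is a token character;
// spaces, tabs and control characters are rejected outright.
function isValidHeaderName(name) {
  return TOKEN_RE.test(name);
}

// Parse one header line strictly: the name must be a token, so any
// whitespace before the colon fails. Returns { name, value } or null
// when the line must be rejected.
function parseHeaderLine(line) {
  const idx = line.indexOf(':');
  if (idx <= 0) return null;               // no colon, or empty name
  const name = line.slice(0, idx);
  if (!isValidHeaderName(name)) return null;
  const value = line.slice(idx + 1).trim(); // optional whitespace around the value is allowed
  return { name: name.toLowerCase(), value };
}

// Parse a chunk-size line ("1a" or "1a;ext=val"). Only hex digits are
// accepted for the size, checked with a regex before parseInt, because
// parseInt("1a 5", 16) would silently return 26 and ignore the trailing
// bytes. A length cap keeps the value from overflowing or being padded.
// Returns the size as a Number, or -1 if the line must be rejected.
const MAX_CHUNK_HEX_DIGITS = 16; // assumption: generous cap for a 64-bit size
function parseChunkSize(line) {
  const semi = line.indexOf(';');
  const sizePart = semi === -1 ? line : line.slice(0, semi);
  if (!/^[0-9A-Fa-f]+$/.test(sizePart)) return -1;
  if (sizePart.length > MAX_CHUNK_HEX_DIGITS) return -1;
  const size = parseInt(sizePart, 16);
  if (!Number.isSafeInteger(size)) return -1;
  return size;
}

// Validate a whole CRLF-separated header block. Returns the lines a strict
// parser rejects; a non-empty result means the request should be refused.
function rejectedHeaderLines(headerBlock) {
  return headerBlock
    .split('\r\n')
    .filter((l) => l.length > 0 && parseHeaderLine(l) === null);
}

// Constructed sample: two well-formed headers and two that a lenient parser
// accepted but RFC 7230 forbids (a space inside the field-name).
const SAMPLE_HEADERS = [
  'Host: example.test',
  'Content-Length: 5',
  'Transfer-Encoding : chunked',
  'X Custom: 1',
].join('\r\n');

console.log(rejectedHeaderLines(SAMPLE_HEADERS));
// → [ 'Transfer-Encoding : chunked', 'X Custom: 1' ]
console.log(parseChunkSize('1a'), parseChunkSize('1a;name=val'),
            parseChunkSize('1a 5'), parseChunkSize('0x1a'));
// → 26 26 -1 -1
```

The point of rejecting rather than normalising is that two parsers in the same request path (proxy and origin) must agree on where every message ends; a strict parser that refuses malformed names and chunk sizes removes the disagreement instead of guessing.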


Affected Packages:

nodejs


Issue Correction:
Run dnf update --releasever=2022.0.20220125 nodejs to update your system.

New Packages:
aarch64:
    nodejs-libs-debuginfo-16.13.1-2.amzn2022.aarch64
    v8-devel-9.4.146.24-1.16.13.1.2.amzn2022.aarch64
    nodejs-devel-16.13.1-2.amzn2022.aarch64
    nodejs-debuginfo-16.13.1-2.amzn2022.aarch64
    nodejs-16.13.1-2.amzn2022.aarch64
    nodejs-full-i18n-16.13.1-2.amzn2022.aarch64
    nodejs-libs-16.13.1-2.amzn2022.aarch64
    npm-8.1.2-1.16.13.1.2.amzn2022.aarch64
    nodejs-debugsource-16.13.1-2.amzn2022.aarch64

i686:
    nodejs-libs-debuginfo-16.13.1-2.amzn2022.i686
    nodejs-libs-16.13.1-2.amzn2022.i686
    nodejs-debugsource-16.13.1-2.amzn2022.i686
    nodejs-full-i18n-16.13.1-2.amzn2022.i686
    npm-8.1.2-1.16.13.1.2.amzn2022.i686
    nodejs-16.13.1-2.amzn2022.i686
    nodejs-devel-16.13.1-2.amzn2022.i686
    nodejs-debuginfo-16.13.1-2.amzn2022.i686
    v8-devel-9.4.146.24-1.16.13.1.2.amzn2022.i686

noarch:
    nodejs-docs-16.13.1-2.amzn2022.noarch

src:
    nodejs-16.13.1-2.amzn2022.src

x86_64:
    nodejs-libs-debuginfo-16.13.1-2.amzn2022.x86_64
    nodejs-libs-16.13.1-2.amzn2022.x86_64
    nodejs-debuginfo-16.13.1-2.amzn2022.x86_64
    v8-devel-9.4.146.24-1.16.13.1.2.amzn2022.x86_64
    nodejs-devel-16.13.1-2.amzn2022.x86_64
    nodejs-16.13.1-2.amzn2022.x86_64
    nodejs-full-i18n-16.13.1-2.amzn2022.x86_64
    npm-8.1.2-1.16.13.1.2.amzn2022.x86_64
    nodejs-debugsource-16.13.1-2.amzn2022.x86_64