CVE-2020-8201

Published: 18/09/2020 Updated: 07/11/2023
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.4 | Impact Score: 5.2 | Exploitability Score: 2.2
VMScore: 516
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Summary

Node.js versions before 12.18.4 and before 14.11.0 can be exploited to perform HTTP desync (request smuggling) attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and carry out a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in the processing of carriage-return (CR) characters in HTTP header names: a header name containing a bare CR is not a valid RFC 7230 token and should be rejected, and a parser that tolerates it can disagree with another HTTP parser on the same request path about where one message ends and the next begins. Upgrading to 12.18.4 / 14.11.0 or later removes the issue.
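The following is an added illustration, not code from the Node.js project or from this advisory, of why a single bare CR inside a header name matters for desync. It models three ways a parser might treat such a name (strict rejection, stripping the CR, or keeping it verbatim) and shows that the two tolerant models disagree about where the request body ends. The function names (`parseHeaders`, `framing`, `framingFor`, `nextRequestOffset`), the three modes and the sample request are all assumptions constructed for the example; none reproduces the actual Node.js code path.

```javascript
// Added example (not Node.js project code): one bare CR in a header name
// lets two HTTP/1.1 parsers disagree about message framing.
// The three parser modes are models built for illustration only.

// RFC 7230 "token" characters: the only bytes allowed in a field name.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

class HeaderParseError extends Error {}

// Parse the header block of a raw HTTP/1.1 request into a lowercase name -> value map.
//   "strict": reject any field name that is not a token (CR, LF, SP, ...).
//   "strip":  tolerate a bare CR by deleting it from the name (model of a parser
//             that normalises the name before use, so it matches Transfer-Encoding).
//   "keep":   store the name verbatim, CR included, so it never matches the
//             well-known header it was meant to impersonate.
function parseHeaders(raw, mode = "strict") {
  const end = raw.indexOf("\r\n\r\n");
  if (end === -1) throw new HeaderParseError("no end of headers");
  const lines = raw.slice(0, end).split("\r\n");
  lines.shift(); // drop the request line
  const headers = {};
  for (const line of lines) {
    const colon = line.indexOf(":");
    if (colon < 1) throw new HeaderParseError(`malformed field: ${JSON.stringify(line)}`);
    let name = line.slice(0, colon);
    const value = line.slice(colon + 1).trim();
    if (!TOKEN_RE.test(name)) {
      if (mode === "strict") {
        throw new HeaderParseError(`invalid field name: ${JSON.stringify(name)}`);
      }
      if (mode === "strip") name = name.replace(/\r/g, "");
      // "keep": leave the name exactly as received
    }
    headers[name.toLowerCase()] = value;
  }
  return headers;
}

// Body framing a parser would apply after reading the headers.
function framing(headers) {
  if (/\bchunked\b/i.test(headers["transfer-encoding"] || "")) return "chunked";
  if ("content-length" in headers) return "content-length";
  return "none";
}

// "reject", "chunked", "content-length" or "none" for a given parser mode.
function framingFor(raw, mode) {
  try {
    return framing(parseHeaders(raw, mode));
  } catch (e) {
    if (e instanceof HeaderParseError) return "reject";
    throw e;
  }
}

// Offset in `raw` at which the next request would begin under the mode's framing.
// Chunked decoding is minimal (no trailers, no chunk extensions).
function nextRequestOffset(raw, mode) {
  const headers = parseHeaders(raw, mode); // throws in strict mode for a bad name
  let pos = raw.indexOf("\r\n\r\n") + 4;
  switch (framing(headers)) {
    case "content-length":
      return pos + Number(headers["content-length"]);
    case "chunked":
      for (;;) {
        const eol = raw.indexOf("\r\n", pos);
        const size = parseInt(raw.slice(pos, eol), 16);
        pos = eol + 2 + size + 2; // size line, chunk data, CRLF after the data
        if (size === 0) return pos;
      }
    default:
      return pos;
  }
}

// Constructed request (not a captured exploit): a bare CR sits inside the
// Transfer-Encoding field name, so that line does not end at the CR.
const CR_IN_NAME = [
  "POST /login HTTP/1.1",
  "Host: example.test",
  "Content-Length: 5",
  "Transfer-Encoding\r: chunked",
  "",
  "6",
  "hello!",
  "0",
  "",
  "GET /admin HTTP/1.1",
  "",
  "",
].join("\r\n");

// Constructed well-formed request for comparison: every mode agrees on it.
const CLEAN = "POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello";

// Stand-alone demo: print what each parser model concludes.
for (const mode of ["strict", "strip", "keep"]) {
  console.log(mode, "->", framingFor(CR_IN_NAME, mode));
}
```

The "strip" model sees a chunked body and places the next request at `GET /admin`; the "keep" model sees `Content-Length: 5` and places it five bytes into the same body. A front end and a back end that differ in this way are exactly the desync the advisory describes, and the "strict" model, which refuses the malformed name outright, is the behaviour the fixed Node.js releases adopt for header names.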

Vulnerable Products

nodejs node.js

opensuse leap 15.2

fedoraproject fedora 33

Vendor Advisories

Synopsis: Moderate: rh-nodejs12-nodejs security update. Type/Severity: Security Advisory: Moderate. Topic: An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring Syst ...
Synopsis: Moderate: nodejs:12 security and bug fix update. Type/Severity: Security Advisory: Moderate. Topic: An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring S ...
Synopsis: Moderate: nodejs:12 security and bug fix update. Type/Severity: Security Advisory: Moderate. Topic: An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Comm ...
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was po ...

ICS Advisories

Hitachi Energy MicroSCADA Pro/X SYS600
Critical Infrastructure Sectors: Energy

Github Repositories

Docker build with nodejs, oracle and linux alpine

oracle-node-alpine: Simple and lightweight Alpine Linux build with NodeJS and Oracle Instant Client 12.1.0.1. Recommended tags: 16.13.1-alpine3.14, latest (2021-12): NodeJS 16.13.1 and Alpine Linux 3.14, suitable for use with npm package oracledb@5.1.0; 14.18.2-alpine3.14, latest (2021-12): NodeJS 14.18.2 and Alpine Linux 3.14, suitable for use with npm package oracledb@5.1.0.