Candidate: CVE-2016-2216
PublicDate: 2016-04-07 21:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2216
 https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/
Description:
 The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.
Ubuntu-Description:
Notes:
Bugs:
Priority: low
Discovered-by: Сковорода Никита Андреевич and Amit Klein
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_nodejs:
upstream_nodejs: released (4.3.0~dfsg-1)
precise_nodejs: ignored (reached end-of-life)
precise/esm_nodejs: DNE (precise was needs-triage)
trusty_nodejs: ignored (out of standard support)
trusty/esm_nodejs: needed
vivid/stable-phone-overlay_nodejs: DNE
vivid/ubuntu-core_nodejs: DNE
wily_nodejs: ignored (reached end-of-life)
xenial_nodejs: ignored (end of standard support, was needed)
yakkety_nodejs: ignored (reached end-of-life)
zesty_nodejs: ignored (reached end-of-life)
artful_nodejs: ignored (reached end-of-life)
bionic_nodejs: not-affected (8.10.0~dfsg-2)
cosmic_nodejs: not-affected (8.11.2~dfsg-1)
disco_nodejs: not-affected (8.11.2~dfsg-1)
eoan_nodejs: not-affected (8.11.2~dfsg-1)
focal_nodejs: not-affected (8.11.2~dfsg-1)
groovy_nodejs: not-affected (8.11.2~dfsg-1)
hirsute_nodejs: not-affected (8.11.2~dfsg-1)
impish_nodejs: not-affected (8.11.2~dfsg-1)
jammy_nodejs: not-affected (8.11.2~dfsg-1)
devel_nodejs: not-affected (8.11.2~dfsg-1)