CVE-2020-8201
Published: 18 September 2020
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
nodejs Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| focal |
Not vulnerable
(code not present)
|
|
| groovy |
Ignored
(end of life)
|
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Not vulnerable
(12.22.9~dfsg-1ubuntu3)
|
|
| kinetic |
Ignored
(end of life, was needs-triage)
|
|
| lunar |
Not vulnerable
(18.7.0+dfsg-5ubuntu1)
|
|
| mantic |
Not vulnerable
(18.7.0+dfsg-5ubuntu1)
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Released
(12.18.4~dfsg-1)
|
|
| xenial |
Not vulnerable
(code not present)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.4 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
References
- https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/#http-request-smuggling-due-to-cr-to-hyphen-conversion-high-cve-2020-8201
- https://hackerone.com/reports/922597
- https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/
- https://www.cve.org/CVERecord?id=CVE-2020-8201
- NVD
- Launchpad
- Debian