Vulnerability Name:

CVE-2020-8201

Assigned:2020-09-15
Published:2020-09-15
Updated:2022-05-24
Summary:Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.
CVSS v3 Severity:7.4 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): None
7.4 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): None
7.4 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): None
CVSS v2 Severity:5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
5.8 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-444
References:Source: MITRE
Type: CNA
CVE-2020-8201

Source: SUSE
Type: Third Party Advisory
openSUSE-SU-2020:1616

Source: MISC
Type: Permissions Required
https://hackerone.com/reports/922597

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-43d5a372fc

Source: MISC
Type: Vendor Advisory
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/

Source: GENTOO
Type: Third Party Advisory
GLSA-202101-07

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20201009-0004/

Vulnerable Configuration:Configuration 1:
  • cpe:/a:nodejs:node.js:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.11.0)
  • OR cpe:/a:nodejs:node.js:*:*:*:*:lts:*:*:* (Version >= 12.0.0 and < 12.18.4)

    • Configuration 2:
  • cpe:/o:opensuse:leap:15.2:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:642
    P
    		Security update for nodejs10 (Moderate) (in QA)
    2022-09-30
    oval:org.opensuse.security:def:641
    P
    		Security update for nodejs12 (Moderate) (in QA)
    2022-09-30
    oval:org.opensuse.security:def:20208201
    V
    		CVE-2020-8201
    2022-06-30
    oval:org.opensuse.security:def:113037
    P
    		nodejs14-14.17.5-1.2 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:4243
    P
    		Security update for MozillaFirefox (Important) (in QA)
    2022-01-14
    oval:org.opensuse.security:def:67387
    P
    		Security update for libsndfile (Important)
    2022-01-11
    oval:org.opensuse.security:def:51999
    P
    		Security update for xorg-x11-server (Important)
    2021-12-20
    oval:org.opensuse.security:def:4227
    P
    		Security update for flatpak (Important)
    2021-10-20
    oval:org.opensuse.security:def:70837
    P
    		Security update for ffmpeg (Moderate)
    2021-10-06
    oval:org.opensuse.security:def:106478
    P
    		nodejs14-14.17.5-1.2 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:38801
    P
    		Security update for curl (Moderate)
    2021-09-23
    oval:org.opensuse.security:def:4215
    P
    		Security update for ffmpeg (Important)
    2021-09-02
    oval:org.opensuse.security:def:64753
    P
    		Security update for openssl-1_1 (Important)
    2021-08-24
    oval:org.opensuse.security:def:38107
    P
    		Security update for cpio (Important)
    2021-08-23
    oval:org.opensuse.security:def:14168
    P
    		hyper-v-7-13.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14349
    P
    		perl-XML-LibXML-2.0019-5.3 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14102
    P
    		colord-gtk-lang-0.1.26-6.3 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14305
    P
    		libvdpau1-1.1.1-6.73 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14012
    P
    		ppp-2.4.7-1.4 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14187
    P
    		libMagickCore-6_Q16-1-6.8.8.1-70.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14360
    P
    		python-doc-2.7.13-27.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:15011
    P
    		libjavascriptcoregtk-3_0-0-2.4.11-23.20 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14150
    P
    		gnome-shell-3.20.4-76.3 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14034
    P
    		squashfs-4.3-6.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:15033
    P
    		libmysqlclient18-10.0.40.1-2.9.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14280
    P
    		libpython2_7-1_0-2.7.13-27.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14004
    P
    		perl-HTML-Parser-3.71-1.145 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14373
    P
    		rrdtool-1.4.7-20.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:63102
    P
    		reiserfs-kmp-default-5.3.18-57.3 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:63130
    P
    		python3-keystoneclient-4.0.0-9.4.5 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:63416
    P
    		nodejs12-12.21.0-4.13.2 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:101417
    P
    		nodejs12-12.21.0-4.13.2 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:63417
    P
    		nodejs14-14.16.0-5.9.1 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:63098
    P
    		openldap2-2.4.46-9.51.1 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:101418
    P
    		nodejs14-14.16.0-5.9.1 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:2327
    P
    		nodejs12-12.21.0-4.13.2 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:2328
    P
    		nodejs14-14.16.0-5.9.1 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:4142
    P
    		Security update for wireshark (Moderate)
    2021-07-22
    oval:org.opensuse.security:def:51927
    P
    		Security update for the Linux Kernel (Important)
    2021-07-21
    oval:org.opensuse.security:def:4129
    P
    		Security update for gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly (Important)
    2021-06-01
    oval:org.opensuse.security:def:64509
    P
    		Security update for libX11 (Moderate)
    2021-05-26
    oval:org.opensuse.security:def:4121
    P
    		Security update for librsvg (Important)
    2021-04-28
    oval:org.opensuse.security:def:52033
    P
    		Security update for MozillaFirefox (Important)
    2021-03-31
    oval:org.opensuse.security:def:51736
    P
    		Security update for java-1_8_0-openjdk (Moderate)
    2021-02-19
    oval:org.opensuse.security:def:64646
    P
    		Security update for jasper (Important)
    2021-02-16
    oval:org.opensuse.security:def:64645
    P
    		Security update for wpa_supplicant (Important)
    2021-02-11
    oval:org.opensuse.security:def:38654
    P
    		Security update for MozillaFirefox (Important)
    2021-01-29
    oval:org.opensuse.security:def:4184
    P
    		Security update for MozillaFirefox (Important)
    2021-01-12
    oval:org.opensuse.security:def:70724
    P
    		Security update for MozillaThunderbird (Important)
    2020-12-07
    oval:org.opensuse.security:def:63601
    P
    		transfig-3.2.6a-2.86 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63105
    P
    		python3-keystoneclient-3.15.0-2.33 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63308
    P
    		uuidd-2.33.1-4.5.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:4349
    P
    		Security update for the Linux Kernel (Important)
    2020-12-02
    oval:org.opensuse.security:def:5023
    P
    		Security update for nodejs12 (Important)
    2020-12-02
    oval:org.opensuse.security:def:4304
    P
    		Security update for the Linux Kernel (Live Patch 12 for SLE 15) (Important)
    2020-12-02
    oval:org.opensuse.security:def:4363
    P
    		Security update for the Linux Kernel (Live Patch 19 for SLE 15) (Important)
    2020-12-02
    oval:org.opensuse.security:def:4356
    P
    		Security update for the Linux Kernel (Important)
    2020-12-02
    oval:org.opensuse.security:def:4324
    P
    		Security update for the Linux Kernel (Live Patch 16 for SLE 15) (Important)
    2020-12-02
    oval:org.opensuse.security:def:4359
    P
    		Security update for the Linux Kernel (Live Patch 18 for SLE 15) (Important)
    2020-12-02
    oval:org.opensuse.security:def:5001
    P
    		Security update for nodejs10 (Critical)
    2020-12-02
    oval:org.opensuse.security:def:67487
    P
    		Security update for nodejs12 (Important)
    2020-12-01
    oval:org.opensuse.security:def:38023
    P
    		perl-32bit on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38494
    P
    		sysstat on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:74967
    P
    		Security update for openldap2 (Important)
    2020-12-01
    oval:org.opensuse.security:def:38829
    P
    		xorg-x11 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:51030
    P
    		Security update for cf-cli (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:51840
    P
    		Security update for python (Important)
    2020-12-01
    oval:org.opensuse.security:def:39511
    P
    		Security update for nodejs4 (Important)
    2020-12-01
    oval:org.opensuse.security:def:64180
    P
    		Security update for krb5 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38346
    P
    		libpcsclite1 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64913
    P
    		Security update for ncurses (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38762
    P
    		opie on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:50661
    P
    		Security update for openldap2 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:75100
    P
    		Security update for nodejs12 (Important)
    2020-12-01
    oval:org.opensuse.security:def:51461
    P
    		Security update for openldap2 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:74046
    P
    		Security update for librsvg (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:63804
    P
    		Security update for dhcp (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:39553
    P
    		Security update for nodejs12 (Important)
    2020-12-01
    oval:org.opensuse.security:def:53384
    P
    		Security update for postgresql12 (Important)
    2020-12-01
    oval:org.opensuse.security:def:38011
    P
    		openssh on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38873
    P
    		libuuid-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:51193
    P
    		Security update for webkit2gtk3 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:74172
    P
    		Security update for nodejs12 (Important)
    2020-12-01
    oval:org.opensuse.security:def:38012
    P
    		openvpn on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38404
    P
    		libxmltooling6 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:65025
    P
    		Security update for openldap2 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:50795
    P
    		Security update for webkit2gtk3 (Important)
    2020-12-01
    oval:org.opensuse.security:def:53454
    P
    		Security update for nodejs12 (Important)
    2020-12-01
    oval:org.opensuse.security:def:50638
    P
    		Security update for gpg2 (Important)
    2020-12-01
    oval:org.opensuse.security:def:52108
    P
    		Security update for mariadb-connector-c (Important)
    2020-12-01
    oval:org.opensuse.security:def:63951
    P
    		Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:38244
    P
    		libQt5WebKit5 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64855
    P
    		Security update for subversion (Important)
    2020-12-01
    oval:org.opensuse.security:def:38713
    P
    		libpolkit0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:50639
    P
    		Security update for postgresql10 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:51297
    P
    		Security update for ImageMagick (Moderate)
    2020-12-01
    oval:com.redhat.rhsa:def:20204272
    P
    		RHSA-2020:4272: nodejs:12 security and bug fix update (Moderate)
    2020-10-19
    oval:org.opensuse.security:def:110795
    P
    		Security update for nodejs12 (Important)
    2020-10-05
    oval:org.opensuse.security:def:102804
    P
    		Security update for nodejs12 (Important)
    2020-10-01
    oval:org.opensuse.security:def:109470
    P
    		Security update for nodejs12 (Important)
    2020-10-01
    oval:org.opensuse.security:def:96114
    P
    		Security update for nodejs12 (Important)
    2020-10-01
    BACK
    nodejs node.js *
    nodejs node.js *
    opensuse leap 15.2
    fedoraproject fedora 33