Vulnerability CVE-2020-8287

Vulnerability Name:

CVE-2020-8287 (CCN-194100)

Assigned:

2020-01-28

Published:

2021-01-04

Updated:

2023-02-03

Summary:

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

CVSS v3 Severity:

6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

7.4 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): None

5.4 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
4.7 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

7.1 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): None

Vulnerability Type:

CWE-444

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2020-8287

Source: support@hackerone.com
Type: Patch, Third Party Advisory
support@hackerone.com

Source: XF
Type: UNKNOWN
nodejs-cve20208287-request-smuggling(194100)

Source: support@hackerone.com
Type: Exploit, Issue Tracking, Third Party Advisory
support@hackerone.com

Source: support@hackerone.com
Type: Mailing List, Third Party Advisory
support@hackerone.com

Source: support@hackerone.com
Type: Third Party Advisory
support@hackerone.com

Source: support@hackerone.com
Type: Mailing List, Third Party Advisory
support@hackerone.com

Source: CCN
Type: Node.js Blog, 2021-01-04
Node v10.23.1 (LTS)

Source: CCN
Type: Node.js Blog, 2021-01-04
Node v12.20.1 (LTS)

Source: support@hackerone.com
Type: Patch, Vendor Advisory
support@hackerone.com

Source: support@hackerone.com
Type: Third Party Advisory
support@hackerone.com

Source: support@hackerone.com
Type: Third Party Advisory
support@hackerone.com

Source: support@hackerone.com
Type: Third Party Advisory
support@hackerone.com

Source: CCN
Type: IBM Security Bulletin 6415993 (Spectrum Control)
Vulnerabilities in XStream, Apache HTTP, Jackson Databind, OpenSSL, and Node.js affect IBM Spectrum Control

Source: CCN
Type: IBM Security Bulletin 6416137 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js

Source: CCN
Type: IBM Security Bulletin 6428997 (SDK for Node.js for Bluemix)
Multiple vulnerabilities affect IBM SDK for Node.js in IBM Cloud

Source: CCN
Type: IBM Security Bulletin 6435153 (Cloud Pak for Integration)
IBM Cloud Pak for Integration is vulnerable to Node.js vulnerabilities (CVE-2020-1971, CVE-2020-8265, and CVE-2020-8287)

Source: CCN
Type: IBM Security Bulletin 6436083 (Business Automation Workflow)
Multiple vulnerabilities in node.js may affect configuration editor used in IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2020-1971, CVE-2020-8265, CVE-2020-8287

Source: CCN
Type: IBM Security Bulletin 6437245 (InfoSphere Information Server)
Multiple vulnerabilities in Node.js affect IBM InfoSphere Information Server

Source: CCN
Type: IBM Security Bulletin 6437577 (Cloud Pak for Automation)
Multiple vulnerabilities affect IBM Cloud Pak for Automation

Source: CCN
Type: IBM Security Bulletin 6437579 (Rational Team Concert)
Multiple vulnerabilites affect IBM Engineering products.

Source: CCN
Type: IBM Security Bulletin 6438785 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is affected by multiple Node.js vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6440625 (API Connect)
IBM API Connect is impacted by vulnerabilities in Node.js and OpenSSL (CVE-2020-1971, CVE-2020-8265, CVE-2020-8287)

Source: CCN
Type: IBM Security Bulletin 6444815 (App Connect Enterprise)
Multiple vulnerabilites in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11

Source: CCN
Type: IBM Security Bulletin 6448434 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container may be vulnerable to multiple denial of service and HTTP request smuggling vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6449998 (Integration Bus)
IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2020-8287)

Source: CCN
Type: IBM Security Bulletin 6453115 (Cloud Pak for Security)
Cloud Pak for Security contains security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6463275 (Event Streams)
IBM Event Streams is potentially affected by multiple node vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6469135 (Security Guardium Insights)
IBM Security Guardium Insights is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6476622 (WA for ICP)
Potential vulnerability with Node.js

Source: CCN
Type: IBM Security Bulletin 6481671 (DataPower Gateway)
Vulnerabilities in Node.js in IBM DataPower Gateway

Source: CCN
Type: IBM Security Bulletin 6482489 (DataPower Gateway)
Update Secure Gateway Client in IBM DataPower Gateway to address several CVEs

Source: CCN
Type: IBM Security Bulletin 6486165 (Cloud Private)
IBM Cloud Private is vulnerable to OpenSSL and Node.js vulnerabilities (CVE-2020-1971, CVE-2020-8287, CVE-2020-8265)

Source: CCN
Type: IBM Security Bulletin 6591203 (Netcool Agile Service Manager)
Multiple Vulnerabilities in Node.js affects IBM Netcool Agile Service Manager

Source: support@hackerone.com
Type: Third Party Advisory
support@hackerone.com

Vulnerable Configuration:

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:

cpe:/a:nodejs:node.js:10:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:12:*:*:*:*:*:*:*

AND

cpe:/a:ibm:business_process_manager:8.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:api_connect:5.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:6.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:business_process_manager:8.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:integration_bus:10.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*

OR cpe:/a:ibm:datapower_gateway:2018.4.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:2019.2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:api_connect:2018.4.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:2019.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:business_automation_workflow:18.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:business_automation_workflow:19.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:business_automation_workflow:20.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:7.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:2019.4.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.4:*:standard:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.5:*:standard:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_automation:20.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:datapower_gateway:10.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:api_connect:10.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:api_connect:5.0.8.10:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:2019.4.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.4.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:watson_discovery:2.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:api_connect:10.0.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.6.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_transformation_advisor:2.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:api_connect:2018.4.1.15:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:datapower_gateway:10.0.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:datapower_gateway:10.0.1.3:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:8154	P	Security update for openssl-1_0_0 (Moderate) (in QA)	2023-06-20
oval:org.opensuse.security:def:8176	P	Security update for php7 (Moderate) (in QA)	2023-06-15
oval:org.opensuse.security:def:8175	P	Security update for MozillaThunderbird (Important) (in QA)	2023-06-13
oval:org.opensuse.security:def:8143	P	Security update for rustup (Moderate) (in QA)	2023-06-09
oval:org.opensuse.security:def:8174	P	Security update for dav1d (Moderate) (in QA)	2023-05-22
oval:org.opensuse.security:def:641	P	Security update for nodejs12 (Moderate) (in QA)	2022-09-30
oval:org.opensuse.security:def:642	P	Security update for nodejs10 (Moderate) (in QA)	2022-09-30
oval:org.opensuse.security:def:99499	P	(Important)	2022-03-10
oval:org.opensuse.security:def:113037	P	nodejs14-14.17.5-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:99698	P	(Moderate)	2021-12-03
oval:org.opensuse.security:def:106478	P	nodejs14-14.17.5-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:101418	P	nodejs14-14.16.0-5.9.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63416	P	nodejs12-12.21.0-4.13.2 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:2327	P	nodejs12-12.21.0-4.13.2 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63417	P	nodejs14-14.16.0-5.9.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:2328	P	nodejs14-14.16.0-5.9.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:101417	P	nodejs12-12.21.0-4.13.2 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:93099	P	(Moderate)	2021-07-20
oval:org.opensuse.security:def:99108	P	(Important)	2021-06-08
oval:org.opensuse.security:def:93252	P	(Moderate)	2021-06-04
oval:com.redhat.rhsa:def:20210548	P	RHSA-2021:0548: nodejs:10 security update (Moderate)	2021-02-16
oval:com.redhat.rhsa:def:20210549	P	RHSA-2021:0549: nodejs:12 security update (Moderate)	2021-02-16
oval:com.redhat.rhsa:def:20210551	P	RHSA-2021:0551: nodejs:14 security and bug fix update (Moderate)	2021-02-16
oval:org.opensuse.security:def:100006	P	(Important)	2021-02-09
oval:org.opensuse.security:def:111197	P	Security update for nodejs8 (Moderate)	2021-01-30
oval:org.opensuse.security:def:69889	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:10300	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:98913	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:8997	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:69501	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:97155	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:9749	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:8617	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:92549	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:70255	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:9361	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:91963	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:10115	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:92748	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:99300	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:92158	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:69690	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:8802	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:92946	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:70440	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:9550	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:92350	P	Security update for nodejs8 (Moderate)	2021-01-26
oval:org.opensuse.security:def:110676	P	Security update for nodejs10 (Moderate)	2021-01-16
oval:org.opensuse.security:def:111357	P	Security update for nodejs12 (Moderate)	2021-01-15
oval:org.opensuse.security:def:111361	P	Security update for nodejs10 (Moderate)	2021-01-15
oval:org.opensuse.security:def:111363	P	Security update for nodejs14 (Moderate)	2021-01-15
oval:org.opensuse.security:def:118571	P	Security update for nodejs8 (Moderate)	2021-01-14
oval:org.opensuse.security:def:69243	P	Security update for nodejs8 (Moderate)	2021-01-14
oval:org.opensuse.security:def:109475	P	Security update for nodejs8 (Moderate)	2021-01-14
oval:org.opensuse.security:def:96119	P	Security update for nodejs8 (Moderate)	2021-01-14
oval:org.opensuse.security:def:102809	P	Security update for nodejs8 (Moderate)	2021-01-14
oval:org.opensuse.security:def:96850	P	Security update for nodejs8 (Moderate)	2021-01-14
oval:org.opensuse.security:def:49438	P	Security update for nodejs14 (Moderate)	2021-01-13
oval:org.opensuse.security:def:20967	P	Security update for nodejs14 (Moderate)	2021-01-13
oval:org.opensuse.security:def:20994	P	Security update for nodejs10 (Moderate)	2021-01-12
oval:org.opensuse.security:def:49465	P	Security update for nodejs10 (Moderate)	2021-01-12
oval:org.opensuse.security:def:102829	P	Security update for nodejs10 (Moderate)	2021-01-11
oval:org.opensuse.security:def:97241	P	Security update for nodejs12 (Moderate)	2021-01-11
oval:org.opensuse.security:def:91824	P	Security update for nodejs10 (Moderate)	2021-01-11
oval:org.opensuse.security:def:109497	P	Security update for nodejs12 (Moderate)	2021-01-11
oval:org.opensuse.security:def:96140	P	Security update for nodejs14 (Moderate)	2021-01-11
oval:org.opensuse.security:def:118591	P	Security update for nodejs10 (Moderate)	2021-01-11
oval:org.opensuse.security:def:69263	P	Security update for nodejs10 (Moderate)	2021-01-11
oval:org.opensuse.security:def:102830	P	Security update for nodejs14 (Moderate)	2021-01-11
oval:org.opensuse.security:def:69592	P	Security update for nodejs10 (Moderate)	2021-01-11
oval:org.opensuse.security:def:97238	P	Security update for nodejs10 (Moderate)	2021-01-11
oval:org.opensuse.security:def:96141	P	Security update for nodejs12 (Moderate)	2021-01-11
oval:org.opensuse.security:def:8705	P	Security update for nodejs10 (Moderate)	2021-01-11
oval:org.opensuse.security:def:70346	P	Security update for nodejs10 (Moderate)	2021-01-11
oval:org.opensuse.security:def:118592	P	Security update for nodejs14 (Moderate)	2021-01-11
oval:org.opensuse.security:def:109495	P	Security update for nodejs10 (Moderate)	2021-01-11
oval:org.opensuse.security:def:69264	P	Security update for nodejs14 (Moderate)	2021-01-11
oval:org.opensuse.security:def:102831	P	Security update for nodejs12 (Moderate)	2021-01-11
oval:org.opensuse.security:def:49464	P	Security update for nodejs12 (Moderate)	2021-01-11
oval:org.opensuse.security:def:9452	P	Security update for nodejs10 (Moderate)	2021-01-11
oval:org.opensuse.security:def:20993	P	Security update for nodejs12 (Moderate)	2021-01-11
oval:org.opensuse.security:def:69232	P	Security update for nodejs10 (Moderate)	2021-01-11
oval:org.opensuse.security:def:97240	P	Security update for nodejs14 (Moderate)	2021-01-11
oval:org.opensuse.security:def:10206	P	Security update for nodejs10 (Moderate)	2021-01-11
oval:org.opensuse.security:def:98774	P	Security update for nodejs10 (Moderate)	2021-01-11
oval:org.opensuse.security:def:118593	P	Security update for nodejs12 (Moderate)	2021-01-11
oval:org.opensuse.security:def:109496	P	Security update for nodejs14 (Moderate)	2021-01-11
oval:org.opensuse.security:def:69265	P	Security update for nodejs12 (Moderate)	2021-01-11
oval:org.opensuse.security:def:96139	P	Security update for nodejs10 (Moderate)	2021-01-11

BACK