Vulnerability Name: CVE-2022-32215 (CCN-230659)

Assigned: 2022-07-07
Published: 2022-07-07
Updated: 2023-01-26
Summary: The llhttp parser in the http module of Node.js before v14.20.1, before v16.17.1 and before v18.9.1 does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
CVSS v3 Severity: 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
                  5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): Low
    Integrity (I): Low
    Availability (A): None

                  6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
                  5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): Low
    Integrity (I): Low
    Availability (A): None

CVSS v2 Severity: 6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): None
Vulnerability Type: CWE-444
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2022-32215

Source: support@hackerone.com
Type: UNKNOWN
support@hackerone.com

Source: XF
Type: UNKNOWN
nodejs-cve202232215-request-smuggling(230659)

Source: support@hackerone.com
Type: Exploit, Issue Tracking, Third Party Advisory
support@hackerone.com

Source: support@hackerone.com
Type: UNKNOWN
support@hackerone.com

Source: support@hackerone.com
Type: UNKNOWN
support@hackerone.com

Source: support@hackerone.com
Type: UNKNOWN
support@hackerone.com

Source: CCN
Type: Node.js Blog, 2022-07-07
July 7th 2022 Security Releases

Source: support@hackerone.com
Type: Patch, Vendor Advisory
support@hackerone.com

Source: CCN
Type: Node.js Blog, 2022-09-23
September 22nd 2022 Security Releases

Source: CCN
Type: SNYK-JS-LLHTTP-2946720
HTTP Request Smuggling

Source: support@hackerone.com
Type: UNKNOWN
support@hackerone.com

Source: CCN
Type: IBM Security Bulletin 6603049 (Answer Retrieval for Watson Discovery)
IBM Answer Retrieval for Watson Discovery is vulnerable to HTTP request smuggling due to NodeJS

Source: CCN
Type: IBM Security Bulletin 6610929 (Voice Gateway)
Multiple Vulnerabilities in node.js

Source: CCN
Type: IBM Security Bulletin 6611585 (Cloud Pak for Integration)
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6613025 (App Connect Enterprise)
Multiple vulnerabilities due to OpenSSL and Node js which affect IBM App Connect Enterprise and IBM Integration Bus

Source: CCN
Type: IBM Security Bulletin 6616293 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6619919 (Spectrum Protect Plus)
Multiple vulnerabilities in Node.js may affect IBM Spectrum Protect Plus (CVE-2022-32223, CVE-2022-32215, CVE-2022-33987, CVE-2022-32213, CVE-2022-32212, CVE-2022-32222, CVE-2022-32214)

Source: CCN
Type: IBM Security Bulletin 6659671 (Spectrum Control)
IBM Spectrum Control is vulnerable to multiple weaknesses related Java SE and Node

Source: CCN
Type: IBM Security Bulletin 6825155 (Watson Assistant for Cloud Pak for data)
Multiple Vulnerabilities in node.js

Source: CCN
Type: IBM Security Bulletin 6825561 (Event Streams)
Multiple vulnerabilities in Node.js affect IBM Event Streams

Source: CCN
Type: IBM Security Bulletin 6831297 (Cloud Pak for Watson AIOps)
A security vulnerability in Node.js affects IBM Cloud Pak for Watson AIOps Infrastructure Automation

Source: CCN
Type: IBM Security Bulletin 6831849 (Cloud Pak for Watson AIOps)
Multiple Vulnerabilities in CloudPak for Watson AIOPs

Source: CCN
Type: IBM Security Bulletin 6832732 (Cloud Pak for Automation)
Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for October 2022

Source: CCN
Type: IBM Security Bulletin 6833888 (Business Automation Workflow traditional)
Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow

Source: CCN
Type: IBM Security Bulletin 6837325 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container may be vulnerable to HTTP request smuggling due to CVE-2022-32215

Source: CCN
Type: IBM Security Bulletin 6840765 (DataPower Gateway)
IBM DataPower Gateway potentially vulnerable to HTTP request smuggling

Source: CCN
Type: IBM Security Bulletin 6840919 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js

Source: CCN
Type: IBM Security Bulletin 6841799 (Planning Analytics Workspace)
IBM Planning Analytics Workspace is affected by vulnerabilities in Node.js and Spring Data MongoDB

Vulnerable Configuration:
Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*
Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*
Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:nodejs:node.js:14.0:*:*:*:*:*:*:*
  AND
  • cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:datapower_gateway:2018.4.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:19.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:20.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:datapower_gateway:10.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:20.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics_workspace:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:datapower_gateway:10.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:19.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:datapower_gateway:10.0.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:datapower_gateway:10.5.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:22.0.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:datapower_gateway:2018.4.1.22:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:datapower_gateway:10.0.1.9:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:datapower_gateway:10.5.0.2:*:*:*:*:*:*:*

  * Denotes that component is vulnerable
Oval Definitions
Definition ID                               Class  Title                                                                              Last Modified
oval:org.opensuse.security:def:636          P      Security update for nodejs16 (Important) (in QA)                                   2022-09-29
oval:com.redhat.rhsa:def:20226595           P      RHSA-2022:6595: nodejs and nodejs-nodemon security and bug fix update (Moderate)   2022-09-20
oval:org.opensuse.security:def:701          P      Security update for nodejs10 (Important)                                           2022-08-19
oval:org.opensuse.security:def:3777         P      Security update for nodejs16 (Important)                                           2022-07-21
oval:org.opensuse.security:def:95410        P      Security update for nodejs16 (Important)                                           2022-07-21
oval:org.opensuse.security:def:587          P      Security update for nodejs16 (Important)                                           2022-07-21
oval:org.opensuse.security:def:584          P      Security update for nodejs12 (Important)                                           2022-07-18
oval:org.opensuse.security:def:583          P      Security update for nodejs14 (Important)                                           2022-07-18