CVE-2020-8287

Source
Severity: Low
Remote: No
Type: Url request injection
Description
Node.js release lines 15.x, 14.x, 12.x and 10.x allow two copies of a header field in an HTTP request, for example two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second, which can lead to HTTP Request Smuggling. The issue is fixed in Node.js versions 15.5.1, 14.15.4, 12.20.1 and 10.23.1.
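
The ambiguity described above, as an added example that is not code from Node.js, llhttp or this advisory: a check that rejects a request head carrying duplicate Transfer-Encoding headers and reports how a parser honouring the first copy and one honouring the last copy would each frame the body. It also covers Content-Length, which goes beyond the case in the text; the function names, the simplified framing model and the sample requests are assumptions constructed for illustration.

```javascript
// Added example, not Node.js or llhttp code. Simplified framing model.
const FRAMING = new Set(['transfer-encoding', 'content-length']);

// Parse a raw request head into [name, value] pairs, keeping duplicates.
function parseHeaderLines(rawHead) {
  const pairs = [];
  for (const line of rawHead.split('\r\n').slice(1)) { // skip request line
    if (line === '') break; // blank line ends the header section
    const idx = line.indexOf(':');
    if (idx <= 0) throw new Error('malformed header line');
    pairs.push([line.slice(0, idx).toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return pairs;
}

// Body framing as seen by a parser that honours the first or the last copy.
function framingView(pairs, pick) {
  const pickOne = (name) => {
    const vals = pairs.filter(([n]) => n === name).map(([, v]) => v);
    return pick === 'first' ? vals[0] : vals[vals.length - 1];
  };
  const te = pickOne('transfer-encoding');
  if (te !== undefined && /(^|,)\s*chunked\s*$/i.test(te)) return 'chunked';
  const cl = pickOne('content-length');
  return cl !== undefined ? `length:${cl}` : 'none';
}

// Verdict for a front-end check: reject any duplicated framing header.
function auditRequestHead(rawHead) {
  const pairs = parseHeaderLines(rawHead);
  const counts = new Map();
  for (const [name] of pairs) counts.set(name, (counts.get(name) || 0) + 1);
  const duplicated = [...counts.keys()].filter((n) => FRAMING.has(n) && counts.get(n) > 1);
  const first = framingView(pairs, 'first');
  const last = framingView(pairs, 'last');
  return { reject: duplicated.length > 0, duplicated, first, last, ambiguous: first !== last };
}

// Constructed sample request heads (hypothetical host and path).
const DUPLICATE_TE = ['POST /upload HTTP/1.1', 'Host: example.test',
  'Transfer-Encoding: chunked', 'Transfer-Encoding: identity', '', ''].join('\r\n');
const SINGLE_TE = ['POST /upload HTTP/1.1', 'Host: example.test',
  'Transfer-Encoding: chunked', '', ''].join('\r\n');

console.log(auditRequestHead(DUPLICATE_TE));
console.log(auditRequestHead(SINGLE_TE));
```
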

| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-1403 | nodejs-lts-dubnium | 10.23.0-2 | 10.23.1-1 | High | Fixed | |
| AVG-1402 | nodejs-lts-erbium | 12.20.0-2 | 12.20.1-1 | High | Fixed | |
| AVG-1401 | nodejs-lts-fermium | 14.15.3-2 | 14.15.4-1 | High | Fixed | |
| AVG-1400 | nodejs | 15.5.0-1 | 15.5.1-1 | High | Fixed | |

| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 12 Jan 2021 | ASA-202101-16 | AVG-1400 | nodejs | High | multiple issues |
| 12 Jan 2021 | ASA-202101-15 | AVG-1401 | nodejs-lts-fermium | High | multiple issues |
| 12 Jan 2021 | ASA-202101-14 | AVG-1402 | nodejs-lts-erbium | High | multiple issues |
| 12 Jan 2021 | ASA-202101-13 | AVG-1403 | nodejs-lts-dubnium | High | multiple issues |

References
https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs/m/7mjPCzY2BAAJ
https://hackerone.com/bugs?report_id=1002188&subject=nodejs
https://github.com/nodejs-private/llhttp-private/pull/3
https://github.com/nodejs/node/commit/e0c9a2285cfe18642d15d5ed9b7122755c6e66e0
https://github.com/nodejs/node/commit/c5dbe831b714b3a98c59ba2406b791fb27016d79
https://github.com/nodejs/node/commit/641f786bb1a1f6eb1ff8750782ed939780f2b31a
https://github.com/nodejs/node/commit/7ecac8143f0a91785ed0bd3b4d9aab5d98419b41
https://github.com/nodejs/node/commit/92d430917a63a567bb528100371263c46e50ee4a
https://github.com/nodejs/node/commit/4a30ac8c755d0701e773831ce22153b66bb36305
https://github.com/nodejs/node/commit/420244e4d9ca6de2612e7f503f5c87e448fbc14b
https://github.com/nodejs/node/commit/fc70ce08f5818a286fb5899a1bc3aff5965a745e
https://github.com/nodejs/node/commit/aa6b97fb99d7528649fadb4c6a894e078fe4323c