CVE-2020-8287

Severity: Low
Remote: No
Type: URL request injection
The Node.js release lines 15.x, 14.x, 12.x and 10.x allow two copies of a header field in an HTTP request, for example two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second, which can lead to HTTP Request Smuggling. The issue is fixed in Node.js versions 15.5.1, 14.15.4, 12.20.1 and 10.23.1.
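A check for the ambiguity described above, as an added example that is not part of the advisory or of Node.js: it flags request heads that repeat a framing header, and goes slightly beyond the text by also covering Content-Length and the Transfer-Encoding/Content-Length combination. The function name `findFramingAmbiguities`, the sample requests and the host `app.example` are constructed for illustration.

```javascript
// Headers that decide where a request body ends; two parsers must read them
// identically or they will disagree on request boundaries.
const FRAMING_HEADERS = ['transfer-encoding', 'content-length'];

// Inspect the head of a raw HTTP/1.1 request (request line + header fields)
// and return a list of framing ambiguities found in it.
function findFramingAmbiguities(rawHead) {
  const headEnd = rawHead.indexOf('\r\n\r\n');
  const head = headEnd === -1 ? rawHead : rawHead.slice(0, headEnd);
  const lines = head.split('\r\n').slice(1); // drop the request line
  const seen = new Map(); // lower-cased field name -> values in order seen
  const findings = [];
  for (const line of lines) {
    const colon = line.indexOf(':');
    if (colon <= 0) {
      findings.push(`malformed header line: ${JSON.stringify(line)}`);
      continue;
    }
    const rawName = line.slice(0, colon);
    const name = rawName.trim().toLowerCase(); // field names are case-insensitive
    if (rawName !== rawName.trim()) findings.push(`whitespace around field name: ${name}`);
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(line.slice(colon + 1).trim());
  }
  for (const name of FRAMING_HEADERS) {
    const values = seen.get(name) || [];
    if (values.length > 1) findings.push(`duplicate ${name}: ${values.join(' | ')}`);
  }
  if (seen.has('transfer-encoding') && seen.has('content-length')) {
    findings.push('both transfer-encoding and content-length present');
  }
  return findings;
}

// Constructed sample request heads (not captured traffic).
const DUPLICATE_TE = ['POST /upload HTTP/1.1', 'Host: app.example',
  'Transfer-Encoding: chunked', 'Transfer-Encoding: identity', '', ''].join('\r\n');
const MIXED = ['POST /upload HTTP/1.1', 'Host: app.example',
  'transfer-ENCODING: chunked', 'Content-Length: 5', '', ''].join('\r\n');
const CLEAN = ['GET / HTTP/1.1', 'Host: app.example', 'Content-Length: 0', '', ''].join('\r\n');

for (const [label, head] of [['duplicate TE', DUPLICATE_TE], ['mixed', MIXED], ['clean', CLEAN]]) {
  console.log(label, findFramingAmbiguities(head));
}
```

A request that produces any finding is best rejected or logged at the front end rather than forwarded, since the back end may resolve the ambiguity differently.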
Group     Package             Affected   Fixed      Severity  Status  Ticket
AVG-1403  nodejs-lts-dubnium  10.23.0-2  10.23.1-1  High      Fixed
AVG-1402  nodejs-lts-erbium   12.20.0-2  12.20.1-1  High      Fixed
AVG-1401  nodejs-lts-fermium  14.15.3-2  14.15.4-1  High      Fixed
AVG-1400  nodejs              15.5.0-1   15.5.1-1   High      Fixed
Date         Advisory       Group     Package             Severity  Type
12 Jan 2021  ASA-202101-16  AVG-1400  nodejs              High      multiple issues
12 Jan 2021  ASA-202101-15  AVG-1401  nodejs-lts-fermium  High      multiple issues
12 Jan 2021  ASA-202101-14  AVG-1402  nodejs-lts-erbium   High      multiple issues
12 Jan 2021  ASA-202101-13  AVG-1403  nodejs-lts-dubnium  High      multiple issues