CVE-2020-8287 - log

CVE-2020-8287 edited at 04 Jan 2021 23:53:03
References
https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs/m/7mjPCzY2BAAJ
https://hackerone.com/bugs?report_id=1002188&subject=nodejs
https://github.com/nodejs-private/llhttp-private/pull/3
- https://github.com/nodejs-private/node-private/pull/228
https://github.com/nodejs/node/commit/e0c9a2285cfe18642d15d5ed9b7122755c6e66e0
https://github.com/nodejs/node/commit/c5dbe831b714b3a98c59ba2406b791fb27016d79
+ https://github.com/nodejs/node/commit/641f786bb1a1f6eb1ff8750782ed939780f2b31a
+ https://github.com/nodejs/node/commit/7ecac8143f0a91785ed0bd3b4d9aab5d98419b41
+ https://github.com/nodejs/node/commit/92d430917a63a567bb528100371263c46e50ee4a
+ https://github.com/nodejs/node/commit/4a30ac8c755d0701e773831ce22153b66bb36305
+ https://github.com/nodejs/node/commit/420244e4d9ca6de2612e7f503f5c87e448fbc14b
+ https://github.com/nodejs/node/commit/fc70ce08f5818a286fb5899a1bc3aff5965a745e
+ https://github.com/nodejs/node/commit/aa6b97fb99d7528649fadb4c6a894e078fe4323c
CVE-2020-8287 edited at 04 Jan 2021 23:31:53
Severity
- Medium
+ Low
References
https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs/m/7mjPCzY2BAAJ
+ https://hackerone.com/bugs?report_id=1002188&subject=nodejs
+ https://github.com/nodejs-private/llhttp-private/pull/3
+ https://github.com/nodejs-private/node-private/pull/228
+ https://github.com/nodejs/node/commit/e0c9a2285cfe18642d15d5ed9b7122755c6e66e0
+ https://github.com/nodejs/node/commit/c5dbe831b714b3a98c59ba2406b791fb27016d79
CVE-2020-8287 edited at 04 Jan 2021 23:26:13
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Local
Type
- Unknown
+ Url request injection
Description
+ The nodejs release lines 15.x, 14.x, 12.x and 10.x allow two copies of a header field in an HTTP request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling. The issue is fixed in nodejs versions 15.5.1, 14.15.4, 12.20.1 and 10.23.1.
References
+ https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs/m/7mjPCzY2BAAJ
Notes
CVE-2020-8287 created at 04 Jan 2021 23:18:41