CVE-2021-22960 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Url request injection
Description	A security issue has been found in Node.js before versions 16.11.1, 14.18.1 and 12.22.7. The parser ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2460	nodejs	16.11.0-1	16.11.1-1	Medium	Fixed
AVG-2285	nodejs-lts-erbium	12.22.4-2	12.22.7-1	High	Fixed	FS#72412
AVG-2284	nodejs-lts-fermium	14.17.4-1	14.18.1-1	High	Fixed	FS#72413

Date	Advisory	Group	Package	Severity	Type
21 Oct 2021	ASA-202110-6	AVG-2285	nodejs-lts-erbium	High	multiple issues
21 Oct 2021	ASA-202110-5	AVG-2284	nodejs-lts-fermium	High	multiple issues
21 Oct 2021	ASA-202110-4	AVG-2460	nodejs	Medium	url request injection

References
https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/#http-request-smuggling-when-parsing-the-body-medium-cve-2021-22960 https://hackerone.com/reports/1238099 https://hackerone.com/reports/1238709 https://github.com/nodejs/node/commit/af488f8dc82d69847992ea1cd2f53dc8082b3b91 https://github.com/nodejs/node/commit/8c254ca7e4693fb778d808fa835b095de6c9fdd4 https://github.com/nodejs/node/commit/21a2e554e3eaa325abbdb28f366928d0ccc0a0f0

References

https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/#http-request-smuggling-when-parsing-the-body-medium-cve-2021-22960
https://hackerone.com/reports/1238099
https://hackerone.com/reports/1238709
https://github.com/nodejs/node/commit/af488f8dc82d69847992ea1cd2f53dc8082b3b91
https://github.com/nodejs/node/commit/8c254ca7e4693fb778d808fa835b095de6c9fdd4
https://github.com/nodejs/node/commit/21a2e554e3eaa325abbdb28f366928d0ccc0a0f0