CVE-2020-8287

CVSS v3.1 6.5 (Medium)
CVSS v2.0 6.4 (Medium)
EPSS 0.81% (82nd percentile)
Affected Products 5
Advisories 34

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

Weaknesses
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE Status
PUBLISHED
CNA
HackerOne
Published Date
2021-01-06 21:15:14
(3 years ago)
Updated Date
2023-11-07 03:26:19
(10 months ago)

Affected Products


Configuration #1

  Product                                                            CPE23                                  From         Up To
  Nodejs Node.js, from version 10.0.0 and prior to version 10.23.1   cpe:2.3:a:nodejs:node.js::*:*:*:lts    >= 10.0.0    < 10.23.1
  Nodejs Node.js, from version 12.0.0 and prior to version 12.20.1   cpe:2.3:a:nodejs:node.js::*:*:*:lts    >= 12.0.0    < 12.20.1
  Nodejs Node.js, from version 14.0.0 and prior to version 14.15.4   cpe:2.3:a:nodejs:node.js::*:*:*:lts    >= 14.0.0    < 14.15.4
  Nodejs Node.js, from version 15.0.0 and prior to version 15.5.1    cpe:2.3:a:nodejs:node.js::*:*:*:-      >= 15.0.0    < 15.5.1

Configuration #2

  Product              CPE23                                From    Up To
  Debian Linux 10.0    cpe:2.3:o:debian:debian_linux:10.0

Configuration #3

  Product                    CPE23                                From    Up To
  Fedoraproject Fedora 32    cpe:2.3:o:fedoraproject:fedora:32
  Fedoraproject Fedora 33    cpe:2.3:o:fedoraproject:fedora:33

Configuration #4

  Product                  CPE23                                               From    Up To
  Oracle Graalvm 19.3.4    cpe:2.3:a:oracle:graalvm:19.3.4:*:*:*:enterprise
  Oracle Graalvm 20.3.0    cpe:2.3:a:oracle:graalvm:20.3.0:*:*:*:enterprise

Configuration #5

  Product                                                                    CPE23                                                       From    Up To
  Siemens Sinec Infrastructure Network Services, prior to version 1.0.1.1    cpe:2.3:a:siemens:sinec_infrastructure_network_services             < 1.0.1.1