[FREEBSD:4CA5894C-F7F1-11EA-8FF8-0022489AD614] Node.js -- September 2020 Security Releases
Severity
High
Affected Packages
3
CVEs
3
Node.js reports:
Updates are now available for v10,x, v12.x and v14.x Node.js release lines for the following issues.
HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201)
Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.
Impacts:
All versions of the 14.x and 12.x releases line
Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical) (CVE-2020-8251)
Node.js is vulnerable to HTTP denial of service (DOS) attacks based on delayed requests submission which can make the server unable to accept new connections. The fix a new http.Server option called requestTimeout with a default value of 0 which means it is disabled by default. This should be set when Node.js is used as an edge server, for more details refer to the documentation.
Impacts:
All versions of the 14.x release line
fs.realpath.native on may cause buffer overflow (Medium) (CVE-2020-8252)
libuv's realpath implementation incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
Impacts:
All versions of the 10.x release line
All versions of the 12.x release line
All versions of the 14.x release line before 14.9.0
Package | Affected Version |
---|---|
pkg:freebsd/node12 | < 12.18.4 |
pkg:freebsd/node10 | < 10.22.1 |
pkg:freebsd/node | < 14.11.0 |
- ID
- FREEBSD:4CA5894C-F7F1-11EA-8FF8-0022489AD614
- Severity
- high
- Severity from
- CVE-2020-8252
- URL
- http://vuxml.freebsd.org/freebsd/4ca5894c-f7f1-11ea-8ff8-0022489ad614.html
- Published
-
2020-09-08T00:00:00
(4 years ago) - Modified
-
2020-09-16T00:00:00
(4 years ago) - Rights
- FreeBSD VuXML Security Team
- Other Advisories
-
- ALAS2-2021-1581
- ALPINE:CVE-2020-8201
- ALPINE:CVE-2020-8251
- ALPINE:CVE-2020-8252
- ALSA-2020:4272
- ALSA-2021:0548
- ELSA-2020-4272
- ELSA-2021-0548
- FEDORA-2020-43d5a372fc
- GLSA-202009-15
- GLSA-202101-07
- openSUSE-SU-2020:1616-1
- openSUSE-SU-2020:1660-1
- RHSA-2020:4272
- RHSA-2021:0548
- RLSA-2020:4272
- RLSA-2021:0548
- SUSE-SU-2020:2812-1
- SUSE-SU-2020:2813-1
- SUSE-SU-2020:2823-1
- SUSE-SU-2020:2829-1
- USN-4548-1
Source | # ID | Name | URL |
---|---|---|---|
FreeBSD VuXML | https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/ |
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |