Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-8201

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.

Published

2020-09-18T21:15:12.903

Last Modified

2024-11-21T05:38:29.563

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.4 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

4.9

Weaknesses

Type: Secondary
CWE-444
Type: Primary
CWE-444

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nodejs	node.js	< 12.18.4	Yes
Application	nodejs	node.js	< 14.11.0	Yes
Operating System	opensuse	leap	15.2	Yes
Operating System	fedoraproject	fedora	33	Yes

References

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html Third Party Advisory ([email protected])
https://hackerone.com/reports/922597 Permissions Required ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/ ([email protected])
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/ Vendor Advisory ([email protected])
https://security.gentoo.org/glsa/202101-07 Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20201009-0004/ Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/922597 Permissions Required (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/ (af854a3a-2127-422b-91ae-364da2661108)
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/ Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202101-07 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20201009-0004/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)