Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2020-8287

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

Related bugs and status

CVE-2020-8287 (Candidate) is related to these bugs:

Bug #1990655: MIR: libgit2, http-parser

Summary				In	Importance	Status
	1990655	MIR: libgit2, http-parser		http-parser (Ubuntu)	High	Fix Released
	1990655	MIR: libgit2, http-parser		libgit2 (Ubuntu)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: https://hackerone.com/...
MISC: https://nodejs.org/en/...
DEBIAN: DSA-4826
FEDORA: FEDORA-2021-fb1a136393
GENTOO: GLSA-202101-07
FEDORA: FEDORA-2021-d5b2c18fe6
MISC: https://www.oracle.com...
CONFIRM: https://security.netap...
CONFIRM: https://cert-portal.si...
MLIST: [debian-lts-announce] ...