CVE-2018-12116
First published: Wed Nov 28 2018(Updated: )
A flaw was found in Node.js before 6.15.0 and 8.14.0. An HTTP request splitting. If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server. References: <a href="https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/">https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/</a>
Credit: cve-request@iojs.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nodejs | <8.14.0 | 8.14.0 |
| redhat/nodejs | <6.15.0 | 6.15.0 |
| F5 BIG-IP | >=17.1.0<=17.1.2 | |
| F5 BIG-IP | >=16.1.0<=16.1.5 | |
| F5 BIG-IP | >=15.1.0<=15.1.10 | |
| F5 BIG-IP | >=14.1.0<=14.1.5 | |
| F5 BIG-IP | >=13.1.0<=13.1.5 | |
| F5 BIG-IQ Centralized Management | >=8.0.0<=8.3.0 | |
| Node.js | >=6.0.0<=6.8.1 | |
| Node.js | >=6.9.0<6.15.0 | |
| Node.js | >=8.0.0<=8.8.1 | |
| Node.js | >=8.9.0<8.14.0 | |
| Suse Suse Enterprise Storage | =4 | |
| SUSE Linux Enterprise Server | =12 | |
| SUSE Linux Enterprise Server | =15 | |
| Suse Suse Openstack Cloud | =7 | |
| Suse Suse Openstack Cloud | =8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1661000
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1660999
- https://github.com/nodejs/node/commit/513e9747a22
- https://github.com/nodejs/node/commit/b961d9fd83c
- https://access.redhat.com/errata/RHSA-2019:1821
- https://access.redhat.com/security/cve/cve-2018-12116
- https://bugzilla.redhat.com/show_bug.cgi?id=1660998
- https://security.gentoo.org/glsa/202003-48
- https://my.f5.com/manage/s/article/K000137093
Frequently Asked Questions
What is CVE-2018-12116?
CVE-2018-12116 is a vulnerability in Node.js that allows for HTTP request splitting.
How does CVE-2018-12116 affect Node.js?
CVE-2018-12116 affects all versions prior to Node.js 6.15.0 and 8.14.0.
What is the severity of CVE-2018-12116?
CVE-2018-12116 has a severity value of 7.5 (high).
How can I fix CVE-2018-12116?
To fix CVE-2018-12116, you need to update Node.js to version 6.15.0 or 8.14.0.
Where can I find more information about CVE-2018-12116?
You can find more information about CVE-2018-12116 on the following references: - Red Hat advisory: https://access.redhat.com/errata/RHSA-2019:1821 - Node.js blog: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ - Gentoo Security: https://security.gentoo.org/glsa/202003-48
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-12116
- agent/software-canonical-lookup
- agent/author
- agent/weakness
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- collector/f5-advisory
- source/F5
- alias/CVE-2018-7167
- alias/CVE-2018-12115
- agent/severity
- agent/references
- agent/last-modified-date
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/f5
- canonical/f5 big-ip
- version/f5 big-ip/17.1.0
- version/f5 big-ip/17.1.2
- version/f5 big-ip/16.1.0
- version/f5 big-ip/16.1.5
- version/f5 big-ip/15.1.0
- version/f5 big-ip/15.1.10
- version/f5 big-ip/14.1.0
- version/f5 big-ip/14.1.5
- version/f5 big-ip/13.1.0
- version/f5 big-ip/13.1.5
- canonical/f5 big-iq centralized management
- version/f5 big-iq centralized management/8.0.0
- version/f5 big-iq centralized management/8.3.0
- vendor/nodejs
- canonical/node.js
- version/node.js/6.0.0
- version/node.js/6.8.1
- version/node.js/6.9.0
- version/node.js/8.0.0
- version/node.js/8.8.1
- version/node.js/8.9.0
- vendor/suse
- canonical/suse suse enterprise storage
- version/suse suse enterprise storage/4
- canonical/suse linux enterprise server
- version/suse linux enterprise server/12
- version/suse linux enterprise server/15
- canonical/suse suse openstack cloud
- version/suse suse openstack cloud/7
- version/suse suse openstack cloud/8