CVE-2018-12116
First published: Wed Nov 28 2018(Updated: )
Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.
Credit: cve-request@iojs.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nodejs | <8.14.0 | 8.14.0 |
| redhat/nodejs | <6.15.0 | 6.15.0 |
| Nodejs Node.js | >=6.0.0<=6.8.1 | |
| Nodejs Node.js | >=6.9.0<6.15.0 | |
| Nodejs Node.js | >=8.0.0<=8.8.1 | |
| Nodejs Node.js | >=8.9.0<8.14.0 | |
| Suse Suse Enterprise Storage | =4 | |
| SUSE SUSE Linux Enterprise Server | =12 | |
| SUSE SUSE Linux Enterprise Server | =15 | |
| Suse Suse Openstack Cloud | =7 | |
| Suse Suse Openstack Cloud | =8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2019:1821
- https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
- https://security.gentoo.org/glsa/202003-48
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1661000
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1660999
- https://github.com/nodejs/node/commit/513e9747a22
- https://github.com/nodejs/node/commit/b961d9fd83c
- https://access.redhat.com/security/cve/cve-2018-12116
- https://bugzilla.redhat.com/show_bug.cgi?id=1660998
Frequently Asked Questions
What is CVE-2018-12116?
CVE-2018-12116 is a vulnerability in Node.js that allows for HTTP request splitting.
How does CVE-2018-12116 affect Node.js?
CVE-2018-12116 affects all versions prior to Node.js 6.15.0 and 8.14.0.
What is the severity of CVE-2018-12116?
CVE-2018-12116 has a severity value of 7.5 (high).
How can I fix CVE-2018-12116?
To fix CVE-2018-12116, you need to update Node.js to version 6.15.0 or 8.14.0.
Where can I find more information about CVE-2018-12116?
You can find more information about CVE-2018-12116 on the following references: - Red Hat advisory: https://access.redhat.com/errata/RHSA-2019:1821 - Node.js blog: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ - Gentoo Security: https://security.gentoo.org/glsa/202003-48
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-12116
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/author
- agent/weakness
- agent/remedy
- agent/description
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/6.0.0
- version/nodejs node.js/6.8.1
- version/nodejs node.js/6.9.0
- version/nodejs node.js/8.0.0
- version/nodejs node.js/8.8.1
- version/nodejs node.js/8.9.0
- vendor/suse
- canonical/suse suse enterprise storage
- version/suse suse enterprise storage/4
- canonical/suse suse linux enterprise server
- version/suse suse linux enterprise server/12
- version/suse suse linux enterprise server/15
- canonical/suse suse openstack cloud
- version/suse suse openstack cloud/7
- version/suse suse openstack cloud/8