CVE-2020-8287: XSS
First published: Mon Jan 04 2021(Updated: )
A flaw was found in nodejs. Affected versions of Node.js allow two copies of a header field in an HTTP request. The first header field is recognized while the second is ignored leading to HTTP request smuggling. The highest threat from this vulnerability is to data confidentiality and integrity.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-nodejs14-nodejs | <0:14.15.4-2.el7 | 0:14.15.4-2.el7 |
| redhat/rh-nodejs12-nodejs | <0:12.20.1-1.el7 | 0:12.20.1-1.el7 |
| redhat/rh-nodejs12-nodejs-nodemon | <0:2.0.3-1.el7 | 0:2.0.3-1.el7 |
| redhat/rh-nodejs10-nodejs | <0:10.23.1-2.el7 | 0:10.23.1-2.el7 |
| Nodejs Node.js | >=10.0.0<10.23.1 | |
| Nodejs Node.js | >=12.0.0<12.20.1 | |
| Nodejs Node.js | >=14.0.0<14.15.4 | |
| Nodejs Node.js | >=15.0.0<15.5.1 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Oracle GraalVM | =19.3.4 | |
| Oracle GraalVM | =20.3.0 | |
| Siemens Sinec Infrastructure Network Services | <1.0.1.1 | |
| IBM Cloud Pak for Security (CP4S) | <=1.6.0.1 | |
| IBM Cloud Pak for Security (CP4S) | <=1.6.0.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.5.0.1 | |
| IBM Cloud Pak for Security (CP4S) | <=1.5.0.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.4.0.0 | |
| redhat/node | <10.23.1 | 10.23.1 |
| redhat/node | <12.20.1 | 12.20.1 |
| redhat/node | <14.15.4 | 14.15.4 |
| redhat/node | <15.5.1 | 15.5.1 |
| ubuntu/http-parser | <2.7.1-2ubuntu0.1 | 2.7.1-2ubuntu0.1 |
| ubuntu/nodejs | <8.10.0~dfsg-2ubuntu0.4+ | 8.10.0~dfsg-2ubuntu0.4+ |
| ubuntu/nodejs | <10.19.0~dfsg-3ubuntu1.1 | 10.19.0~dfsg-3ubuntu1.1 |
| ubuntu/nodejs | <4.2.6~dfsg-1ubuntu4.2+ | 4.2.6~dfsg-1ubuntu4.2+ |
| debian/http-parser | <=2.8.1-1+deb10u2 | 2.8.1-1+deb10u3 2.9.4-4+deb11u1 2.9.4-5 2.9.4-6 |
| debian/nodejs | 10.24.0~dfsg-1~deb10u1 10.24.0~dfsg-1~deb10u4 12.22.12~dfsg-1~deb11u4 18.13.0+dfsg1-1 18.19.0+dfsg-6~deb12u1 18.20.1+dfsg-4 20.13.1+dfsg-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-8287 https://nvd.nist.gov/vuln/detail/CVE-2020-8287
- https://bugzilla.redhat.com/show_bug.cgi?id=1912863
- https://access.redhat.com/errata/RHSA-2021:0548
- https://access.redhat.com/errata/RHSA-2021:0549
- https://access.redhat.com/errata/RHSA-2021:0551
- https://access.redhat.com/errata/RHSA-2021:0421
- https://access.redhat.com/errata/RHSA-2021:0485
- https://access.redhat.com/errata/RHSA-2021:0521
- https://access.redhat.com/security/cve/cve-2020-8287
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://hackerone.com/reports/1002188
- https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/
- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
- https://security.gentoo.org/glsa/202101-07
- https://security.netapp.com/advisory/ntap-20210212-0003/
- https://www.debian.org/security/2021/dsa-4826
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/194100
- https://www.ibm.com/support/pages/node/6453115 (Advisory)
- https://launchpad.net/bugs/cve/CVE-2020-8287
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1912865
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1912864
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1912866
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1912867
- https://github.com/nodejs/node/commit/641f786bb1a1f6eb1ff8750782ed939780f2b31a
- https://github.com/nodejs/node/commit/fc70ce08f5818a286fb5899a1bc3aff5965a745e
- https://nodejs.org/en/blog/release/v10.23.1/
- https://github.com/nodejs/http-parser/pull/530/
- https://security-tracker.debian.org/tracker/CVE-2020-8287
- https://github.com/nodejs/node/commit/fc70ce08f5818a286fb5899a1bc3aff5965a745e (v10.23.1)
- https://ubuntu.com/security/notices/USN-5563-1
- https://ubuntu.com/security/notices/USN-6380-1
- https://www.cve.org/CVERecord?id=CVE-2020-8287
- https://nvd.nist.gov/vuln/detail/CVE-2020-8287
- https://ubuntu.com/security/CVE-2020-8287
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this Node.js vulnerability?
The vulnerability ID for this Node.js vulnerability is CVE-2020-8287.
What is the severity of CVE-2020-8287?
The severity of CVE-2020-8287 is medium.
How does CVE-2020-8287 affect Node.js?
CVE-2020-8287 allows two copies of a header field in an HTTP request, leading to HTTP request smuggling and posing a threat to data confidentiality and integrity.
Which versions of Node.js are affected by CVE-2020-8287?
Node.js versions before 10.23.1, 12.20.1, 14.15.4, and 15.5.1 are affected by CVE-2020-8287.
How can I fix CVE-2020-8287?
To fix CVE-2020-8287, upgrade to Node.js versions 10.23.1, 12.20.1, 14.15.4, or 15.5.1.
- collector/redhat-cve
- collector/nvd-index
- collector/ibm-support
- agent/type
- agent/remedy
- agent/last-modified-date
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-8287
- agent/event
- agent/severity
- agent/tags
- agent/description
- agent/weakness
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/10.0.0
- version/nodejs node.js/12.0.0
- version/nodejs node.js/14.0.0
- version/nodejs node.js/15.0.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- vendor/oracle
- canonical/oracle graalvm
- version/oracle graalvm/19.3.4
- version/oracle graalvm/20.3.0
- vendor/siemens
- canonical/siemens sinec infrastructure network services
- vendor/ibm
- canonical/ibm cloud pak for security (cp4s)
- version/ibm cloud pak for security (cp4s)/1.6.0.1
- version/ibm cloud pak for security (cp4s)/1.6.0.0
- version/ibm cloud pak for security (cp4s)/1.5.0.1
- version/ibm cloud pak for security (cp4s)/1.5.0.0
- version/ibm cloud pak for security (cp4s)/1.4.0.0
- package-manager/debian
- package-manager/ubuntu