| Title | CVE-2021-22959, CVE-2021-22960 in Node.JS |
|---|
| Description | HTTP Request Smuggling due to space in headers (Medium)(CVE-2021-22959)
The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). More details will be available at CVE-2021-22959 after publication.
The fix for this is included in llhttp v2.1.4 and v6.0.6.
Thanks to Mattias Grenfeldt (https://grenfeldt.dev/) and Asta Olofsson for reporting this vulnerability.
Impacts:
All versions of the 16.x, 14.x, and 12.x release lines.
HTTP Request Smuggling when parsing the body (Medium)(CVE-2021-22960)
The parser ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. More details will be available at CVE-2021-22960 after publication.
The fix for this is included in llhttp v2.1.4 and v6.0.6.
Thanks to Mattias Grenfeldt (https://grenfeldt.dev/) and Asta Olofsson for reporting this vulnerability.
Impacts:
All versions of the 16.x, 14.x, and 12.x release lines.
|
|---|
| Source | ⚠️ https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/ |
|---|
| User | CSieberg (UID 13359) |
|---|
| Submission | 14/10/2021 11:42 AM (5 years ago) |
|---|
| Moderation | 14/10/2021 11:47 AM (5 minutes later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 184405 [Node.js up to 12.22.6/14.18.0/16.11.0 llhttp privilege escalation] |
|---|
| Points | 20 |
|---|