vulnerability
Oracle Linux: CVE-2023-30589: ELSA-2023-4536: nodejs:18 security, bug fix, and enhancement update (MODERATE) (Multiple Advisories)
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
8 | (AV:N/AC:L/Au:N/C:N/I:C/A:N) | Jun 20, 2023 | Aug 2, 2023 | Jan 8, 2025 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:N/I:C/A:N)
Published
Jun 20, 2023
Added
Aug 2, 2023
Modified
Jan 8, 2025
Description
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20
A vulnerability has been identified in the Node.js, where llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20
A vulnerability has been identified in the Node.js, where llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
Solution(s)
oracle-linux-upgrade-graalvm-community-17-espressooracle-linux-upgrade-graalvm-community-17-espresso-llvmoracle-linux-upgrade-graalvm-community-17-icu4joracle-linux-upgrade-graalvm-community-17-javascriptoracle-linux-upgrade-graalvm-community-17-jdkoracle-linux-upgrade-graalvm-community-17-libpolyglotoracle-linux-upgrade-graalvm-community-17-llvmoracle-linux-upgrade-graalvm-community-17-llvm-toolchainoracle-linux-upgrade-graalvm-community-17-native-imageoracle-linux-upgrade-graalvm-community-17-native-image-llvm-backendoracle-linux-upgrade-graalvm-community-17-nodejsoracle-linux-upgrade-graalvm-community-17-nodejs-develoracle-linux-upgrade-graalvm-community-17-polyglotoracle-linux-upgrade-graalvm-community-17-pythonoracle-linux-upgrade-graalvm-community-17-python-develoracle-linux-upgrade-graalvm-community-17-regexoracle-linux-upgrade-graalvm-community-17-rubyoracle-linux-upgrade-graalvm-community-17-ruby-develoracle-linux-upgrade-graalvm-community-17-toolsoracle-linux-upgrade-graalvm-community-17-wasmoracle-linux-upgrade-graalvm-community-21-jdkoracle-linux-upgrade-graalvm-community-21-native-imageoracle-linux-upgrade-nodejsoracle-linux-upgrade-nodejs-develoracle-linux-upgrade-nodejs-docsoracle-linux-upgrade-nodejs-full-i18noracle-linux-upgrade-nodejs-libsoracle-linux-upgrade-nodejs-nodemonoracle-linux-upgrade-nodejs-packagingoracle-linux-upgrade-nodejs-packaging-bundleroracle-linux-upgrade-npm
References
- CVE-2023-30589
- https://attackerkb.com/topics/CVE-2023-30589
- ELSA-ELSA-2023-4536
- ELSA-ELSA-2023-4537
- ELSA-ELSA-2023-12935
- ELSA-ELSA-2023-4331
- ELSA-ELSA-2023-12944
- ELSA-ELSA-2023-4330
- ELSA-ELSA-2023-12938
- ELSA-ELSA-2023-12943
- ELSA-ELSA-2023-12933
- ELSA-ELSA-2023-12939
- ELSA-ELSA-2023-12934
- ELSA-ELSA-2023-12941
- ELSA-ELSA-2023-12936
- ELSA-ELSA-2023-12942
- ELSA-ELSA-2023-12937
- ELSA-ELSA-2023-12940

NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.