IronMonkey Threat Research

CVE-2020-8201 HIGH

Published: 2020-09-18 | Last Modified: 2024-11-21 | Status: Modified

Description

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in the processing of carriage-return symbols in HTTP header names.

Additional Descriptions (1)

Node.js versions before 12.18.4 and versions before 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in the processing of carriage-return symbols in HTTP header names.

CVSS Metrics

Base Score: 7.4 (HIGH)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

Source: [email protected]

Type: Primary

Exploitability Score: 2.2

Impact Score: 5.2

Base Score: 5.8 (MEDIUM)

AV:N/AC:M/Au:N/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Source: [email protected]

Type: Primary

Exploitability Score: 8.6

Impact Score: 4.9

Weaknesses

Source Type Description
[email protected] Secondary CWE-444 (en)
[email protected] Primary CWE-444 (en)

Affected Products

Vendor Product Version Type
nodejs node.js * Application
nodejs node.js * Application
opensuse leap 15.2 Operating System
fedoraproject fedora 33 Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
Yes cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*