CVE-2020-8201

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

History

07 Nov 2023, 03:26

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/', 'name': 'FEDORA-2020-43d5a372fc', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/ -

24 May 2022, 17:24

Type Values Removed Values Added
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/ - Mailing List, Third Party Advisory
References (GENTOO) https://security.gentoo.org/glsa/202101-07 - (GENTOO) https://security.gentoo.org/glsa/202101-07 - Third Party Advisory
References (CONFIRM) https://security.netapp.com/advisory/ntap-20201009-0004/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20201009-0004/ - Third Party Advisory
First Time Fedoraproject
Fedoraproject fedora
CPE cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

11 Jan 2021, 11:15

Type Values Removed Values Added
References
  • (GENTOO) https://security.gentoo.org/glsa/202101-07 -

Information

Published : 2020-09-18 21:15

Updated : 2023-12-10 13:41


NVD link : CVE-2020-8201

Mitre link : CVE-2020-8201

CVE.ORG link : CVE-2020-8201


JSON object : View

Products Affected

opensuse

  • leap

fedoraproject

  • fedora

nodejs

  • node.js
CWE
CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')