CVE-2020-8201
Description
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.
Risk Information
Base Score
7.4
MODERATE
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score
Exploitation Probability
0.258
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2020-8201,CVE-2020-8251,CVE-2020-8252 are fixed in Node.js 12 (x64) (12.18.4) | Windows |
| Vulnerabilities CVE-2020-8201,CVE-2020-8251,CVE-2020-8252 are fixed in Node.js 12 (12.18.4) | Windows |
| Vulnerabilities CVE-2020-8201,CVE-2020-8251,CVE-2020-8252 are fixed in Node.js 14 (14.21.3) | Windows |
| Vulnerabilities CVE-2020-8201,CVE-2020-8251,CVE-2020-8252 are fixed in Node.js 14 (x64) (14.21.3) | Windows |
| Vulnerabilities CVE-2020-8201,CVE-2020-8251,CVE-2020-8252 are fixed in Node.js 10 (x64) (10.22.1) | Windows |
| Vulnerabilities CVE-2020-8201,CVE-2020-8251,CVE-2020-8252 are fixed in Node.js 10 (10.22.1) | Windows |
| Vulnerabilities CVE-2020-8201,CVE-2020-8251,CVE-2020-8252 are fixed in Node.js 10 (x64) (10.24.1) | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 20.0 | Windows |
| (RHSA-2020:4272) nodejs:12 security and bug fix update nodejs-12.18.4-2.module+el8.2.0+8361+192e434e.x86_64.rpm | Linux |
| (RHSA-2020:4272) nodejs:12 security and bug fix update nodejs-debugsource-12.18.4-2.module+el8.2.0+8361+192e434e.x86_64.rpm | Linux |
| (RHSA-2020:4272) nodejs:12 security and bug fix update nodejs-devel-12.18.4-2.module+el8.2.0+8361+192e434e.x86_64.rpm | Linux |
| (RHSA-2020:4272) nodejs:12 security and bug fix update nodejs-docs-12.18.4-2.module+el8.2.0+8361+192e434e.noarch.rpm | Linux |
| (RHSA-2020:4272) nodejs:12 security and bug fix update nodejs-full-i18n-12.18.4-2.module+el8.2.0+8361+192e434e.x86_64.rpm | Linux |
| (RHSA-2020:4272) nodejs:12 security and bug fix update npm-6.14.6-1.12.18.4.2.module+el8.2.0+8361+192e434e.x86_64.rpm | Linux |
Patch Details
Click to see the patches provided by ManageEngine for this CVE
| Patch ID | Patch Description |
|---|---|
| PATCH-324371 | Node.js 12 (x64) (12.22.12) |
| PATCH-324370 | Node.js 12 (12.22.12) |
| PATCH-329082 | Node.js 14 (14.21.3) |
| PATCH-329083 | Node.js 14 (x64) (14.21.3) |
| PATCH-319043 | Node.js 10 (x64) (10.24.1) |
| PATCH-319042 | Node.js 10 (10.24.1) |
| PATCH-319043 | Node.js 10 (x64) (10.24.1) |
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234