CVE-2021-22959
Description
The llhttp parser (llhttp < v2.1.4 and < v6.0.6) accepts requests with a space (SP) right after the header name, before the colon. Because a front-end proxy and the back-end parser can then disagree on where a header ends, this can lead to HTTP Request Smuggling (HRS).
Risk Information
| Metric | Value |
|---|---|
| Base Score | 6.5 (MODERATE) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| EPSS Score (Exploitation Probability) | 0.212 |
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2021-22959,CVE-2021-22960 are fixed in Node.js 12 (x64) (12.22.7) | Windows |
| Vulnerabilities CVE-2021-22959,CVE-2021-22960 are fixed in Node.js 12 (12.22.7) | Windows |
| Vulnerabilities CVE-2021-22959,CVE-2021-22960 are fixed in Node.js 14 (x64) (14.18.1) | Windows |
| Vulnerabilities CVE-2021-22959,CVE-2021-22960 are fixed in Node.js 14 (14.18.1) | Windows |
| Vulnerabilities CVE-2021-22959,CVE-2021-22960 are fixed in Node.js 16 (x64) (16.11.1) | Windows |
| Vulnerabilities CVE-2021-22959,CVE-2021-22960 are fixed in Node.js 16 (16.11.1) | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 20.0.0.2 | Windows |
| Multiple vulnerabilities are affected in Oracle GraalVM Enterprise Edition 20.3.4 | Windows |
| Multiple vulnerabilities are affected in Oracle GraalVM Enterprise Edition 21.3.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Controller 11.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 18.0.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 19.0.0.3 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 21.0.3 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.2 | Windows |
| (RHSA-2021:5171) nodejs:16 security, bug fix, and enhancement update nodejs-16.13.1-3.module+el8.5.0+13548+45d748af.x86_64.rpm | Linux |
| (RHSA-2021:5171) nodejs:16 security, bug fix, and enhancement update nodejs-debugsource-16.13.1-3.module+el8.5.0+13548+45d748af.x86_64.rpm | Linux |
| (RHSA-2021:5171) nodejs:16 security, bug fix, and enhancement update nodejs-devel-16.13.1-3.module+el8.5.0+13548+45d748af.x86_64.rpm | Linux |
| (RHSA-2021:5171) nodejs:16 security, bug fix, and enhancement update nodejs-docs-16.13.1-3.module+el8.5.0+13548+45d748af.noarch.rpm | Linux |
| (RHSA-2021:5171) nodejs:16 security, bug fix, and enhancement update nodejs-full-i18n-16.13.1-3.module+el8.5.0+13548+45d748af.x86_64.rpm | Linux |
| (RHSA-2021:5171) nodejs:16 security, bug fix, and enhancement update nodejs-nodemon-2.0.15-1.module+el8.5.0+13548+45d748af.noarch.rpm | Linux |
| (RHSA-2021:5171) nodejs:16 security, bug fix, and enhancement update nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.noarch.rpm | Linux |
| (RHSA-2021:5171) nodejs:16 security, bug fix, and enhancement update npm-8.1.2-1.16.13.1.3.module+el8.5.0+13548+45d748af.x86_64.rpm | Linux |
| Nodejs update (ELSA-2021-5171) nodejs-16.13.1-3.0.1.module+el8.5.0+20457+52828f44.x86_64.rpm | Linux |
| Nodejs-devel update (ELSA-2021-5171) nodejs-devel-16.13.1-3.0.1.module+el8.5.0+20457+52828f44.x86_64.rpm | Linux |
| Nodejs-docs update (ELSA-2021-5171) nodejs-docs-16.13.1-3.0.1.module+el8.5.0+20457+52828f44.noarch.rpm | Linux |
| Nodejs-full-i18n update (ELSA-2021-5171) nodejs-full-i18n-16.13.1-3.0.1.module+el8.5.0+20457+52828f44.x86_64.rpm | Linux |
| Nodejs-nodemon update (ELSA-2021-5171) nodejs-nodemon-2.0.15-1.module+el8.5.0+20457+52828f44.noarch.rpm | Linux |
| Nodejs-packaging update (ELSA-2021-5171) nodejs-packaging-25-1.module+el8.5.0+20388+4b61e68d.noarch.rpm | Linux |
| Npm update (ELSA-2021-5171) npm-8.1.2-1.16.13.1.3.0.1.module+el8.5.0+20457+52828f44.x86_64.rpm | Linux |
| Nodejs update (ELSA-2022-0350) nodejs-14.18.2-2.module+el8.5.0+20489+261d51d3.x86_64.rpm | Linux |
| Nodejs-devel update (ELSA-2022-0350) nodejs-devel-14.18.2-2.module+el8.5.0+20489+261d51d3.x86_64.rpm | Linux |
| Nodejs-docs update (ELSA-2022-0350) nodejs-docs-14.18.2-2.module+el8.5.0+20489+261d51d3.noarch.rpm | Linux |
| Nodejs-full-i18n update (ELSA-2022-0350) nodejs-full-i18n-14.18.2-2.module+el8.5.0+20489+261d51d3.x86_64.rpm | Linux |
| Nodejs-nodemon update (ELSA-2022-0350) nodejs-nodemon-2.0.15-1.module+el8.5.0+20489+261d51d3.noarch.rpm | Linux |
| Nodejs-packaging update (ELSA-2022-0350) nodejs-packaging-23-3.module+el8.3.0+7818+6cd30d85.noarch.rpm | Linux |
| Npm update (ELSA-2022-0350) npm-6.14.15-1.14.18.2.2.module+el8.5.0+20489+261d51d3.x86_64.rpm | Linux |
| (RHSA-2022:0350) nodejs:14 security, bug fix, and enhancement update nodejs-14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64.rpm | Linux |
| (RHSA-2022:0350) nodejs:14 security, bug fix, and enhancement update nodejs-debugsource-14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64.rpm | Linux |
| (RHSA-2022:0350) nodejs:14 security, bug fix, and enhancement update nodejs-devel-14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64.rpm | Linux |
| (RHSA-2022:0350) nodejs:14 security, bug fix, and enhancement update nodejs-docs-14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch.rpm | Linux |
| (RHSA-2022:0350) nodejs:14 security, bug fix, and enhancement update nodejs-full-i18n-14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64.rpm | Linux |
| (RHSA-2022:0350) nodejs:14 security, bug fix, and enhancement update nodejs-nodemon-2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch.rpm | Linux |
| (RHSA-2022:0350) nodejs:14 security, bug fix, and enhancement update npm-6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64.rpm | Linux |
| nodejs security update(DSA-5170-1) nodejs_12.22.12~dfsg-1~deb11u1_amd64.deb | Linux |
| nodejs Security Update (ALAS2023-2023-084) v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) nodejs-18.12.1-1.amzn2023.0.2.x86_64.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) nodejs-docs-18.12.1-1.amzn2023.0.2.noarch.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64.rpm | Linux |
Patch Details
Patches provided by ManageEngine for this CVE:
| Patch ID | Patch Description |
|---|---|
| PATCH-324371 | Node.js 12 (x64) (12.22.12) |
| PATCH-324370 | Node.js 12 (12.22.12) |
| PATCH-329083 | Node.js 14 (x64) (14.21.3) |
| PATCH-329082 | Node.js 14 (14.21.3) |
| PATCH-331257 | Node.js 16 (x64) (16.20.1) |
| PATCH-331256 | Node.js 16 (16.20.1) |