CVE Vulnerabilities

CVE-2018-12116

Misinterpretation of Input

Published: Nov 28, 2018 | Modified: Nov 21, 2024
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
RedHat/V2
RedHat/V3
7.2 MODERATE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Ubuntu
MEDIUM

Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the path option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.

Weakness

The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.

Affected Software

Name Vendor Start Version End Version
Node.js Nodejs 6.0.0 (including) 6.8.1 (including)
Node.js Nodejs 6.9.0 (including) 6.15.0 (excluding)
Node.js Nodejs 8.0.0 (including) 8.8.1 (including)
Node.js Nodejs 8.9.0 (including) 8.14.0 (excluding)
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-nodejs8-nodejs-0:8.16.0-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS RedHat rh-nodejs8-nodejs-0:8.16.0-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS RedHat rh-nodejs8-nodejs-0:8.16.0-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS RedHat rh-nodejs8-nodejs-0:8.16.0-1.el7 *
Nodejs Ubuntu bionic *
Nodejs Ubuntu cosmic *
Nodejs Ubuntu esm-apps/bionic *
Nodejs Ubuntu upstream *

References