CVE-2018-12116

Advisory lineage Upstream: 0 Downstream: 11

Downstream

ALPINE-CVE-2018-12116 DEBIAN-CVE-2018-12116 MGASA-2019-0277 OPENSUSE-SU-2019:0089-1 RHSA-2019:1821 SUSE-SU-2019:0117-1

Modified

Published: 28 Nov 2018, 17:00

Last modified:05 Aug 2024, 08:24

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

0.53% LOW

1% probability -0.09%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

28 Nov 2018, 17:00

Published

Vulnerability first disclosed

05 Aug 2024, 08:24

Last Modified

Vulnerability information updated

Description

Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 0.53%• Percentile: 68%

Techniques & Countermeasures

CWE-115•Misinterpretation of Input
The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.

Affected Systems

nodejs•node.js
≥ 6.0.0, ≤ 6.8.1 | ≥ 6.9.0, < 6.15.0 | ≥ 8.0.0, ≤ 8.8.1 | ≥ 8.9.0, < 8.14.0
suse•suse_enterprise_storage
4
suse•suse_linux_enterprise_server
12 | 15
suse•suse_openstack_cloud
7 | 8
the node.js project•node.js
All versions prior to Node.js 6.15.0 and 8.14.0