CVE-2020-8201 : Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspec

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.

Published 2020-09-18 21:15:13

Updated 2022-05-24 17:24:47

Source HackerOne

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2020-8201

Probability of exploitation activity in the next 30 days: 0.26%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 64 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2020-8201

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:N	8.6	4.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
7.4	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N	2.2	5.2	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2020-8201

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Assigned by:
- nvd@nist.gov (Primary)
- support@hackerone.com (Secondary)

References for CVE-2020-8201

https://security.gentoo.org/glsa/202101-07

NodeJS: Multiple vulnerabilities (GLSA 202101-07) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://hackerone.com/reports/922597

Sign in
Permissions Required
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/

September 2020 Security Releases | Node.js
Vendor Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20201009-0004/

October 2020 Node.js Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html

[security-announce] openSUSE-SU-2020:1616-1: important: Security update
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/

[SECURITY] Fedora 33 Update: nodejs-14.15.1-1.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url

Products affected by CVE-2020-8201

Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.2
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » LTS Edition
Versions from including (>=) 12.0.0 and before (<) 12.18.4
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
Matching versions
Nodejs » Node.js
Versions from including (>=) 14.0.0 and before (<) 14.11.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2020-8201

Exploit prediction scoring system (EPSS) score for CVE-2020-8201

CVSS scores for CVE-2020-8201

CWE ids for CVE-2020-8201

References for CVE-2020-8201

Products affected by CVE-2020-8201