跳转到帖子

Oracle Linux: CVE-2024-27982: ELSA-2024-2853: nodejs:20 security update (IMPORTANT) (Multiple Advisories)

recommended_posts

发布于
  • Members

Oracle Linux: CVE-2024-27982: ELSA-2024-2853:nodejs:20 security update (IMPORTANT) (Multiple Advisories)

Severity
6
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
Published
04/03/2024
Created
05/21/2024
Added
05/09/2024
Modified
01/07/2025

Description

The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first. An HTTP Request Smuggling vulnerability was found in Node.js due to Content-Length Obfuscation in the HTTP server. Malformed headers, particularly if a space is inserted before a content-length header, can result in HTTP request smuggling. This flaw allows attackers to inject a second request within the body of the first and poison web caches, bypass web application firewalls, and execute Cross-site scripting (XSS) attacks.

Solution(s)

  • oracle-linux-upgrade-nodejs
  • oracle-linux-upgrade-nodejs-devel
  • oracle-linux-upgrade-nodejs-docs
  • oracle-linux-upgrade-nodejs-full-i18n
  • oracle-linux-upgrade-nodejs-libs
  • oracle-linux-upgrade-nodejs-nodemon
  • oracle-linux-upgrade-nodejs-packaging
  • oracle-linux-upgrade-nodejs-packaging-bundler
  • oracle-linux-upgrade-npm

References

  • https://attackerkb.com/topics/cve-2024-27982
  • CVE - 2024-27982
  • ELSA-2024-2853
  • ELSA-2024-2780
  • ELSA-2024-2910
  • ELSA-2024-2779
  • ELSA-2024-2778
  • 查看数 708
  • 已创建
  • 最后回复

参与讨论

你可立刻发布并稍后注册。 如果你有帐户,立刻登录发布帖子。
注意:你的帖子需要版主批准后才能看到。

游客
回帖…