BIT-node-2023-23936

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/node/BIT-node-2023-23936.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-node-2023-23936

Aliases

CVE-2023-23936
GHSA-5r9g-qh6m-jxff

Published

2024-03-06T11:01:51.693Z

Modified

2024-03-06T11:25:28.861Z

Summary

[none]

Details

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect host HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the headers.host string before passing to undici.

References

https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034
https://github.com/nodejs/undici/releases/tag/v5.19.1
https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
https://hackerone.com/reports/1820955

Affected packages

Bitnami / node

Package

Name: node
Purl: pkg:bitnami/node

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

16.0.0

Fixed

16.19.1

Introduced

18.0.0

Fixed

18.14.1

Introduced

19.0.0

Fixed

19.6.1