CVE-2020-8287

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-8287
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-8287.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-8287
Aliases
Downstream
Related
Published
2021-01-06T21:15:14.707Z
Modified
2026-06-18T03:56:05.293726677Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

Database specific 
{
    "unresolved_ranges": [
        {
            "vendor_product": "siemens:sinec_infrastructure_network_services",
            "extracted_events": [
                {
                    "fixed": "1.0.1.1"
                }
            ],
            "cpes": [
                "cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*"
            ],
            "source": "CPE_RANGE"
        },
        {
            "vendor_product": "debian:debian_linux",
            "extracted_events": [
                {
                    "last_affected": "10.0"
                }
            ],
            "cpes": [
                "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING"
        },
        {
            "vendor_product": "fedoraproject:fedora",
            "extracted_events": [
                {
                    "last_affected": "32"
                },
                {
                    "last_affected": "33"
                }
            ],
            "cpes": [
                "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
                "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING"
        }
    ]
}
References

Affected packages

Git / github.com/graalvm/graalvm-ce-builds

Affected ranges

Type
GIT
Repo
https://github.com/graalvm/graalvm-ce-builds
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
4b00c1f1d35186b8ac562522370ad3982124bd80
Last affected
fab0396eab86e8236899c69d3a56baad00e5af14
Database specific 
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "19.3.4"
        },
        {
            "last_affected": "20.3.0"
        }
    ],
    "cpe": [
        "cpe:2.3:a:oracle:graalvm:19.3.4:*:*:*:enterprise:*:*:*",
        "cpe:2.3:a:oracle:graalvm:20.3.0:*:*:*:enterprise:*:*:*"
    ],
    "source": "CPE_STRING"
}

Affected versions

vm-19.*
vm-19.3.2
vm-19.3.2-pre
vm-19.3.3
vm-19.3.4
vm-20.*
vm-20.0.1
vm-20.1.0
vm-20.2.0
vm-20.3.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-8287.json"

Git / github.com/nodejs/node

Affected ranges

Type
GIT
Repo
https://github.com/nodejs/node
Events
Introduced
cf41627411886000429bde058a6594fb7f6d6d47
Fixed
811be91dfe623c7569f5fd87b1eaf46074334c94
Introduced
2f45ad8060e13d5ac912335096d21526f2f9602b
Fixed
87ddc7f10c6463bbcdd9dfc79f1e510a584e616e
Introduced
73aa21658dfa6a22c06451d080152b32b1f98dbe
Fixed
04509d6847a2d164b223a77aed0c41fe9ca60e57
Introduced
d683e3dda09b6b3cc6cad6fd2c106e3061a48f0d
Fixed
39fee5d91bc07beab14a1049358ababdd77ce3b1
Database specific 
{
    "extracted_events": [
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "10.23.1"
        },
        {
            "introduced": "12.0.0"
        },
        {
            "fixed": "12.20.1"
        },
        {
            "introduced": "14.0.0"
        },
        {
            "fixed": "14.15.4"
        },
        {
            "introduced": "15.0.0"
        },
        {
            "fixed": "15.5.1"
        }
    ],
    "cpe": [
        "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
        "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*"
    ],
    "source": "CPE_RANGE"
}

Affected versions

v10.*
v10.0.0
v10.1.0
v10.10.0
v10.11.0
v10.12.0
v10.13.0
v10.14.0
v10.14.1
v10.14.2
v10.15.0
v10.15.1
v10.15.2
v10.15.3
v10.16.0
v10.16.1
v10.16.2
v10.16.3
v10.17.0
v10.18.0
v10.18.1
v10.19.0
v10.2.0
v10.2.1
v10.20.0
v10.20.1
v10.21.0
v10.22.0
v10.22.1
v10.23.0
v10.3.0
v10.4.0
v10.4.1
v10.5.0
v10.6.0
v10.7.0
v10.8.0
v10.9.0
v12.*
v12.0.0
v12.1.0
v12.10.0
v12.11.0
v12.11.1
v12.12.0
v12.13.0
v12.13.1
v12.14.0
v12.14.1
v12.15.0
v12.16.0
v12.16.1
v12.16.2
v12.16.3
v12.17.0
v12.18.0
v12.18.1
v12.18.2
v12.18.3
v12.18.4
v12.19.0
v12.19.1
v12.2.0
v12.20.0
v12.3.0
v12.3.1
v12.4.0
v12.5.0
v12.6.0
v12.7.0
v12.8.0
v12.8.1
v12.9.0
v12.9.1
v14.*
v14.0.0
v14.1.0
v14.10.0
v14.10.1
v14.11.0
v14.12.0
v14.13.0
v14.13.1
v14.14.0
v14.15.0
v14.15.1
v14.15.2
v14.15.3
v14.2.0
v14.3.0
v14.4.0
v14.5.0
v14.6.0
v14.7.0
v14.8.0
v14.9.0
v15.*
v15.0.0
v15.0.1
v15.1.0
v15.2.0
v15.2.1
v15.3.0
v15.4.0
v15.5.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-8287.json"