CVE-2020-8287

Source
https://cve.org/CVERecord?id=CVE-2020-8287
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-8287.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-8287
Aliases
Downstream
Related
Published
2021-01-06T21:15:14.707Z
Modified
2026-07-10T12:01:30.155824042Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

Database specific
{
    "unresolved_ranges": [
        {
            "vendor_product": "nodejs:node.js",
            "cpes": [
                "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
                "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*"
            ],
            "source": "CPE_RANGE",
            "extracted_events": [
                {
                    "introduced": "10.0.0"
                },
                {
                    "fixed": "10.23.1"
                },
                {
                    "introduced": "12.0.0"
                },
                {
                    "fixed": "12.20.1"
                },
                {
                    "introduced": "14.0.0"
                },
                {
                    "fixed": "14.15.4"
                },
                {
                    "introduced": "15.0.0"
                },
                {
                    "fixed": "15.5.1"
                }
            ]
        },
        {
            "vendor_product": "siemens:sinec_infrastructure_network_services",
            "cpes": [
                "cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*"
            ],
            "source": "CPE_RANGE",
            "extracted_events": [
                {
                    "fixed": "1.0.1.1"
                }
            ]
        },
        {
            "vendor_product": "debian:debian_linux",
            "cpes": [
                "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING",
            "extracted_events": [
                {
                    "introduced": "10.0"
                },
                {
                    "last_affected": "10.0"
                }
            ]
        },
        {
            "vendor_product": "fedoraproject:fedora",
            "cpes": [
                "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
                "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING",
            "extracted_events": [
                {
                    "introduced": "32"
                },
                {
                    "last_affected": "32"
                },
                {
                    "introduced": "33"
                },
                {
                    "last_affected": "33"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/graalvm/graalvm-ce-builds

Affected ranges

Type
GIT
Repo
https://github.com/graalvm/graalvm-ce-builds
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:oracle:graalvm:19.3.4:*:*:*:enterprise:*:*:*",
        "cpe:2.3:a:oracle:graalvm:20.3.0:*:*:*:enterprise:*:*:*"
    ],
    "source": "CPE_STRING",
    "extracted_events": [
        {
            "introduced": "19.3.4"
        },
        {
            "last_affected": "19.3.4"
        },
        {
            "introduced": "20.3.0"
        },
        {
            "last_affected": "20.3.0"
        }
    ]
}

Affected versions

19.*
19.3.4
20.*
20.3.0
vm-19.*
vm-19.3.4
vm-20.*
vm-20.3.0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-8287.json"