csaf_opensuse - opensuse-su-2024:13851-1

opensuse-su-2024:13851-1

Vulnerability from csaf_opensuse

Published

2024-06-15 00:00

Modified

2024-06-15 00:00

Summary

corepack20-20.12.1-1.1 on GA media

Notes

Title of the patch

corepack20-20.12.1-1.1 on GA media

Description of the patch

These are all security issues fixed in the corepack20-20.12.1-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-13851

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "corepack20-20.12.1-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the corepack20-20.12.1-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13851",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13851-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-27982 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-27982/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-27983 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-27983/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-30260 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-30260/"
      }
    ],
    "title": "corepack20-20.12.1-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13851-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "corepack20-20.12.1-1.1.aarch64",
                "product": {
                  "name": "corepack20-20.12.1-1.1.aarch64",
                  "product_id": "corepack20-20.12.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs20-20.12.1-1.1.aarch64",
                "product": {
                  "name": "nodejs20-20.12.1-1.1.aarch64",
                  "product_id": "nodejs20-20.12.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs20-devel-20.12.1-1.1.aarch64",
                "product": {
                  "name": "nodejs20-devel-20.12.1-1.1.aarch64",
                  "product_id": "nodejs20-devel-20.12.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs20-docs-20.12.1-1.1.aarch64",
                "product": {
                  "name": "nodejs20-docs-20.12.1-1.1.aarch64",
                  "product_id": "nodejs20-docs-20.12.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "npm20-20.12.1-1.1.aarch64",
                "product": {
                  "name": "npm20-20.12.1-1.1.aarch64",
                  "product_id": "npm20-20.12.1-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "corepack20-20.12.1-1.1.ppc64le",
                "product": {
                  "name": "corepack20-20.12.1-1.1.ppc64le",
                  "product_id": "corepack20-20.12.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs20-20.12.1-1.1.ppc64le",
                "product": {
                  "name": "nodejs20-20.12.1-1.1.ppc64le",
                  "product_id": "nodejs20-20.12.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs20-devel-20.12.1-1.1.ppc64le",
                "product": {
                  "name": "nodejs20-devel-20.12.1-1.1.ppc64le",
                  "product_id": "nodejs20-devel-20.12.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs20-docs-20.12.1-1.1.ppc64le",
                "product": {
                  "name": "nodejs20-docs-20.12.1-1.1.ppc64le",
                  "product_id": "nodejs20-docs-20.12.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "npm20-20.12.1-1.1.ppc64le",
                "product": {
                  "name": "npm20-20.12.1-1.1.ppc64le",
                  "product_id": "npm20-20.12.1-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "corepack20-20.12.1-1.1.s390x",
                "product": {
                  "name": "corepack20-20.12.1-1.1.s390x",
                  "product_id": "corepack20-20.12.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs20-20.12.1-1.1.s390x",
                "product": {
                  "name": "nodejs20-20.12.1-1.1.s390x",
                  "product_id": "nodejs20-20.12.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs20-devel-20.12.1-1.1.s390x",
                "product": {
                  "name": "nodejs20-devel-20.12.1-1.1.s390x",
                  "product_id": "nodejs20-devel-20.12.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs20-docs-20.12.1-1.1.s390x",
                "product": {
                  "name": "nodejs20-docs-20.12.1-1.1.s390x",
                  "product_id": "nodejs20-docs-20.12.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "npm20-20.12.1-1.1.s390x",
                "product": {
                  "name": "npm20-20.12.1-1.1.s390x",
                  "product_id": "npm20-20.12.1-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "corepack20-20.12.1-1.1.x86_64",
                "product": {
                  "name": "corepack20-20.12.1-1.1.x86_64",
                  "product_id": "corepack20-20.12.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs20-20.12.1-1.1.x86_64",
                "product": {
                  "name": "nodejs20-20.12.1-1.1.x86_64",
                  "product_id": "nodejs20-20.12.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs20-devel-20.12.1-1.1.x86_64",
                "product": {
                  "name": "nodejs20-devel-20.12.1-1.1.x86_64",
                  "product_id": "nodejs20-devel-20.12.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs20-docs-20.12.1-1.1.x86_64",
                "product": {
                  "name": "nodejs20-docs-20.12.1-1.1.x86_64",
                  "product_id": "nodejs20-docs-20.12.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "npm20-20.12.1-1.1.x86_64",
                "product": {
                  "name": "npm20-20.12.1-1.1.x86_64",
                  "product_id": "npm20-20.12.1-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "corepack20-20.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:corepack20-20.12.1-1.1.aarch64"
        },
        "product_reference": "corepack20-20.12.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "corepack20-20.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:corepack20-20.12.1-1.1.ppc64le"
        },
        "product_reference": "corepack20-20.12.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "corepack20-20.12.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:corepack20-20.12.1-1.1.s390x"
        },
        "product_reference": "corepack20-20.12.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "corepack20-20.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:corepack20-20.12.1-1.1.x86_64"
        },
        "product_reference": "corepack20-20.12.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs20-20.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.aarch64"
        },
        "product_reference": "nodejs20-20.12.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs20-20.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.ppc64le"
        },
        "product_reference": "nodejs20-20.12.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs20-20.12.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.s390x"
        },
        "product_reference": "nodejs20-20.12.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs20-20.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.x86_64"
        },
        "product_reference": "nodejs20-20.12.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs20-devel-20.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.aarch64"
        },
        "product_reference": "nodejs20-devel-20.12.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs20-devel-20.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.ppc64le"
        },
        "product_reference": "nodejs20-devel-20.12.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs20-devel-20.12.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.s390x"
        },
        "product_reference": "nodejs20-devel-20.12.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs20-devel-20.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.x86_64"
        },
        "product_reference": "nodejs20-devel-20.12.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs20-docs-20.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.aarch64"
        },
        "product_reference": "nodejs20-docs-20.12.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs20-docs-20.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.ppc64le"
        },
        "product_reference": "nodejs20-docs-20.12.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs20-docs-20.12.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.s390x"
        },
        "product_reference": "nodejs20-docs-20.12.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs20-docs-20.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.x86_64"
        },
        "product_reference": "nodejs20-docs-20.12.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "npm20-20.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:npm20-20.12.1-1.1.aarch64"
        },
        "product_reference": "npm20-20.12.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "npm20-20.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:npm20-20.12.1-1.1.ppc64le"
        },
        "product_reference": "npm20-20.12.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "npm20-20.12.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:npm20-20.12.1-1.1.s390x"
        },
        "product_reference": "npm20-20.12.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "npm20-20.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:npm20-20.12.1-1.1.x86_64"
        },
        "product_reference": "npm20-20.12.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-27982",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-27982"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:corepack20-20.12.1-1.1.aarch64",
          "openSUSE Tumbleweed:corepack20-20.12.1-1.1.ppc64le",
          "openSUSE Tumbleweed:corepack20-20.12.1-1.1.s390x",
          "openSUSE Tumbleweed:corepack20-20.12.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.x86_64",
          "openSUSE Tumbleweed:npm20-20.12.1-1.1.aarch64",
          "openSUSE Tumbleweed:npm20-20.12.1-1.1.ppc64le",
          "openSUSE Tumbleweed:npm20-20.12.1-1.1.s390x",
          "openSUSE Tumbleweed:npm20-20.12.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-27982",
          "url": "https://www.suse.com/security/cve/CVE-2024-27982"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1222384 for CVE-2024-27982",
          "url": "https://bugzilla.suse.com/1222384"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-27982"
    },
    {
      "cve": "CVE-2024-27983",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-27983"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:corepack20-20.12.1-1.1.aarch64",
          "openSUSE Tumbleweed:corepack20-20.12.1-1.1.ppc64le",
          "openSUSE Tumbleweed:corepack20-20.12.1-1.1.s390x",
          "openSUSE Tumbleweed:corepack20-20.12.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.x86_64",
          "openSUSE Tumbleweed:npm20-20.12.1-1.1.aarch64",
          "openSUSE Tumbleweed:npm20-20.12.1-1.1.ppc64le",
          "openSUSE Tumbleweed:npm20-20.12.1-1.1.s390x",
          "openSUSE Tumbleweed:npm20-20.12.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-27983",
          "url": "https://www.suse.com/security/cve/CVE-2024-27983"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1222244 for CVE-2024-27983",
          "url": "https://bugzilla.suse.com/1222244"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-27983"
    },
    {
      "cve": "CVE-2024-30260",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-30260"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:corepack20-20.12.1-1.1.aarch64",
          "openSUSE Tumbleweed:corepack20-20.12.1-1.1.ppc64le",
          "openSUSE Tumbleweed:corepack20-20.12.1-1.1.s390x",
          "openSUSE Tumbleweed:corepack20-20.12.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.x86_64",
          "openSUSE Tumbleweed:npm20-20.12.1-1.1.aarch64",
          "openSUSE Tumbleweed:npm20-20.12.1-1.1.ppc64le",
          "openSUSE Tumbleweed:npm20-20.12.1-1.1.s390x",
          "openSUSE Tumbleweed:npm20-20.12.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-30260",
          "url": "https://www.suse.com/security/cve/CVE-2024-30260"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1222530 for CVE-2024-30260",
          "url": "https://bugzilla.suse.com/1222530"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack20-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.s390x",
            "openSUSE Tumbleweed:npm20-20.12.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2024-30260"
    }
  ]
}

CVE-2024-27983 (GCVE-0-2024-27983)

Vulnerability from cvelistv5

Published

2024-04-09 01:06

Modified

2025-04-30 22:25

Severity ?

8.2 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Summary

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

References

►

URL

Tags

	https://hackerone.com/reports/2319584
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDVFUH7ACZPYB3BS4SVILNOY7NQU73VW/
	http://www.openwall.com/lists/oss-security/2024/04/03/16
	https://security.netapp.com/advisory/ntap-20240510-0002/

Impacted products

	Vendor	Product	Version
	NodeJS	Node	Version: 4.0 ≤ Version: 5.0 ≤ Version: 6.0 ≤ Version: 7.0 ≤ Version: 8.0 ≤ Version: 9.0 ≤ Version: 10.0 ≤ Version: 11.0 ≤ Version: 12.0 ≤ Version: 13.0 ≤ Version: 14.0 ≤ Version: 15.0 ≤ Version: 16.0 ≤ Version: 17.0 ≤ Version: 18.0 ≤ Version: 19.0 ≤ Version: 20.0 ≤ Version: 21.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:41:55.943Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/2319584"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDVFUH7ACZPYB3BS4SVILNOY7NQU73VW/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240510-0002/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "nodejs",
            "vendor": "nodejs",
            "versions": [
              {
                "lessThanOrEqual": "18.20.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "20.12.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "21.7.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-27983",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-09T19:14:56.001352Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-362",
                "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-14T18:08:27.458Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Node",
          "vendor": "NodeJS",
          "versions": [
            {
              "lessThan": "4.*",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.*",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.*",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.*",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.*",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.*",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.*",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.*",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.*",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            },
            {
              "lessThan": "14.*",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            },
            {
              "lessThan": "15.*",
              "status": "affected",
              "version": "15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.*",
              "status": "affected",
              "version": "16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.*",
              "status": "affected",
              "version": "17.0",
              "versionType": "semver"
            },
            {
              "lessThan": "18.20.1",
              "status": "affected",
              "version": "18.0",
              "versionType": "semver"
            },
            {
              "lessThan": "19.*",
              "status": "affected",
              "version": "19.0",
              "versionType": "semver"
            },
            {
              "lessThan": "20.12.1",
              "status": "affected",
              "version": "20.0",
              "versionType": "semver"
            },
            {
              "lessThan": "21.7.2",
              "status": "affected",
              "version": "21.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.0"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T22:25:15.944Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://hackerone.com/reports/2319584"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDVFUH7ACZPYB3BS4SVILNOY7NQU73VW/"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240510-0002/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2024-27983",
    "datePublished": "2024-04-09T01:06:43.681Z",
    "dateReserved": "2024-02-29T01:04:06.641Z",
    "dateUpdated": "2025-04-30T22:25:15.944Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-30260 (GCVE-0-2024-30260)

Vulnerability from cvelistv5

Published

2024-04-04 15:15

Modified

2025-02-13 17:47

Severity ?

3.9 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

CWE

CWE-285 - Improper Authorization

Summary

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

References

►

URL

Tags

	https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7	x_refsource_CONFIRM
	https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f	x_refsource_MISC
	https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/

Impacted products

	Vendor	Product	Version
	nodejs	undici	Version: < 5.28.4 Version: >= 6.0.0, < 6.11.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-30260",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-05T13:43:37.003793Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:38:49.201Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:32:05.438Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7"
          },
          {
            "name": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f"
          },
          {
            "name": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "undici",
          "vendor": "nodejs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.28.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.0.0, \u003c 6.11.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.9,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-19T23:06:41.342Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7"
        },
        {
          "name": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f"
        },
        {
          "name": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"
        }
      ],
      "source": {
        "advisory": "GHSA-m4v8-wqvr-p9f7",
        "discovery": "UNKNOWN"
      },
      "title": "Undici\u0027s Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-30260",
    "datePublished": "2024-04-04T15:15:44.653Z",
    "dateReserved": "2024-03-26T12:52:00.934Z",
    "dateUpdated": "2025-02-13T17:47:47.503Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-27982 (GCVE-0-2024-27982)

Vulnerability from cvelistv5

Published

2024-05-07 16:40

Modified

2025-04-30 22:25

Severity ?

6.5 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Summary

The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.

References

►

URL

Tags

https://hackerone.com/reports/2237099

Impacted products

	Vendor	Product	Version
	NodeJS	Node	Version: 4.0 ≤ Version: 5.0 ≤ Version: 6.0 ≤ Version: 7.0 ≤ Version: 8.0 ≤ Version: 9.0 ≤ Version: 10.0 ≤ Version: 11.0 ≤ Version: 12.0 ≤ Version: 13.0 ≤ Version: 14.0 ≤ Version: 15.0 ≤ Version: 16.0 ≤ Version: 17.0 ≤ Version: 18.0 ≤ Version: 19.0 ≤ Version: 20.0 ≤ Version: 21.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:nodejs:node.js:-:*:*:*:*:-:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "node.js",
            "vendor": "nodejs",
            "versions": [
              {
                "status": "affected",
                "version": "20.12.0, 21.7.2, 18.20.0"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-27982",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-07T18:19:19.540907Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-444",
                "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-28T20:38:42.197Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-04-19T00:11:04.832Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/2237099"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250418-0001/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Node",
          "vendor": "NodeJS",
          "versions": [
            {
              "lessThan": "4.*",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.*",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.*",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.*",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.*",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.*",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.*",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.*",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.*",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            },
            {
              "lessThan": "14.*",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            },
            {
              "lessThan": "15.*",
              "status": "affected",
              "version": "15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.*",
              "status": "affected",
              "version": "16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.*",
              "status": "affected",
              "version": "17.0",
              "versionType": "semver"
            },
            {
              "lessThan": "18.20.1",
              "status": "affected",
              "version": "18.0",
              "versionType": "semver"
            },
            {
              "lessThan": "19.*",
              "status": "affected",
              "version": "19.0",
              "versionType": "semver"
            },
            {
              "lessThan": "20.12.1",
              "status": "affected",
              "version": "20.0",
              "versionType": "semver"
            },
            {
              "lessThan": "21.7.2",
              "status": "affected",
              "version": "21.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T22:25:16.878Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://hackerone.com/reports/2237099"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2024-27982",
    "datePublished": "2024-05-07T16:40:02.518Z",
    "dateReserved": "2024-02-29T01:04:06.640Z",
    "dateUpdated": "2025-04-30T22:25:16.878Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

opensuse-su-2024:13851-1

Vulnerability from csaf_opensuse

CVE-2024-27983 (GCVE-0-2024-27983)

Vulnerability from cvelistv5

CVE-2024-30260 (GCVE-0-2024-30260)

Vulnerability from cvelistv5

CVE-2024-27982 (GCVE-0-2024-27982)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature