CVE-2022-32214 - OpenCVE

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Stormshield	Stormshield Management Center
Nodejs	Node.js
Llhttp	Llhttp

Configuration 1 [-]

OR	cpe:2.3:a:llhttp:llhttp::::::node.js::*
	cpe:2.3:a:llhttp:llhttp::::::node.js::*
	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:stormshield:stormshield_management_center:*:*:*:*:*:*:*:*

References

Link	Resource
https://hackerone.com/reports/1524692	Exploit Issue Tracking Third Party Advisory
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/	Patch Vendor Advisory
https://www.debian.org/security/2023/dsa-5326	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2022-07-14T00:00:00

Updated: 2023-01-25T00:00:00

Reserved: 2022-06-01T00:00:00

Link: CVE-2022-32214

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-07-14T15:15:08.337

Modified: 2023-07-19T00:55:52.457

Link: CVE-2022-32214

JSON object: View

Redhat Information

No data.

CWE

CWE-444

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C2150173-C986-4D63-AA7F-9618AA856F2C", "versionEndExcluding": "2.1.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FBB4A716-D0D0-4319-BAF0-7F012973330A", "versionEndExcluding": "6.0.7", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "428DCD7B-6F66-4F18-B780-5BD80143D482", "versionEndIncluding": "14.14.0", "versionStartIncluding": "14.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "3EB02718-B2A5-4822-B611-D62BB9EF44B0", "versionEndExcluding": "14.20.0", "versionStartIncluding": "14.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "1D1D0CEC-62E5-4368-B8F2-1DA5DD0B88FA", "versionEndIncluding": "16.12.0", "versionStartIncluding": "16.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "D9D9B02E-C965-408B-999E-1F3DA09B62AA", "versionEndExcluding": "16.16.0", "versionStartIncluding": "16.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "D224E154-915A-4E2C-A0D7-D28D1C1472F7", "versionEndExcluding": "18.5.0", "versionStartIncluding": "18.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:stormshield:stormshield_management_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A8085B7-6068-464E-B00E-638F49F60730", "versionEndExcluding": "3.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS)."}, {"lang": "es", "value": "El parser llhttp anteriores a la versi\u00f3n v14.20.1, anteriores a la versi\u00f3n v16.17.1 y anteriores a la versi\u00f3n v18.9.1 del m\u00f3dulo http en Node.js no utiliza estrictamente la secuencia CRLF para delimitar las peticiones HTTP. Esto puede llevar a un contrabando de peticiones HTTP (HRS)"}], "id": "CVE-2022-32214", "lastModified": "2023-07-19T00:55:52.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-14T15:15:08.337", "references": [{"source": "support@hackerone.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://hackerone.com/reports/1524692"}, {"source": "support@hackerone.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5326"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-444"}], "source": "support@hackerone.com", "type": "Secondary"}]}