{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-32215", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "dateUpdated": "2023-01-25T00:00:00", "dateReserved": "2022-06-01T00:00:00", "datePublished": "2022-07-14T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2023-01-25T00:00:00"}, "descriptions": [{"lang": "en", "value": "The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS)."}], "affected": [{"vendor": "n/a", "product": "https://github.com/nodejs/node", "versions": [{"version": "Fixed in 14.20.1+, 16.17.1+,18.9.1+", "status": "affected"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/"}, {"url": "https://hackerone.com/reports/1501679"}, {"name": "FEDORA-2022-52dec6351a", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/"}, {"name": "FEDORA-2022-1667f7b60a", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/"}, {"name": "FEDORA-2022-de515f765f", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"}, {"name": "DSA-5326", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2023/dsa-5326"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "HTTP Request Smuggling (CWE-444)", "cweId": "CWE-444"}]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E47EBF6E-EAF4-4853-A7F1-49B0E2880E44", "versionEndExcluding": "14.20.1", "versionStartIncluding": "14.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BF84A61F-30D6-4D93-BCBD-C856D671B68B", "versionEndExcluding": "16.17.1", "versionStartIncluding": "16.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:*:*:*", "matchCriteriaId": "65CED312-C629-4515-A3F4-84E889159D4A", "versionEndExcluding": "18.9.1", "versionStartIncluding": "18.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "428DCD7B-6F66-4F18-B780-5BD80143D482", "versionEndIncluding": "14.14.0", "versionStartIncluding": "14.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "3EB02718-B2A5-4822-B611-D62BB9EF44B0", "versionEndExcluding": "14.20.0", "versionStartIncluding": "14.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "1D1D0CEC-62E5-4368-B8F2-1DA5DD0B88FA", "versionEndIncluding": "16.12.0", "versionStartIncluding": "16.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "D9D9B02E-C965-408B-999E-1F3DA09B62AA", "versionEndExcluding": "16.16.0", "versionStartIncluding": "16.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "D224E154-915A-4E2C-A0D7-D28D1C1472F7", "versionEndExcluding": "18.5.0", "versionStartIncluding": "18.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*", "matchCriteriaId": "4664B195-AF14-4834-82B3-0B2C98020EB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "75BC588E-CDF0-404E-AD61-02093A1DF343", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sinec_ins:1.0:sp2:*:*:*:*:*:*", "matchCriteriaId": "A334F7B4-7283-4453-BAED-D2E01B7F8A6E", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:stormshield:stormshield_management_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "57CACB72-BAD7-41F6-9977-321DA7F79519", "versionEndExcluding": "3.3.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS)."}, {"lang": "es", "value": "El parser llhttp anteriores a la versi\u00f3n v14.20.1, anteriores a la versi\u00f3n v16.17.1 y anteriores a la versi\u00f3n v18.9.1 del m\u00f3dulo http en Node.js no maneja correctamente las cabeceras Transfer-Encoding de varias l\u00edneas. Esto puede llevar al contrabando de solicitudes HTTP (HRS)"}], "id": "CVE-2022-32215", "lastModified": "2023-11-07T03:47:46.577", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-14T15:15:08.387", "references": [{"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"}, {"source": "support@hackerone.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://hackerone.com/reports/1501679"}, {"source": "support@hackerone.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/"}, {"source": "support@hackerone.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/"}, {"source": "support@hackerone.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/"}, {"source": "support@hackerone.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5326"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-444"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{}